moved charts/images

Denislav Prodanov 2024-10-21 16:17:49 +03:00
parent 606de0934e
commit 3ad03cb946
43 changed files with 2004 additions and 0 deletions


@ -0,0 +1,34 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator-061 iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.baremetal-operator
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE baremetal-operator Container Image"
LABEL org.opencontainers.image.description="baremetal-operator based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%baremetal-operator_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="l3"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
RUN groupadd -r -g 11000 bmo
RUN useradd -u 11000 -g 11000 bmo
ENTRYPOINT [ "/usr/bin/baremetal-operator" ]
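Review bot: The final stage creates the `bmo` user and group (UID/GID 11000) but never switches to it, so `/usr/bin/baremetal-operator` starts as root unless the deployment overrides the user; add `USER 11000:11000` before the `ENTRYPOINT` line. In the `base` stage the `RUN` joins its commands with `;`, so a failed `zypper ... install` does not fail the build and an image without the operator package can still be produced; chain the steps with `&&`. The `rm -rf /var/log/*` clears the build stage's own logs, while anything written under `/installroot/var/log` is still copied into the final image. `vim`, `bind-utils` and `iproute2` look like debugging aids and could be dropped from a released image if the operator does not call them.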


@ -0,0 +1,17 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%baremetal-operator_version%%</param>
<param name="package">baremetal-operator-061</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
</services>

9
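--- a/cdi-chart/Chart.yaml
+++ b/cdi-chart/Chart.yaml
@@ -0,0 +1,9 @@
+#!BuildTag: %%IMG_PREFIX%%cdi-chart:0.4.0
+#!BuildTag: %%IMG_PREFIX%%cdi-chart:0.4.0-%RELEASE%
+apiVersion: v2
+appVersion: 1.60.1
+description: A Helm chart for Containerized Data Importer (CDI)
+icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
+name: cdi
+type: application
+version: 0.4.0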

8
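--- a/cdi-chart/_service
+++ b/cdi-chart/_service
@@ -0,0 +1,8 @@
+<services>
+<service mode="buildtime" name="kiwi_metainfo_helper"/>
+<service name="replace_using_env" mode="buildtime">
+<param name="file">Chart.yaml</param>
+<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+<param name="var">IMG_PREFIX</param>
+</service>
+</services>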

BIN
cdi-chart/crds.obscpio Normal file

Binary file not shown.

BIN
cdi-chart/templates.obscpio Normal file

Binary file not shown.

38
cdi-chart/values.yaml Normal file

@ -0,0 +1,38 @@
deployment:
version: 1.60.1-150600.3.9.1
operatorImage: registry.suse.com/suse/sles/15.6/cdi-operator
controllerImage: registry.suse.com/suse/sles/15.6/cdi-controller
importerImage: registry.suse.com/suse/sles/15.6/cdi-importer
clonerImage: registry.suse.com/suse/sles/15.6/cdi-cloner
apiserverImage: registry.suse.com/suse/sles/15.6/cdi-apiserver
uploadserverImage: registry.suse.com/suse/sles/15.6/cdi-uploadserver
uploadproxyImage: registry.suse.com/suse/sles/15.6/cdi-uploadproxy
pullPolicy: IfNotPresent
cdi:
config:
featureGates:
- HonorWaitForFirstConsumer
imagePullPolicy: "IfNotPresent"
infra:
nodeSelector:
kubernetes.io/os: linux
tolerations:
- key: CriticalAddonsOnly
operator: Exists
uninstallStrategy: ""
workload:
nodeSelector:
kubernetes.io/os: linux
hookImage: rancher/kubectl:v1.30.2
hookRestartPolicy: OnFailure
hookSecurityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
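Review bot: `hookImage: rancher/kubectl:v1.30.2` has no registry host, so it resolves through the container runtime's default registry, while every other image in this file is pulled from `registry.suse.com`; it is also referenced by a mutable tag. The hook presumably runs `kubectl` with the chart's service-account permissions (the templates are not visible here), so the provenance of this image matters more than its size suggests. Consider a fully qualified reference pinned by digest, for example `hookImage: <registry>/rancher/kubectl:v1.30.2@sha256:<digest>`, where the registry and digest are placeholders to fill in.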

27
metal3-chart/Chart.yaml Normal file

@ -0,0 +1,27 @@
#!BuildTag: %%IMG_PREFIX%%metal3-chart:0.8.1
#!BuildTag: %%IMG_PREFIX%%metal3-chart:0.8.1-%RELEASE%
apiVersion: v2
appVersion: 1.16.0
dependencies:
- alias: metal3-baremetal-operator
name: baremetal-operator
repository: file://./charts/baremetal-operator
version: 0.5.0
- alias: metal3-ironic
name: ironic
repository: file://./charts/ironic
version: 0.7.0
- alias: metal3-mariadb
name: mariadb
repository: file://./charts/mariadb
version: 0.5.4
- alias: metal3-media
condition: global.enable_metal3_media_server
name: media
repository: file://./charts/media
version: 0.5.0
description: A Helm chart that installs all of the dependencies needed for Metal3
icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
name: metal3
type: application
version: 0.8.1

100
metal3-chart/README.md Normal file

@ -0,0 +1,100 @@
# Prerequisites
There are two dependencies that are not managed through the metal3 chart because are related to applications that have a cluster-wide scope: `cert-manager` and a LoadBalancer Service provider such as `metallb` or `kube-vip`.
## Cert Manager
In order to successfully deploy metal3 the cluster must have already installed the `cert-manager`.
You can install it through `helm` with:
```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true
```
, or via `kubectl` with:
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.yaml
```
## MetalLB (Optional)
Ironic currently requires a staticIP address and MetalLB is one option to achieve that.
1. If K3s is used as Kubernetes distribution, then it should be started with `--disable=servicelb` flag. Ref https://metallb.universe.tf/configuration/k3s/
2. Find 1 free IP address in the network.
3. Install `MetalLB` through `helm` with:
```bash
helm repo add suse-edge https://suse-edge.github.io/charts
helm install \
metallb suse-edge/metallb \
--namespace metallb-system \
--create-namespace
```
4. Provide the IP pool configuration with:
```bash
export STATIC_IRONIC_IP=<STATIC_IRONIC_IP>
cat <<-EOF | kubectl apply -f -
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: ironic-ip-pool
namespace: metallb-system
spec:
addresses:
- ${STATIC_IRONIC_IP}/32
serviceAllocation:
priority: 100
serviceSelectors:
- matchExpressions:
- {key: app.kubernetes.io/name, operator: In, values: [metal3-ironic]}
EOF
cat <<-EOF | kubectl apply -f -
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: ironic-ip-pool-l2-adv
namespace: metallb-system
spec:
ipAddressPools:
- ironic-ip-pool
EOF
```
5. Create new values.yaml file that will override some of the default properties:
```bash
TMP_DIR=$(mktemp -d)
cat > ${TMP_DIR}/values.yaml << EOF
global:
ironicIP: "<STATIC_IRONIC_IP>"
EOF
```
# Install
```bash
helm install \
metal3 suse-edge/metal3 \
--namespace metal3-system \
--create-namespace
-f ${TMP_DIR}/values.yaml
```
# How to upgrade the chart
1. Run `helm dependency update .` in this chart to download/update the dependent charts.
2. Identify the appropriate subchart values settings and create an appropriate override values YAML file.
* Ensure that the relevant ironic and baremetal-operator settings match.
3. Install the chart using a command like the following:
```console
$ helm upgrade heavy-metal . --namespace metal-cubed --create-namespace --install --values ~/overrides.yaml
```

15
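--- a/metal3-chart/_service
+++ b/metal3-chart/_service
@@ -0,0 +1,15 @@
+<services>
+<service mode="buildtime" name="kiwi_metainfo_helper"/>
+<service name="replace_using_env" mode="buildtime">
+<param name="file">values.yaml</param>
+<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+<param name="var">IMG_PREFIX</param>
+<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
+<param name="var">IMG_REPO</param>
+</service>
+<service name="replace_using_env" mode="buildtime">
+<param name="file">Chart.yaml</param>
+<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+<param name="var">IMG_PREFIX</param>
+</service>
+</services>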


@ -0,0 +1 @@
The metal3 chart is a parent chart that installs all of the other charts that a metal3 deployment needs, but doesn't actually deploy any services itself.

BIN
metal3-chart/charts.obscpio Normal file

Binary file not shown.

Binary file not shown.

130
metal3-chart/values.yaml Normal file

@ -0,0 +1,130 @@
# The metal3 chart is a parent chart that installs
# all of the other charts that a metal3 deployment needs,
# but doesn't actually deploy any services itself.
global:
# IP on which the Ironic services will be exposed
ironicIP: ""
# whether to enable media server.
enable_metal3_media_server: false
# whether to enable dnsmasq on the provisioning network (for PXE boot)
enable_dnsmasq: false
# whether to enable PXE boot capability
# NOTE: enable_dnsmasq must set to 'true' in order for this option to be effective.
enable_pxe_boot: false
# whether to enable tls
enable_tls: true
# whether to enable the TLS of the Virtual Media.
enable_vmedia_tls: true
# whether to enable basic auth
enable_basicAuth: true
auth:
ironicUsername: ""
ironicPassword: ""
ironicInspectorUsername: ""
ironicInspectorPassword: ""
# whether to have additional trusted CA
# NOTE: If enabled, a secret with name tls-ca-additional should be deployed
# The secret should be like this:
# data:
# ca-additional.crt: <b64enc cert>
additionalTrustedCAs: false
# Will be used when tls is enabled
vmediaTLSPort: 6185
# IP address of the router associated with the specified DHCP
# address range
dnsmasqDefaultRouter: ""
# IP address of the dns server to be provided with DHCP
# response
dnsmasqDNSServer: ""
# specify comma-delimited range of IP addresses the DHCP server will manage.
# e.g 192.168.20.20,192.168.20.80
dhcpRange: ""
# Network interface on which provisioning network can be accessed
provisioningInterface: ""
# IP Address assigned to network interface on provisioning network
provisioningIP: ""
# Name for the MariaDB service
databaseServiceName: metal3-mariadb
# In a multi-node cluster use the node selector to ensure the pods
# all run on the same host where the dnsmasqDNSServer and provisioningIP
# and /opt/media exist. Uncomment the nodeSelector and update the
# hostname accordingly.
#nodeSelector:
#kubernetes.io/hostname: "csrancher-n1"
#
# media service
#
# Override any settings for the metal3 media service here
metal3-media:
# location where media files should be placed so that they are
# available to the Ironic deployment services.
mediaVolume:
hostPath: /opt/media
image:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic"
#
# ironic service
#
# Override any settings for the metal3 ironic service here
# Ensure the storageClass is defined
metal3-ironic:
service:
type: LoadBalancer
persistence:
ironic:
# storageClass for the ironic shared volume
storageClass: ""
images:
ironic:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic"
ironicIPADownloader:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader"
#
# Database Service
#
# Override any settings for the metal3 mariadb service here
metal3-mariadb:
# storageClass for the mysql datastore
persistence:
storageClass: ""
image:
repository: "registry.suse.com/edge/mariadb"
tag: "10.6.15.1"
#
# Baremetal Operator
#
# Override any settings for the metal3 baremetal-operator service here
metal3-baremetal-operator:
images:
baremetalOperator:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator"
rbacProxy:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy"
tag: "v0.18.0"
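Review bot: With `enable_basicAuth: true` the four fields under `auth` default to empty strings, and the comments do not say what happens in that case; add a comment such as `# leave empty to have the subcharts generate credentials` if that is what the templates do, or state that the values are required. Passwords supplied through values are stored with the Helm release and are returned by `helm get values`, so a reference to an existing Secret would be a safer interface than `ironicPassword` and `ironicInspectorPassword`. `mediaVolume.hostPath: /opt/media` mounts a node directory into the pod, and a comment on the expected ownership and permissions of that path would help operators.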

23
metallb-chart/Chart.yaml Normal file

@ -0,0 +1,23 @@
#!BuildTag: %%IMG_PREFIX%%metallb-chart:0.14.9
#!BuildTag: %%IMG_PREFIX%%metallb-chart:0.14.9-%RELEASE%
apiVersion: v2
appVersion: v0.14.3
dependencies:
- condition: frrk8s.enabled
name: frr-k8s
repository: file://./charts/frr-k8s
version: 0.0.15
- condition: crds.enabled
name: metallb-crds
repository: file://./charts/metallb-crds
version: 0.14.8
description: A network load-balancer implementation for Kubernetes using standard
routing protocols
home: https://metallb.universe.tf
icon: https://metallb.universe.tf/images/logo/metallb-white.png
kubeVersion: '>= 1.19.0-0'
name: metallb
sources:
- https://github.com/metallb/metallb
type: application
version: 0.14.9
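Review bot: `appVersion: v0.14.3` does not line up with the rest of this chart: the chart version is `0.14.9`, the `metallb-crds` dependency is `0.14.8`, and the README added in the same commit shows AppVersion v0.14.8. The README lists `controller.image.tag` and `speaker.image.tag` as `nil`, so the templates presumably fall back to `appVersion` for the image tag (not visible here), which would deploy older controller and speaker images than the CRDs target. Confirm the intended version and set `appVersion` to match. The `frr-k8s` dependency is `0.0.15` here and `0.0.14` in the README table, so the README should be regenerated.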

169
metallb-chart/README.md Normal file

@ -0,0 +1,169 @@
# metallb
![Version: 0.14.8](https://img.shields.io/badge/Version-0.14.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.14.8](https://img.shields.io/badge/AppVersion-v0.14.8-informational?style=flat-square)
A network load-balancer implementation for Kubernetes using standard routing protocols
**Homepage:** <https://metallb.universe.tf>
## Source Code
* <https://github.com/metallb/metallb>
## Requirements
Kubernetes: `>= 1.19.0-0`
| Repository | Name | Version |
|------------|------|---------|
| | crds | 0.14.8 |
| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.14 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| controller.affinity | object | `{}` | |
| controller.enabled | bool | `true` | |
| controller.extraContainers | list | `[]` | |
| controller.image.pullPolicy | string | `nil` | |
| controller.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/metallb-controller"` | |
| controller.image.tag | string | `nil` | |
| controller.labels | object | `{}` | |
| controller.livenessProbe.enabled | bool | `true` | |
| controller.livenessProbe.failureThreshold | int | `3` | |
| controller.livenessProbe.initialDelaySeconds | int | `10` | |
| controller.livenessProbe.periodSeconds | int | `10` | |
| controller.livenessProbe.successThreshold | int | `1` | |
| controller.livenessProbe.timeoutSeconds | int | `1` | |
| controller.logLevel | string | `"info"` | Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
| controller.nodeSelector | object | `{}` | |
| controller.podAnnotations | object | `{}` | |
| controller.priorityClassName | string | `""` | |
| controller.readinessProbe.enabled | bool | `true` | |
| controller.readinessProbe.failureThreshold | int | `3` | |
| controller.readinessProbe.initialDelaySeconds | int | `10` | |
| controller.readinessProbe.periodSeconds | int | `10` | |
| controller.readinessProbe.successThreshold | int | `1` | |
| controller.readinessProbe.timeoutSeconds | int | `1` | |
| controller.resources | object | `{}` | |
| controller.runtimeClassName | string | `""` | |
| controller.securityContext.fsGroup | int | `65534` | |
| controller.securityContext.runAsNonRoot | bool | `true` | |
| controller.securityContext.runAsUser | int | `65534` | |
| controller.serviceAccount.annotations | object | `{}` | |
| controller.serviceAccount.create | bool | `true` | |
| controller.serviceAccount.name | string | `""` | |
| controller.strategy.type | string | `"RollingUpdate"` | |
| controller.tlsCipherSuites | string | `""` | |
| controller.tlsMinVersion | string | `"VersionTLS12"` | |
| controller.tolerations | list | `[]` | |
| crds.enabled | bool | `true` | |
| crds.validationFailurePolicy | string | `"Fail"` | |
| frrk8s.enabled | bool | `false` | |
| frrk8s.external | bool | `false` | |
| frrk8s.namespace | string | `""` | |
| fullnameOverride | string | `""` | |
| imagePullSecrets | list | `[]` | |
| loadBalancerClass | string | `""` | |
| nameOverride | string | `""` | |
| prometheus.controllerMetricsTLSSecret | string | `""` | |
| prometheus.metricsPort | int | `7472` | |
| prometheus.namespace | string | `""` | |
| prometheus.podMonitor.additionalLabels | object | `{}` | |
| prometheus.podMonitor.annotations | object | `{}` | |
| prometheus.podMonitor.enabled | bool | `false` | |
| prometheus.podMonitor.interval | string | `nil` | |
| prometheus.podMonitor.jobLabel | string | `"app.kubernetes.io/name"` | |
| prometheus.podMonitor.metricRelabelings | list | `[]` | |
| prometheus.podMonitor.relabelings | list | `[]` | |
| prometheus.prometheusRule.additionalLabels | object | `{}` | |
| prometheus.prometheusRule.addressPoolExhausted.enabled | bool | `true` | |
| prometheus.prometheusRule.addressPoolExhausted.labels.severity | string | `"alert"` | |
| prometheus.prometheusRule.addressPoolUsage.enabled | bool | `true` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[0].labels.severity | string | `"warning"` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[0].percent | int | `75` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[1].labels.severity | string | `"warning"` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[1].percent | int | `85` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[2].labels.severity | string | `"alert"` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[2].percent | int | `95` | |
| prometheus.prometheusRule.annotations | object | `{}` | |
| prometheus.prometheusRule.bgpSessionDown.enabled | bool | `true` | |
| prometheus.prometheusRule.bgpSessionDown.labels.severity | string | `"alert"` | |
| prometheus.prometheusRule.configNotLoaded.enabled | bool | `true` | |
| prometheus.prometheusRule.configNotLoaded.labels.severity | string | `"warning"` | |
| prometheus.prometheusRule.enabled | bool | `false` | |
| prometheus.prometheusRule.extraAlerts | list | `[]` | |
| prometheus.prometheusRule.staleConfig.enabled | bool | `true` | |
| prometheus.prometheusRule.staleConfig.labels.severity | string | `"warning"` | |
| prometheus.rbacPrometheus | bool | `true` | |
| prometheus.rbacProxy.pullPolicy | string | `nil` | |
| prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` | |
| prometheus.rbacProxy.tag | string | `"v0.12.0"` | |
| prometheus.scrapeAnnotations | bool | `false` | |
| prometheus.serviceAccount | string | `""` | |
| prometheus.serviceMonitor.controller.additionalLabels | object | `{}` | |
| prometheus.serviceMonitor.controller.annotations | object | `{}` | |
| prometheus.serviceMonitor.controller.tlsConfig.insecureSkipVerify | bool | `true` | |
| prometheus.serviceMonitor.enabled | bool | `false` | |
| prometheus.serviceMonitor.interval | string | `nil` | |
| prometheus.serviceMonitor.jobLabel | string | `"app.kubernetes.io/name"` | |
| prometheus.serviceMonitor.metricRelabelings | list | `[]` | |
| prometheus.serviceMonitor.relabelings | list | `[]` | |
| prometheus.serviceMonitor.speaker.additionalLabels | object | `{}` | |
| prometheus.serviceMonitor.speaker.annotations | object | `{}` | |
| prometheus.serviceMonitor.speaker.tlsConfig.insecureSkipVerify | bool | `true` | |
| prometheus.speakerMetricsTLSSecret | string | `""` | |
| rbac.create | bool | `true` | |
| speaker.affinity | object | `{}` | |
| speaker.enabled | bool | `true` | |
| speaker.excludeInterfaces.enabled | bool | `true` | |
| speaker.extraContainers | list | `[]` | |
| speaker.frr.enabled | bool | `true` | |
| speaker.frr.image.pullPolicy | string | `nil` | |
| speaker.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` | |
| speaker.frr.image.tag | string | `"8.4.2"` | |
| speaker.frr.metricsPort | int | `7473` | |
| speaker.frr.resources | object | `{}` | |
| speaker.frrMetrics.resources | object | `{}` | |
| speaker.ignoreExcludeLB | bool | `false` | |
| speaker.image.pullPolicy | string | `nil` | |
| speaker.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/metallb-speaker"` | |
| speaker.image.tag | string | `nil` | |
| speaker.labels | object | `{}` | |
| speaker.livenessProbe.enabled | bool | `true` | |
| speaker.livenessProbe.failureThreshold | int | `3` | |
| speaker.livenessProbe.initialDelaySeconds | int | `10` | |
| speaker.livenessProbe.periodSeconds | int | `10` | |
| speaker.livenessProbe.successThreshold | int | `1` | |
| speaker.livenessProbe.timeoutSeconds | int | `1` | |
| speaker.logLevel | string | `"info"` | Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
| speaker.memberlist.enabled | bool | `true` | |
| speaker.memberlist.mlBindAddrOverride | string | `""` | |
| speaker.memberlist.mlBindPort | int | `7946` | |
| speaker.memberlist.mlSecretKeyPath | string | `"/etc/ml_secret_key"` | |
| speaker.nodeSelector | object | `{}` | |
| speaker.podAnnotations | object | `{}` | |
| speaker.priorityClassName | string | `""` | |
| speaker.readinessProbe.enabled | bool | `true` | |
| speaker.readinessProbe.failureThreshold | int | `3` | |
| speaker.readinessProbe.initialDelaySeconds | int | `10` | |
| speaker.readinessProbe.periodSeconds | int | `10` | |
| speaker.readinessProbe.successThreshold | int | `1` | |
| speaker.readinessProbe.timeoutSeconds | int | `1` | |
| speaker.reloader.resources | object | `{}` | |
| speaker.resources | object | `{}` | |
| speaker.runtimeClassName | string | `""` | |
| speaker.securityContext | object | `{}` | |
| speaker.serviceAccount.annotations | object | `{}` | |
| speaker.serviceAccount.create | bool | `true` | |
| speaker.serviceAccount.name | string | `""` | |
| speaker.startupProbe.enabled | bool | `true` | |
| speaker.startupProbe.failureThreshold | int | `30` | |
| speaker.startupProbe.periodSeconds | int | `5` | |
| speaker.tolerateMaster | bool | `true` | |
| speaker.tolerations | list | `[]` | |
| speaker.updateStrategy.type | string | `"RollingUpdate"` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)

15
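--- a/metallb-chart/_service
+++ b/metallb-chart/_service
@@ -0,0 +1,15 @@
+<services>
+<service mode="buildtime" name="kiwi_metainfo_helper"/>
+<service name="replace_using_env" mode="buildtime">
+<param name="file">values.yaml</param>
+<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+<param name="var">IMG_PREFIX</param>
+<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
+<param name="var">IMG_REPO</param>
+</service>
+<service name="replace_using_env" mode="buildtime">
+<param name="file">Chart.yaml</param>
+<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+<param name="var">IMG_PREFIX</param>
+</service>
+</services>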

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,448 @@
{
"$schema": "https://json-schema.org/draft-07/schema#",
"title": "Values",
"type": "object",
"definitions": {
"prometheusAlert": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"labels": {
"type": "object",
"additionalProperties": { "type": "string" }
}
},
"required": [ "enabled" ]
},
"probe": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"failureThreshold": {
"type": "integer"
},
"initialDelaySeconds": {
"type": "integer"
},
"periodSeconds": {
"type": "integer"
},
"successThreshold": {
"type": "integer"
},
"timeoutSeconds": {
"type": "integer"
}
},
"required": [
"failureThreshold",
"initialDelaySeconds",
"periodSeconds",
"successThreshold",
"timeoutSeconds"
]
},
"component": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"logLevel": {
"type": "string",
"enum": [ "all", "debug", "info", "warn", "error", "none" ]
},
"image": {
"type": "object",
"properties": {
"repository": {
"type": "string"
},
"tag": {
"anyOf": [
{ "type": "string" },
{ "type": "null" }
]
},
"pullPolicy": {
"anyOf": [
{
"type": "null"
},
{
"type": "string",
"enum": [ "Always", "IfNotPresent", "Never" ]
}
]
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"name": {
"type": "string"
},
"annotations": {
"type": "object"
}
}
},
"resources": {
"type": "object"
},
"nodeSelector": {
"type": "object"
},
"tolerations": {
"type": "array",
"items": {
"type": "object"
}
},
"priorityClassName": {
"type":"string"
},
"runtimeClassName": {
"type":"string"
},
"affinity": {
"type": "object"
},
"podAnnotations": {
"type": "object"
},
"livenessProbe": {
"$ref": "#/definitions/probe"
},
"readinessProbe": {
"$ref": "#/definitions/probe"
}
},
"required": [
"image",
"serviceAccount"
]
}
},
"properties": {
"imagePullSecrets": {
"description": "Secrets used for pulling images",
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
},
"required": [ "name" ],
"additionalProperties": false
}
},
"nameOverride": {
"description": "Override chart name",
"type": "string"
},
"fullNameOverride": {
"description": "Override fully qualified app name",
"type": "string"
},
"configInLine": {
"description": "MetalLB configuration",
"type": "object"
},
"loadBalancerClass": {
"type":"string"
},
"rbac": {
"description": "RBAC configuration",
"type": "object",
"properties": {
"create": {
"description": "Enable RBAC",
"type": "boolean"
}
}
},
"prometheus": {
"description": "Prometheus monitoring config",
"type": "object",
"properties": {
"scrapeAnnotations": { "type": "boolean" },
"metricsPort": { "type": "integer" },
"secureMetricsPort": { "type": "integer" },
"rbacPrometheus": { "type": "boolean" },
"serviceAccount": { "type": "string" },
"namespace": { "type": "string" },
"rbacProxy": {
"description": "kube-rbac-proxy configuration",
"type": "object",
"properties": {
"repository": { "type": "string" },
"tag": { "type": "string" }
}
},
"podMonitor": {
"description": "Prometheus Operator PodMonitors",
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"additionalMonitors": { "type": "object" },
"jobLabel": { "type": "string" },
"interval": {
"anyOf": [
{ "type": "integer" },
{ "type": "null" }
]
},
"metricRelabelings": {
"type": "array",
"items": {
"type": "object"
}
},
"relabelings": {
"type": "array",
"items": {
"type": "object"
}
}
}
},
"serviceMonitor": {
"description": "Prometheus Operator ServiceMonitors",
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"jobLabel": { "type": "string" },
"interval": {
"anyOf": [
{ "type": "integer" },
{ "type": "null" }
]
},
"metricRelabelings": {
"type": "array",
"items": {
"type": "object"
}
},
"relabelings": {
"type": "array",
"items": {
"type": "object"
}
}
}
},
"prometheusRule": {
"description": "Prometheus Operator alertmanager alerts",
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"additionalMonitors": { "type": "object" },
"staleConfig": { "$ref": "#/definitions/prometheusAlert" },
"configNotLoaded": { "$ref": "#/definitions/prometheusAlert" },
"addressPoolExhausted": { "$ref": "#/definitions/prometheusAlert" },
"addressPoolUsage": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"thresholds": {
"type": "array",
"items": {
"type": "object",
"properties": {
"percent": {
"type": "integer",
"minimum": 0,
"maximum": 100
},
"labels": {
"type": "object",
"additionalProperties": { "type": "string" }
}
},
"required": [ "percent" ]
}
}
},
"required": [ "enabled" ]
},
"bgpSessionDown": { "$ref": "#/definitions/prometheusAlert" },
"extraAlerts": {
"type": "array",
"items": {
"type": "object"
}
}
},
"required": [
"enabled",
"staleConfig",
"configNotLoaded",
"addressPoolExhausted",
"addressPoolUsage",
"bgpSessionDown"
]
}
},
"required": [ "podMonitor", "prometheusRule" ]
},
"controller": {
"allOf": [
{ "$ref": "#/definitions/component" },
{ "description": "MetalLB Controller",
"type": "object",
"properties": {
"strategy": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
},
"required": [ "type" ]
},
"command" : {
"type": "string"
},
"webhookMode" : {
"type": "string"
},
"extraContainers": {
"type": "array",
"items": {
"type": "object"
}
}
}
}
]
},
"speaker": {
"allOf": [
{ "$ref": "#/definitions/component" },
{ "description": "MetalLB Speaker",
"type": "object",
"properties": {
"tolerateMaster": {
"type": "boolean"
},
"memberlist": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"mlBindPort": {
"type": "integer"
},
"mlBindAddrOverride": {
"type": "string"
},
"mlSecretKeyPath": {
"type": "string"
}
}
},
"excludeInterfaces": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
},
"ignoreExcludeLB": {
"type": "boolean"
},
"updateStrategy": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
},
"required": [ "type" ]
},
"runtimeClassName": {
"type": "string"
},
"securityContext": {
"type": "object"
},
"secretName": {
"type": "string"
},
"frr": {
"description": "Install FRR container in speaker deployment",
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"image": { "$ref": "#/definitions/component/properties/image" },
"metricsPort": { "type": "integer" },
"secureMetricsPort": { "type": "integer" },
"resources:": { "type": "object" }
},
"required": [ "enabled" ]
},
"command" : {
"type": "string"
},
"reloader": {
"type": "object",
"properties": {
"resources": { "type": "object" }
}
},
"frrMetrics": {
"type": "object",
"properties": {
"resources": { "type": "object" }
}
},
"extraContainers": {
"type": "array",
"items": {
"type": "object"
}
}
},
"required": [ "tolerateMaster" ]
}
]
},
"crds": {
"description": "CRD configuration",
"type": "object",
"properties": {
"enabled": {
"description": "Enable CRDs",
"type": "boolean"
},
"validationFailurePolicy": {
"description": "Failure policy to use with validating webhooks",
"type": "string",
"enum": [ "Ignore", "Fail" ]
}
}
}
},
"required": [
"controller",
"speaker"
]
}
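Review bot: Under `speaker.frr` the property key is `"resources:"`, with a stray colon inside the name, so `speaker.frr.resources` is never checked against the schema; it should read `"resources": { "type": "object" }`. The top-level `fullNameOverride` has the same effect, because the values file spells the key `fullnameOverride`, and since the schema does not set `additionalProperties: false` at that level both mismatches pass silently. `podMonitor.interval` and `serviceMonitor.interval` accept only an integer or null, so a duration string would be rejected; if durations are intended, `{ "type": "string" }` alongside null looks like the right shape.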

380
metallb-chart/values.yaml Normal file

@ -0,0 +1,380 @@
# Default values for metallb.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# MetalLB supports LoadBalancerClass, which allows multiple load balancer implementations to co-exist.
# In order to set the loadbalancer class MetalLB should be listening for, the --lb-class=<CLASS_NAME>
# parameter must be provided to both the speaker and the controller.
loadBalancerClass: ""
# To configure MetalLB, you must specify ONE of the following two
# options.
rbac:
# create specifies whether to install and use RBAC rules.
create: true
prometheus:
# scrape annotations specifies whether to add Prometheus metric
# auto-collection annotations to pods. See
# https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
# for a corresponding Prometheus configuration. Alternatively, you
# may want to use the Prometheus Operator
# (https://github.com/coreos/prometheus-operator) for more powerful
# monitoring configuration. If you use the Prometheus operator, this
# can be left at false.
scrapeAnnotations: false
# port both controller and speaker will listen on for metrics
metricsPort: 7472
# if set, enables rbac proxy on the controller and speaker to expose
# the metrics via tls.
# secureMetricsPort: 9120
# the name of the secret to be mounted in the speaker pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
speakerMetricsTLSSecret: ""
# the name of the secret to be mounted in the controller pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
controllerMetricsTLSSecret: ""
# prometheus doens't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
rbacPrometheus: true
# the service account used by prometheus
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
serviceAccount: ""
# the namespace where prometheus is deployed
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
namespace: ""
# the image to be used for the kuberbacproxy container
rbacProxy:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy"
tag: "v0.18.0"
pullPolicy: IfNotPresent
# Prometheus Operator PodMonitors
podMonitor:
# enable support for Prometheus Operator
enabled: false
# optional additionnal labels for podMonitors
additionalLabels: {}
# optional annotations for podMonitors
annotations: {}
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator ServiceMonitors. To be used as an alternative
# to podMonitor, supports secure metrics.
serviceMonitor:
# enable support for Prometheus Operator
enabled: false
speaker:
# optional additional labels for the speaker serviceMonitor
additionalLabels: {}
# optional additional annotations for the speaker serviceMonitor
annotations: {}
# optional tls configuration for the speaker serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
controller:
# optional additional labels for the controller serviceMonitor
additionalLabels: {}
# optional additional annotations for the controller serviceMonitor
annotations: {}
# optional tls configuration for the controller serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator alertmanager alerts
prometheusRule:
# enable alertmanager alerts
enabled: false
# optional additionnal labels for prometheusRules
additionalLabels: {}
# optional annotations for prometheusRules
annotations: {}
# MetalLBStaleConfig
staleConfig:
enabled: true
labels:
severity: warning
# MetalLBConfigNotLoaded
configNotLoaded:
enabled: true
labels:
severity: warning
# MetalLBAddressPoolExhausted
addressPoolExhausted:
enabled: true
labels:
severity: alert
addressPoolUsage:
enabled: true
thresholds:
- percent: 75
labels:
severity: warning
- percent: 85
labels:
severity: warning
- percent: 95
labels:
severity: alert
# MetalLBBGPSessionDown
bgpSessionDown:
enabled: true
labels:
severity: alert
extraAlerts: []
# controller contains configuration specific to the MetalLB cluster
# controller.
controller:
enabled: true
# -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
# command: /controller
# webhookMode: enabled
image:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller"
tag: "v0.14.8"
pullPolicy: IfNotPresent
## @param controller.updateStrategy.type Metallb controller deployment strategy type.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## e.g:
## strategy:
## type: RollingUpdate
## rollingUpdate:
## maxSurge: 25%
## maxUnavailable: 25%
##
strategy:
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
securityContext:
runAsNonRoot: true
# nobody
runAsUser: 65534
fsGroup: 65534
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
runtimeClassName: ""
affinity: {}
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
tlsMinVersion: "VersionTLS12"
tlsCipherSuites: ""
extraContainers: []
# speaker contains configuration specific to the MetalLB speaker
# daemonset.
speaker:
enabled: true
# command: /speaker
# -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
tolerateMaster: true
memberlist:
enabled: true
mlBindPort: 7946
mlBindAddrOverride: ""
mlSecretKeyPath: "/etc/ml_secret_key"
excludeInterfaces:
enabled: true
# ignore the exclude-from-external-loadbalancer label
ignoreExcludeLB: false
image:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker"
tag: "v0.14.8"
pullPolicy: IfNotPresent
## @param speaker.updateStrategy.type Speaker daemonset strategy type
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
##
updateStrategy:
## StrategyType
## Can be set to RollingUpdate or OnDelete
##
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
## Defines a secret name for the controller to generate a memberlist encryption secret
## By default secretName: {{ "metallb.fullname" }}-memberlist
##
# secretName:
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
affinity: {}
## Selects which runtime class will be used by the pod.
runtimeClassName: ""
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
startupProbe:
enabled: true
failureThreshold: 30
periodSeconds: 5
# frr contains configuration specific to the MetalLB FRR container,
# for speaker running alongside FRR.
frr:
enabled: false
image:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%frr"
tag: "8.4"
pullPolicy: IfNotPresent
metricsPort: 7473
resources: {}
# if set, enables a rbac proxy sidecar container on the speaker to
# expose the frr metrics via tls.
# secureMetricsPort: 9121
reloader:
resources: {}
frrMetrics:
resources: {}
extraContainers: []
crds:
enabled: true
validationFailurePolicy: Fail
# frrk8s contains the configuration related to using an frrk8s instance
# (github.com/metallb/frr-k8s) as the backend for the BGP implementation.
# This allows configuring additional frr parameters in combination to those
# applied by MetalLB.
frrk8s:
# if set, enables frrk8s as a backend. This is mutually exclusive to frr
# mode.
enabled: false
external: false
namespace: ""
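Review bot: Both `prometheus.serviceMonitor.speaker.tlsConfig` and `prometheus.serviceMonitor.controller.tlsConfig` default to `insecureSkipVerify: true`, so once secure metrics are enabled Prometheus scrapes over TLS without checking who presented the certificate. That fits the self-signed fallback described for `speakerMetricsTLSSecret` and `controllerMetricsTLSSecret`, but the default stays in effect when an operator supplies a real certificate through those secrets. I would add a comment above each `tlsConfig`, for example `# insecureSkipVerify is only appropriate with the self-signed fallback; set it to false and supply the CA when a metrics TLS secret is configured`. The templates that consume these values are not part of this section, so how `tlsConfig` is rendered should be confirmed there.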


@ -0,0 +1,32 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%
#!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends metallb-controller-0148; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.metallb
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Metallb Controller Container Image"
LABEL org.opencontainers.image.description="metallb-controller based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%metallb-controller_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="l3"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
ENTRYPOINT ["/controller"]
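Review bot: The `RUN zypper --installroot /installroot ... install ... metallb-controller-0148; zypper -n clean; rm -rf /var/log/*` line chains its commands with `;`, so the step's exit status is that of the final `rm` and a failed package install still produces an image, one without `/controller` or with a partially populated `/installroot`. Chaining with `&&` makes the build stop on a failed install: `RUN zypper --installroot /installroot --non-interactive install --no-recommends metallb-controller-0148 && zypper -n clean && rm -rf /var/log/*`. The cleanup commands also act on the `base` stage's own cache and `/var/log` rather than on `/installroot`, which is what `COPY --from=base /installroot /` ships, so they probably do not shrink the final image; that is worth confirming. The metallb-speaker Dockerfile later in this commit has the same `RUN` line with `metallb-speaker-0148`.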


@ -0,0 +1,17 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%metallb-controller_version%%</param>
<param name="package">metallb-controller-0148</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
</services>


@ -0,0 +1,32 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%
#!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends metallb-speaker-0148; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.metallb
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Metallb Speaker Container Image"
LABEL org.opencontainers.image.description="metallb-speaker based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%metallb-speaker_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="l3"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
ENTRYPOINT ["/speaker"]


@ -0,0 +1,17 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%metallb-speaker_version%%</param>
<param name="package">metallb-speaker-0148</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
</services>


@ -0,0 +1,13 @@
#!BuildTag: %%IMG_PREFIX%%sriov-crd-chart:1.3.0-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%sriov-crd-chart:1.3.0
annotations:
catalog.cattle.io/experimental: "true"
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-sriov-system
catalog.cattle.io/permits-os: linux
catalog.cattle.io/release-name: sriov-crd
apiVersion: v2
description: Installs the CRDs for the SR-IOV operator
name: sriov-crd
type: application
version: 1.3.0

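--- a/sriov-crd-chart/_service
+++ b/sriov-crd-chart/_service
@@ -0,0 +1,8 @@
+<services>
+<service mode="buildtime" name="kiwi_metainfo_helper"/>
+<service name="replace_using_env" mode="buildtime">
+<param name="file">Chart.yaml</param>
+<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+<param name="var">IMG_PREFIX</param>
+</service>
+</services>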

Binary file not shown.


@ -0,0 +1,28 @@
#!BuildTag: %%IMG_PREFIX%%sriov-network-operator-chart:1.3.0-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%sriov-network-operator-chart:1.3.0
annotations:
catalog.cattle.io/auto-install: sriov-crd=match
catalog.cattle.io/experimental: "true"
catalog.cattle.io/namespace: cattle-sriov-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux
catalog.cattle.io/upstream-version: 1.3.0
apiVersion: v2
appVersion: v1.3.0
dependencies:
- condition: sriov-nfd.enabled
name: sriov-nfd
repository: file://./charts/sriov-nfd
version: 0.15.6
description: SR-IOV network operator configures and manages SR-IOV networks in the
kubernetes cluster
home: https://github.com/k8snetworkplumbingwg/sriov-network-operator
icon: https://charts.rancher.io/assets/logos/sr-iov.svg
keywords:
- sriov
kubeVersion: '>= 1.16.0-0'
name: sriov-network-operator
sources:
- https://github.com/k8snetworkplumbingwg/sriov-network-operator
type: application
version: 1.3.0


@ -0,0 +1,130 @@
# SR-IOV Network Operator Helm Chart
SR-IOV Network Operator Helm Chart provides an easy way to install, configure and manage
the lifecycle of SR-IOV network operator.
## SR-IOV Network Operator
SR-IOV Network Operator leverages [Kubernetes CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
and [Operator SDK](https://github.com/operator-framework/operator-sdk) to configure and manage SR-IOV networks in a Kubernetes cluster.
SR-IOV Network Operator features:
- Initialize the supported SR-IOV NIC types on selected nodes.
- Provision/upgrade SR-IOV device plugin executable on selected node.
- Provision/upgrade SR-IOV CNI plugin executable on selected nodes.
- Manage configuration of SR-IOV device plugin on host.
- Generate net-att-def CRs for SR-IOV CNI plugin
- Supports operation in a virtualized Kubernetes deployment
- Discovers VFs attached to the Virtual Machine (VM)
- Does not require attached of associated PFs
- VFs can be associated to SriovNetworks by selecting the appropriate PciAddress as the RootDevice in the SriovNetworkNodePolicy
## QuickStart
### Prerequisites
- Kubernetes v1.17+
- Helm v3
### Install Helm
Helm provides an install script to copy helm binary to your system:
```
$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
$ chmod 500 get_helm.sh
$ ./get_helm.sh
```
For additional information and methods for installing Helm, refer to the official [helm website](https://helm.sh/)
### Deploy SR-IOV Network Operator
```
# Install Operator
$ helm install -n sriov-network-operator --create-namespace --wait sriov-network-operator ./
# View deployed resources
$ kubectl -n sriov-network-operator get pods
```
In the case that [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) is enabled, the sriov network operator namespace will require a security level of 'privileged'
```
$ kubectl label ns sriov-network-operator pod-security.kubernetes.io/enforce=privileged
```
## Chart parameters
In order to tailor the deployment of the network operator to your cluster needs
We have introduced the following Chart parameters.
| Name | Type | Default | description |
| ---- |------|---------|-------------|
| `imagePullSecrets` | list | `[]` | An optional list of references to secrets to use for pulling any of the SR-IOV Network Operator image |
| `supportedExtraNICs` | list | `[]` | An optional list of whitelisted NICs |
### Operator parameters
| Name | Type | Default | description |
| ---- | ---- | ------- | ----------- |
| `operator.tolerations` | list | `[{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"},{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoSchedule"}]` | Operator's tolerations |
| `operator.nodeSelector` | object | {} | Operator's node selector |
| `operator.affinity` | object | `{"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/master","operator":"In","values":[""]}]}},{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/control-plane","operator":"In","values":[""]}]}}]}}` | Operator's afffinity configuration |
| `operator.nameOverride` | string | `` | Operator's resource name override |
| `operator.fullnameOverride` | string | `` | Operator's resource full name override |
| `operator.resourcePrefix` | string | `openshift.io` | Device plugin resource prefix |
| `operator.cniBinPath` | string | `/opt/cni/bin` | Path for CNI binary |
| `operator.clustertype` | string | `kubernetes` | Cluster environment type |
#### Admission Controllers parameters
The admission controllers can be enabled by switching on a single parameter `operator.admissionControllers.enabled`. By
default, the user needs to pre-create Kubernetes Secrets that match the names provided in
`operator.admissionControllers.certificates.secretNames`. The secrets should have 3 fields populated with the relevant
content:
* `ca.crt` (value needs to be base64 encoded twice)
* `tls.crt`
* `tls.key`
Aside from the aforementioned mode, the chart supports 3 more modes for certificate consumption by the admission
controllers, which can be found in the table below. In a nutshell, the modes that are supported are:
* Consume pre-created Certificates managed by cert-manager
* Generate self signed Certificates managed by cert-manager
* Specify the content of the certificates as Helm values
| Name | Type | Default | description |
| ---- | ---- | ------- | ----------- |
| `operator.admissionControllers.enabled` | bool | false | Flag that switches on the admission controllers |
| `operator.admissionControllers.certificates.secretNames.operator` | string | `operator-webhook-cert` | Secret that stores the certificate for the Operator's admission controller |
| `operator.admissionControllers.certificates.secretNames.injector` | string | `network-resources-injector-cert` | Secret that stores the certificate for the Network Resources Injector's admission controller |
| `operator.admissionControllers.certificates.certManager.enabled` | bool | false | Flag that switches on consumption of certificates managed by cert-manager |
| `operator.admissionControllers.certificates.certManager.generateSelfSigned` | bool | false | Flag that switches on generation of self signed certificates managed by cert-manager. The secrets in which the certificates are stored will have the names provided in `operator.admissionControllers.certificates.secretNames` |
| `operator.admissionControllers.certificates.custom.enabled` | bool | false | Flag that switches on consumption of user provided certificates that are part of `operator.admissionControllers.certificates.custom.operator` and `operator.admissionControllers.certificates.custom.injector` objects |
| `operator.admissionControllers.certificates.custom.operator.caCrt` | string | `` | The CA certificate to be used by the Operator's admission controller |
| `operator.admissionControllers.certificates.custom.operator.tlsCrt` | string | `` | The public part of the certificate to be used by the Operator's admission controller |
| `operator.admissionControllers.certificates.custom.operator.tlsKey` | string | `` | The private part of the certificate to be used by the Operator's admission controller |
| `operator.admissionControllers.certificates.custom.injector.caCrt` | string | `` | The CA certificate to be used by the Network Resources Injector's admission controller |
| `operator.admissionControllers.certificates.custom.injector.tlsCrt` | string | `` | The public part of the certificate to be used by the Network Resources Injector's admission controller |
| `operator.admissionControllers.certificates.custom.injector.tlsKey` | string | `` | The private part of the certificate to be used by the Network Resources Injector's admission controller |
### SR-IOV Operator Configuration Parameters
This section contains general parameters that apply to both the operator and daemon componets of SR-IOV Network Operator.
| Name | Type | Default | description |
| ---- | ---- | ------- | ----------- |
| `sriovOperatorConfig.deploy` | bool | `false` | deploy SriovOperatorConfig custom resource |
| `sriovOperatorConfig.configDaemonNodeSelector` | map[string]string | `{}` | node slectors for sriov-network-config-daemon |
| `sriovOperatorConfig.logLevel` | int | `2` | log level for both operator and sriov-network-config-daemon |
| `sriovOperatorConfig.disableDrain` | bool | `false` | disable node draining when configuring SR-IOV, set to true in case of a single node cluster or any other justifiable reason |
| `sriovOperatorConfig.configurationMode` | string | `daemon` | sriov-network-config-daemon configuration mode. either `daemon` or `systemd` |
### Images parameters
| Name | description |
| ---- | ----------- |
| `images.operator` | Operator controller image |
| `images.sriovConfigDaemon` | Daemon node agent image |
| `images.sriovCni` | SR-IOV CNI image |
| `images.ibSriovCni` | InfiniBand SR-IOV CNI image |
| `images.sriovDevicePlugin` | SR-IOV device plugin image |
| `images.resourcesInjector` | Resources Injector image |
| `images.webhook` | Operator Webhook image |


@ -0,0 +1,8 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service name="replace_using_env" mode="buildtime">
<param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="var">IMG_PREFIX</param>
</service>
</services>


@ -0,0 +1,13 @@
# Rancher SR-IOV Network Operator
This chart is based on the upstream [k8snetworkplumbingwg/sriov-network-operator](https://github.com/k8snetworkplumbingwg/sriov-network-operator) project. The chart deploys the SR-IOV Operator and its CRDs, which are designed to help the user provision and configure the SR-IOV CNI in a cluster that uses [Multus CNI](https://github.com/k8snetworkplumbingwg/multus-cni), to provide high performing extra network interfaces to pods. This chart is expected to be deployed on an RKE2 cluster and only meant for advanced use cases where multiple CNI plugins and high performing network interfaces on pods are required. Users who do not need these features are not advised to install this chart.
The chart installs the following components:
- SR-IOV Operator - An operator that helps provision and configure the SR-IOV CNI plugin and SR-IOV Device plugin
- SR-IOV Network Config Daemon - A Daemon deployed by the Operator that discovers SR-IOV NICs on each node
Note that SR-IOV requires NICs that support SR-IOV and the activation of specific configuration options in the operating system. Nodes that fulfill these requirements should be labeled with: `feature.node.kubernetes.io/network-sriov.capable=true`.
The SR-IOV Network Config Daemon will be deployed on such capable nodes. For more information on how to use this feature, refer to our RKE2 networking docs.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,124 @@
operator:
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
- effect: NoExecute
key: node-role.kubernetes.io/etcd
operator: Exists
nodeSelector: {}
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: "node-role.kubernetes.io/master"
operator: In
values: [""]
- weight: 1
preference:
matchExpressions:
- key: "node-role.kubernetes.io/control-plane"
operator: In
values: [""]
nameOverride: ""
fullnameOverride: ""
resourcePrefix: "rancher.io"
cniBinPath: "/opt/cni/bin"
clusterType: "kubernetes"
admissionControllers:
enabled: false
certificates:
secretNames:
operator: "operator-webhook-cert"
injector: "network-resources-injector-cert"
certManager:
# When enabled, makes use of certificates managed by cert-manager.
enabled: false
# When enabled, certificates are generated via cert-manager and then name will match the name of the secrets
# defined above
generateSelfSigned: false
# If not specified, no secret is created and secrets with the names defined above are expected to exist in the
# cluster. In that case, the ca.crt must be base64 encoded twice since it ends up being an env variable.
custom:
enabled: false
# operator:
# caCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsKey: |
# -----BEGIN EC PRIVATE KEY-----
# MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
# ...
# -----END EC PRIVATE KEY-----
# injector:
# caCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsKey: |
# -----BEGIN EC PRIVATE KEY-----
# MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
# ...
# -----END EC PRIVATE KEY-----
sriovOperatorConfig:
# deploy sriovOperatorConfig CR with the below values
deploy: true
# node slectors for sriov-network-config-daemon
configDaemonNodeSelector: {feature.node.kubernetes.io/network-sriov.capable: 'true'}
# log level for both operator and sriov-network-config-daemon
logLevel: 2
# disable node draining when configuring SR-IOV, set to true in case of a single node
# cluster or any other justifiable reason
disableDrain: false
# sriov-network-config-daemon configuration mode. either "daemon" or "systemd"
configurationMode: daemon
# Example for supportedExtraNICs values ['MyNIC: "8086 1521 1520"']
supportedExtraNICs: []
# Image URIs for sriov-network-operator components
images:
operator:
repository: rancher/hardened-sriov-network-operator
tag: v1.3.0-build20240816
sriovConfigDaemon:
repository: rancher/hardened-sriov-network-config-daemon
tag: v1.3.0-build20240816
sriovCni:
repository: rancher/hardened-sriov-cni
tag: v2.8.1-build20240820
ibSriovCni:
repository: rancher/hardened-ib-sriov-cni
tag: v1.1.1-build20240816
sriovDevicePlugin:
repository: rancher/hardened-sriov-network-device-plugin
tag: v3.7.0-build20240816
resourcesInjector:
repository: rancher/hardened-sriov-network-resources-injector
tag: v1.6.0-build20240816
webhook:
repository: rancher/hardened-sriov-network-webhook
tag: v1.3.0-build20240816
imagePullSecrets: []
global:
cattle:
systemDefaultRegistry: ""
rbac:
userRoles:
aggregateToDefaultRoles: false
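Review bot: The commented `custom` example under `operator.admissionControllers.certificates` shows `tlsKey` being passed as a Helm value, but nothing tells the user that private keys supplied this way are stored with the Helm release data and usually also sit in a values file. I would add a comment above `custom:` such as `# Private keys set under custom.* are kept in the Helm release data; prefer certManager or pre-created secrets outside test clusters`. Separately, `resourcePrefix: "rancher.io"` and `sriovOperatorConfig.deploy: true` differ from the defaults listed in the chart README in this commit (`openshift.io` and `false`), and the README spells the key `operator.clustertype` while this file uses `clusterType`, so one of the two should be aligned.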


@ -0,0 +1,13 @@
#!BuildTag: %%IMG_PREFIX%%upgrade-controller-chart:0.1.0
#!BuildTag: %%IMG_PREFIX%%upgrade-controller-chart:0.1.0-%RELEASE%
apiVersion: v2
appVersion: 0.1.0
dependencies:
- condition: crds.enabled
name: lifecycle-crds
repository: file://./charts/lifecycle-crds
version: 0.1.0
description: A Helm chart for Upgrade Controller
name: upgrade-controller
type: application
version: 0.1.0


@ -0,0 +1,16 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service name="replace_using_env" mode="buildtime">
<param name="file">values.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="var">IMG_PREFIX</param>
</service>
</services>

Binary file not shown.

Binary file not shown.


@ -0,0 +1,91 @@
# Default values for upgrade-controller.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: %%IMG_REPO%%/%%IMG_PREFIX%%upgrade-controller
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
env:
releaseManifest:
image: %%IMG_REPO%%/%%IMG_PREFIX%%release-manifest
kubectl:
image: %%IMG_REPO%%/%%IMG_PREFIX%%kubectl
version: 1.30.3
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
podSecurityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
webhookService:
name: webhook-server
type: ClusterIP
port: 443
targetPort: 9443
resources: {}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
# Always keep the cert volume first in case others are appended
# or adjust the certificate resources lookup.
volumes:
- name: cert
secret:
secretName: webhook-server-cert
defaultMode: 420
optional: false
volumeMounts:
- name: cert
mountPath: "/tmp/k8s-webhook-server/serving-certs"
readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
crds:
enabled: true
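Review bot: The container `securityContext` drops all capabilities and disables privilege escalation but leaves the root filesystem writable; adding `readOnlyRootFilesystem: true` next to `allowPrivilegeEscalation: false` would complete the hardening. The serving certificates already arrive through the read-only `cert` volume, so this should work provided the manager writes nowhere else, which these values alone do not show. `resources: {}` also ships the controller with no requests or limits, so a modest default request and memory limit would be worth setting here rather than leaving it to each installer.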


@ -0,0 +1,38 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%upgrade-controller:0.1.0
#!BuildTag: %%IMG_PREFIX%%upgrade-controller:0.1.0-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends upgrade-controller-010; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.upgrade-controller
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Edge Upgrade Controller Container Image"
LABEL org.opencontainers.image.description="Edge Update Controller Image based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="0.1.0"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%upgrade-controller:0.1.0-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="techpreview"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
RUN mv /usr/bin/upgrade-controller /manager
# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
USER 65532
ENTRYPOINT [ "/manager" ]
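Review bot: On the `RUN zypper …` line in the base stage the three commands are joined with `;`, so the step's exit status is that of the trailing `rm -rf` and a failed or partial `zypper install` does not stop the build at that step. Chaining them makes the failure visible where it happens: `RUN zypper --installroot /installroot --non-interactive install --no-recommends upgrade-controller-010 && zypper -n clean && rm -rf /var/log/*`. The cleanup also acts on the base stage's own root, which is discarded, so anything the install writes under `/installroot/var/log` or `/installroot/var/cache` would presumably still be carried over by `COPY --from=base /installroot /`; it is worth checking and cleaning those paths in the same `RUN`.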


@ -0,0 +1,10 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
</services>