diff --git a/baremetal-operator-image/Dockerfile b/baremetal-operator-image/Dockerfile
new file mode 100644
index 0000000..2880cad
--- /dev/null
+++ b/baremetal-operator-image/Dockerfile
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%
+#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%-%RELEASE%
+#!BuildVersion: 15.6
+ARG SLE_VERSION
+FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
+
+FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
+COPY --from=micro / /installroot/
+RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator-061 iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
+
+FROM micro AS final
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.baremetal-operator
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE baremetal-operator Container Image"
+LABEL org.opencontainers.image.description="baremetal-operator based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%%baremetal-operator_version%%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="l3"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+COPY --from=base /installroot /
+RUN groupadd -r -g 11000 bmo
+RUN useradd -u 11000 -g 11000 bmo
+ENTRYPOINT [ "/usr/bin/baremetal-operator" ]
diff --git a/baremetal-operator-image/_service b/baremetal-operator-image/_service
new file mode 100644
index 0000000..7decba7
--- /dev/null
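Review bot: The `final` stage creates uid/gid 11000 (`bmo`) but never switches to it, so with no `USER` directive the operator still starts as root; add `USER 11000:11000` after the `useradd` line and before `ENTRYPOINT`, and the two account lines can be one layer, `RUN groupadd -r -g 11000 bmo && useradd -r -u 11000 -g 11000 bmo`. In the `base` stage the zypper install is chained with `;`, so a failed package install does not fail the build and a partial `/installroot` is silently copied into `final`; `&&` is the intended operator there. The trailing `zypper -n clean; rm -rf /var/log/*` in that same line appear to act on the base stage's own filesystem rather than on `/installroot`, which is the only tree copied into the runtime image, so they likely do not reduce the final image. `vim` is also installed into the runtime root alongside the operator; unless it is required at runtime, dropping it shrinks the attack surface and the CVE scan footprint of a released image.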
+++ b/baremetal-operator-image/_service @@ -0,0 +1,17 @@ + + + + + Dockerfile + %%baremetal-operator_version%% + baremetal-operator-061 + patch + + + Dockerfile + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo) + IMG_REPO + + diff --git a/cdi-chart/Chart.yaml b/cdi-chart/Chart.yaml new file mode 100644 index 0000000..641cfc7 --- /dev/null +++ b/cdi-chart/Chart.yaml @@ -0,0 +1,9 @@ +#!BuildTag: %%IMG_PREFIX%%cdi-chart:0.4.0 +#!BuildTag: %%IMG_PREFIX%%cdi-chart:0.4.0-%RELEASE% +apiVersion: v2 +appVersion: 1.60.1 +description: A Helm chart for Containerized Data Importer (CDI) +icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg +name: cdi +type: application +version: 0.4.0 diff --git a/cdi-chart/_service b/cdi-chart/_service new file mode 100644 index 0000000..6b8f891 --- /dev/null +++ b/cdi-chart/_service @@ -0,0 +1,8 @@ + + + + Chart.yaml + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + + diff --git a/cdi-chart/crds.obscpio b/cdi-chart/crds.obscpio new file mode 100644 index 0000000..934dbbb Binary files /dev/null and b/cdi-chart/crds.obscpio differ diff --git a/cdi-chart/templates.obscpio b/cdi-chart/templates.obscpio new file mode 100644 index 0000000..f1fb05f Binary files /dev/null and b/cdi-chart/templates.obscpio differ diff --git a/cdi-chart/values.yaml b/cdi-chart/values.yaml new file mode 100644 index 0000000..b4c1fef --- /dev/null +++ b/cdi-chart/values.yaml 
@@ -0,0 +1,38 @@ +deployment: + version: 1.60.1-150600.3.9.1 + operatorImage: registry.suse.com/suse/sles/15.6/cdi-operator + controllerImage: registry.suse.com/suse/sles/15.6/cdi-controller + importerImage: registry.suse.com/suse/sles/15.6/cdi-importer + clonerImage: registry.suse.com/suse/sles/15.6/cdi-cloner + apiserverImage: registry.suse.com/suse/sles/15.6/cdi-apiserver + uploadserverImage: registry.suse.com/suse/sles/15.6/cdi-uploadserver + uploadproxyImage: registry.suse.com/suse/sles/15.6/cdi-uploadproxy + pullPolicy: IfNotPresent + +cdi: + config: + featureGates: + - HonorWaitForFirstConsumer + imagePullPolicy: "IfNotPresent" + infra: + nodeSelector: + kubernetes.io/os: linux + tolerations: + - key: CriticalAddonsOnly + operator: Exists + uninstallStrategy: "" + workload: + nodeSelector: + kubernetes.io/os: linux + +hookImage: rancher/kubectl:v1.30.2 +hookRestartPolicy: OnFailure +hookSecurityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/metal3-chart/Chart.yaml b/metal3-chart/Chart.yaml new file mode 100644 index 0000000..50f2777 --- /dev/null +++ b/metal3-chart/Chart.yaml 
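Review bot: `hookImage: rancher/kubectl:v1.30.2` is the one image in this values file that is not sourced from `registry.suse.com` and is not templated through `%%IMG_REPO%%`/`%%IMG_PREFIX%%` like the operator images, so the chart's hook pods pull a third-party image from the node's default registry with only a mutable tag as a pin. If a kubectl image exists in the product registry it should be referenced the same way as the others; otherwise a comment above the key such as `# external image (not rewritten by the build service); pin by digest for production or air-gapped use` would at least document the exception. The `hookSecurityContext` block is a good baseline; `readOnlyRootFilesystem: true` is commonly set alongside these values for a kubectl-only hook and would complete it.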
@@ -0,0 +1,27 @@ +#!BuildTag: %%IMG_PREFIX%%metal3-chart:0.8.1 +#!BuildTag: %%IMG_PREFIX%%metal3-chart:0.8.1-%RELEASE% +apiVersion: v2 +appVersion: 1.16.0 +dependencies: +- alias: metal3-baremetal-operator + name: baremetal-operator + repository: file://./charts/baremetal-operator + version: 0.5.0 +- alias: metal3-ironic + name: ironic + repository: file://./charts/ironic + version: 0.7.0 +- alias: metal3-mariadb + name: mariadb + repository: file://./charts/mariadb + version: 0.5.4 +- alias: metal3-media + condition: global.enable_metal3_media_server + name: media + repository: file://./charts/media + version: 0.5.0 +description: A Helm chart that installs all of the dependencies needed for Metal3 +icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg +name: metal3 +type: application +version: 0.8.1 diff --git a/metal3-chart/README.md b/metal3-chart/README.md new file mode 100644 index 0000000..c6ccadd --- /dev/null +++ b/metal3-chart/README.md 
@@ -0,0 +1,100 @@ +# Prerequisites +There are two dependencies that are not managed through the metal3 chart because are related to applications that have a cluster-wide scope: `cert-manager` and a LoadBalancer Service provider such as `metallb` or `kube-vip`. + +## Cert Manager +In order to successfully deploy metal3 the cluster must have already installed the `cert-manager`. + +You can install it through `helm` with: +```bash +helm repo add jetstack https://charts.jetstack.io +helm repo update +helm install \ + cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --set installCRDs=true +``` +, or via `kubectl` with: +```bash +kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.yaml +``` + +## MetalLB (Optional) +Ironic currently requires a staticIP address and MetalLB is one option to achieve that. + +1. If K3s is used as Kubernetes distribution, then it should be started with `--disable=servicelb` flag. Ref https://metallb.universe.tf/configuration/k3s/ +2. Find 1 free IP address in the network. +3. Install `MetalLB` through `helm` with: + +```bash +helm repo add suse-edge https://suse-edge.github.io/charts +helm install \ + metallb suse-edge/metallb \ + --namespace metallb-system \ + --create-namespace +``` + +4. Provide the IP pool configuration with: + +```bash +export STATIC_IRONIC_IP= + +cat <<-EOF | kubectl apply -f - +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: ironic-ip-pool + namespace: metallb-system +spec: + addresses: + - ${STATIC_IRONIC_IP}/32 + serviceAllocation: + priority: 100 + serviceSelectors: + - matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [metal3-ironic]} +EOF + +cat <<-EOF | kubectl apply -f - +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: ironic-ip-pool-l2-adv + namespace: metallb-system +spec: + ipAddressPools: + - ironic-ip-pool +EOF +``` + +5. 
Create new values.yaml file that will override some of the default properties: + +```bash +TMP_DIR=$(mktemp -d) +cat > ${TMP_DIR}/values.yaml << EOF +global: + ironicIP: "" +EOF +``` + +# Install + +```bash +helm install \ + metal3 suse-edge/metal3 \ + --namespace metal3-system \ + --create-namespace + -f ${TMP_DIR}/values.yaml +``` + +# How to upgrade the chart +1. Run `helm dependency update .` in this chart to download/update the dependent charts. + +2. Identify the appropriate subchart values settings and create an appropriate override values YAML file. + * Ensure that the relevant ironic and baremetal-operator settings match. + +3. Install the chart using a command like the following: + +```console +$ helm upgrade heavy-metal . --namespace metal-cubed --create-namespace --install --values ~/overrides.yaml +``` diff --git a/metal3-chart/_service b/metal3-chart/_service new file mode 100644 index 0000000..c3f6878 --- /dev/null +++ b/metal3-chart/_service @@ -0,0 +1,15 @@ + + + + values.yaml + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo) + IMG_REPO + + + Chart.yaml + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + + diff --git a/metal3-chart/app-readme.md b/metal3-chart/app-readme.md new file mode 100644 index 0000000..a7572b9 --- /dev/null +++ b/metal3-chart/app-readme.md @@ -0,0 +1 @@ +The metal3 chart is a parent chart that installs all of the other charts that a metal3 deployment needs, but doesn't actually deploy any services itself. \ No newline at end of file diff --git a/metal3-chart/charts.obscpio b/metal3-chart/charts.obscpio new file mode 100644 index 0000000..c3b1f6c Binary files /dev/null and b/metal3-chart/charts.obscpio differ diff --git a/metal3-chart/templates.obscpio b/metal3-chart/templates.obscpio new file mode 100644 index 0000000..a34873e Binary files /dev/null and b/metal3-chart/templates.obscpio differ 
diff --git a/metal3-chart/values.yaml b/metal3-chart/values.yaml new file mode 100644 index 0000000..48af6e4 --- /dev/null +++ b/metal3-chart/values.yaml 
@@ -0,0 +1,130 @@ +# The metal3 chart is a parent chart that installs +# all of the other charts that a metal3 deployment needs, +# but doesn't actually deploy any services itself. + +global: + # IP on which the Ironic services will be exposed + ironicIP: "" + + # whether to enable media server. + enable_metal3_media_server: false + + # whether to enable dnsmasq on the provisioning network (for PXE boot) + enable_dnsmasq: false + + # whether to enable PXE boot capability + # NOTE: enable_dnsmasq must set to 'true' in order for this option to be effective. + enable_pxe_boot: false + + # whether to enable tls + enable_tls: true + + # whether to enable the TLS of the Virtual Media. + enable_vmedia_tls: true + + # whether to enable basic auth + enable_basicAuth: true + + auth: + ironicUsername: "" + ironicPassword: "" + ironicInspectorUsername: "" + ironicInspectorPassword: "" + + # whether to have additional trusted CA + # NOTE: If enabled, a secret with name tls-ca-additional should be deployed + # The secret should be like this: + # data: + # ca-additional.crt: + additionalTrustedCAs: false + + # Will be used when tls is enabled + vmediaTLSPort: 6185 + + # IP address of the router associated with the specified DHCP + # address range + dnsmasqDefaultRouter: "" + + # IP address of the dns server to be provided with DHCP + # response + dnsmasqDNSServer: "" + + # specify comma-delimited range of IP addresses the DHCP server will manage. + # e.g 192.168.20.20,192.168.20.80 + dhcpRange: "" + + # Network interface on which provisioning network can be accessed + provisioningInterface: "" + + # IP Address assigned to network interface on provisioning network + provisioningIP: "" + + # Name for the MariaDB service + databaseServiceName: metal3-mariadb + + # In a multi-node cluster use the node selector to ensure the pods + # all run on the same host where the dnsmasqDNSServer and provisioningIP + # and /opt/media exist. 
Uncomment the nodeSelector and update the + # hostname accordingly. + #nodeSelector: + #kubernetes.io/hostname: "csrancher-n1" + +# +# media service +# + +# Override any settings for the metal3 media service here +metal3-media: + # location where media files should be placed so that they are + # available to the Ironic deployment services. + mediaVolume: + hostPath: /opt/media + image: + repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic" + +# +# ironic service +# + +# Override any settings for the metal3 ironic service here +# Ensure the storageClass is defined +metal3-ironic: + service: + type: LoadBalancer + persistence: + ironic: + # storageClass for the ironic shared volume + storageClass: "" + images: + ironic: + repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic" + ironicIPADownloader: + repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader" + +# +# Database Service +# + +# Override any settings for the metal3 mariadb service here +metal3-mariadb: + # storageClass for the mysql datastore + persistence: + storageClass: "" + image: + repository: "registry.suse.com/edge/mariadb" + tag: "10.6.15.1" + +# +# Baremetal Operator +# + +# Override any settings for the metal3 baremetal-operator service here +metal3-baremetal-operator: + images: + baremetalOperator: + repository: "%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator" + rbacProxy: + repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy" + tag: "v0.18.0" + + diff --git a/metallb-chart/Chart.yaml b/metallb-chart/Chart.yaml new file mode 100644 index 0000000..6531cd1 --- /dev/null +++ b/metallb-chart/Chart.yaml 
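Review bot: `metal3-mariadb.image.repository` is hard-coded to `registry.suse.com/edge/mariadb` while every other image in this file goes through `%%IMG_REPO%%/%%IMG_PREFIX%%`, so the `_service` substitution (which only rewrites `IMG_PREFIX`/`IMG_REPO` in `values.yaml`) leaves it pointing at the public registry even in a mirrored or offline build. If that is intentional it deserves a comment; otherwise `repository: "%%IMG_REPO%%/%%IMG_PREFIX%%mariadb"` keeps it consistent, assuming a mariadb image is published under that prefix (to be confirmed). The `global.auth` block has no comment at all; a line such as `# used only when enable_basicAuth is true; supply via an override values file or a secret, do not commit real credentials here` would tell operators how these four fields are meant to be filled without reading the ironic subchart.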
@@ -0,0 +1,23 @@ +#!BuildTag: %%IMG_PREFIX%%metallb-chart:0.14.9 +#!BuildTag: %%IMG_PREFIX%%metallb-chart:0.14.9-%RELEASE% +apiVersion: v2 +appVersion: v0.14.3 +dependencies: +- condition: frrk8s.enabled + name: frr-k8s + repository: file://./charts/frr-k8s + version: 0.0.15 +- condition: crds.enabled + name: metallb-crds + repository: file://./charts/metallb-crds + version: 0.14.8 +description: A network load-balancer implementation for Kubernetes using standard + routing protocols +home: https://metallb.universe.tf +icon: https://metallb.universe.tf/images/logo/metallb-white.png +kubeVersion: '>= 1.19.0-0' +name: metallb +sources: +- https://github.com/metallb/metallb +type: application +version: 0.14.9 diff --git a/metallb-chart/README.md b/metallb-chart/README.md new file mode 100644 index 0000000..68692d1 --- /dev/null +++ b/metallb-chart/README.md 
@@ -0,0 +1,169 @@ +# metallb + +![Version: 0.14.8](https://img.shields.io/badge/Version-0.14.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.14.8](https://img.shields.io/badge/AppVersion-v0.14.8-informational?style=flat-square) + +A network load-balancer implementation for Kubernetes using standard routing protocols + +**Homepage:** + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.19.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | crds | 0.14.8 | +| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.14 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| controller.affinity | object | `{}` | | +| controller.enabled | bool | `true` | | +| controller.extraContainers | list | `[]` | | +| controller.image.pullPolicy | string | `nil` | | +| controller.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/metallb-controller"` | | +| controller.image.tag | string | `nil` | | +| controller.labels | object | `{}` | | +| controller.livenessProbe.enabled | bool | `true` | | +| controller.livenessProbe.failureThreshold | int | `3` | | +| controller.livenessProbe.initialDelaySeconds | int | `10` | | +| controller.livenessProbe.periodSeconds | int | `10` | | +| controller.livenessProbe.successThreshold | int | `1` | | +| controller.livenessProbe.timeoutSeconds | int | `1` | | +| controller.logLevel | string | `"info"` | Controller log level. 
Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` | +| controller.nodeSelector | object | `{}` | | +| controller.podAnnotations | object | `{}` | | +| controller.priorityClassName | string | `""` | | +| controller.readinessProbe.enabled | bool | `true` | | +| controller.readinessProbe.failureThreshold | int | `3` | | +| controller.readinessProbe.initialDelaySeconds | int | `10` | | +| controller.readinessProbe.periodSeconds | int | `10` | | +| controller.readinessProbe.successThreshold | int | `1` | | +| controller.readinessProbe.timeoutSeconds | int | `1` | | +| controller.resources | object | `{}` | | +| controller.runtimeClassName | string | `""` | | +| controller.securityContext.fsGroup | int | `65534` | | +| controller.securityContext.runAsNonRoot | bool | `true` | | +| controller.securityContext.runAsUser | int | `65534` | | +| controller.serviceAccount.annotations | object | `{}` | | +| controller.serviceAccount.create | bool | `true` | | +| controller.serviceAccount.name | string | `""` | | +| controller.strategy.type | string | `"RollingUpdate"` | | +| controller.tlsCipherSuites | string | `""` | | +| controller.tlsMinVersion | string | `"VersionTLS12"` | | +| controller.tolerations | list | `[]` | | +| crds.enabled | bool | `true` | | +| crds.validationFailurePolicy | string | `"Fail"` | | +| frrk8s.enabled | bool | `false` | | +| frrk8s.external | bool | `false` | | +| frrk8s.namespace | string | `""` | | +| fullnameOverride | string | `""` | | +| imagePullSecrets | list | `[]` | | +| loadBalancerClass | string | `""` | | +| nameOverride | string | `""` | | +| prometheus.controllerMetricsTLSSecret | string | `""` | | +| prometheus.metricsPort | int | `7472` | | +| prometheus.namespace | string | `""` | | +| prometheus.podMonitor.additionalLabels | object | `{}` | | +| prometheus.podMonitor.annotations | object | `{}` | | +| prometheus.podMonitor.enabled | bool | `false` | | +| prometheus.podMonitor.interval | string | `nil` | | +| 
prometheus.podMonitor.jobLabel | string | `"app.kubernetes.io/name"` | | +| prometheus.podMonitor.metricRelabelings | list | `[]` | | +| prometheus.podMonitor.relabelings | list | `[]` | | +| prometheus.prometheusRule.additionalLabels | object | `{}` | | +| prometheus.prometheusRule.addressPoolExhausted.enabled | bool | `true` | | +| prometheus.prometheusRule.addressPoolExhausted.labels.severity | string | `"alert"` | | +| prometheus.prometheusRule.addressPoolUsage.enabled | bool | `true` | | +| prometheus.prometheusRule.addressPoolUsage.thresholds[0].labels.severity | string | `"warning"` | | +| prometheus.prometheusRule.addressPoolUsage.thresholds[0].percent | int | `75` | | +| prometheus.prometheusRule.addressPoolUsage.thresholds[1].labels.severity | string | `"warning"` | | +| prometheus.prometheusRule.addressPoolUsage.thresholds[1].percent | int | `85` | | +| prometheus.prometheusRule.addressPoolUsage.thresholds[2].labels.severity | string | `"alert"` | | +| prometheus.prometheusRule.addressPoolUsage.thresholds[2].percent | int | `95` | | +| prometheus.prometheusRule.annotations | object | `{}` | | +| prometheus.prometheusRule.bgpSessionDown.enabled | bool | `true` | | +| prometheus.prometheusRule.bgpSessionDown.labels.severity | string | `"alert"` | | +| prometheus.prometheusRule.configNotLoaded.enabled | bool | `true` | | +| prometheus.prometheusRule.configNotLoaded.labels.severity | string | `"warning"` | | +| prometheus.prometheusRule.enabled | bool | `false` | | +| prometheus.prometheusRule.extraAlerts | list | `[]` | | +| prometheus.prometheusRule.staleConfig.enabled | bool | `true` | | +| prometheus.prometheusRule.staleConfig.labels.severity | string | `"warning"` | | +| prometheus.rbacPrometheus | bool | `true` | | +| prometheus.rbacProxy.pullPolicy | string | `nil` | | +| prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` | | +| prometheus.rbacProxy.tag | string | `"v0.12.0"` | | +| 
prometheus.scrapeAnnotations | bool | `false` | | +| prometheus.serviceAccount | string | `""` | | +| prometheus.serviceMonitor.controller.additionalLabels | object | `{}` | | +| prometheus.serviceMonitor.controller.annotations | object | `{}` | | +| prometheus.serviceMonitor.controller.tlsConfig.insecureSkipVerify | bool | `true` | | +| prometheus.serviceMonitor.enabled | bool | `false` | | +| prometheus.serviceMonitor.interval | string | `nil` | | +| prometheus.serviceMonitor.jobLabel | string | `"app.kubernetes.io/name"` | | +| prometheus.serviceMonitor.metricRelabelings | list | `[]` | | +| prometheus.serviceMonitor.relabelings | list | `[]` | | +| prometheus.serviceMonitor.speaker.additionalLabels | object | `{}` | | +| prometheus.serviceMonitor.speaker.annotations | object | `{}` | | +| prometheus.serviceMonitor.speaker.tlsConfig.insecureSkipVerify | bool | `true` | | +| prometheus.speakerMetricsTLSSecret | string | `""` | | +| rbac.create | bool | `true` | | +| speaker.affinity | object | `{}` | | +| speaker.enabled | bool | `true` | | +| speaker.excludeInterfaces.enabled | bool | `true` | | +| speaker.extraContainers | list | `[]` | | +| speaker.frr.enabled | bool | `true` | | +| speaker.frr.image.pullPolicy | string | `nil` | | +| speaker.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` | | +| speaker.frr.image.tag | string | `"8.4.2"` | | +| speaker.frr.metricsPort | int | `7473` | | +| speaker.frr.resources | object | `{}` | | +| speaker.frrMetrics.resources | object | `{}` | | +| speaker.ignoreExcludeLB | bool | `false` | | +| speaker.image.pullPolicy | string | `nil` | | +| speaker.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/metallb-speaker"` | | +| speaker.image.tag | string | `nil` | | +| speaker.labels | object | `{}` | | +| speaker.livenessProbe.enabled | bool | `true` | | +| speaker.livenessProbe.failureThreshold | int | `3` | | +| 
speaker.livenessProbe.initialDelaySeconds | int | `10` | | +| speaker.livenessProbe.periodSeconds | int | `10` | | +| speaker.livenessProbe.successThreshold | int | `1` | | +| speaker.livenessProbe.timeoutSeconds | int | `1` | | +| speaker.logLevel | string | `"info"` | Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` | +| speaker.memberlist.enabled | bool | `true` | | +| speaker.memberlist.mlBindAddrOverride | string | `""` | | +| speaker.memberlist.mlBindPort | int | `7946` | | +| speaker.memberlist.mlSecretKeyPath | string | `"/etc/ml_secret_key"` | | +| speaker.nodeSelector | object | `{}` | | +| speaker.podAnnotations | object | `{}` | | +| speaker.priorityClassName | string | `""` | | +| speaker.readinessProbe.enabled | bool | `true` | | +| speaker.readinessProbe.failureThreshold | int | `3` | | +| speaker.readinessProbe.initialDelaySeconds | int | `10` | | +| speaker.readinessProbe.periodSeconds | int | `10` | | +| speaker.readinessProbe.successThreshold | int | `1` | | +| speaker.readinessProbe.timeoutSeconds | int | `1` | | +| speaker.reloader.resources | object | `{}` | | +| speaker.resources | object | `{}` | | +| speaker.runtimeClassName | string | `""` | | +| speaker.securityContext | object | `{}` | | +| speaker.serviceAccount.annotations | object | `{}` | | +| speaker.serviceAccount.create | bool | `true` | | +| speaker.serviceAccount.name | string | `""` | | +| speaker.startupProbe.enabled | bool | `true` | | +| speaker.startupProbe.failureThreshold | int | `30` | | +| speaker.startupProbe.periodSeconds | int | `5` | | +| speaker.tolerateMaster | bool | `true` | | +| speaker.tolerations | list | `[]` | | +| speaker.updateStrategy.type | string | `"RollingUpdate"` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) 
diff --git a/metallb-chart/_service b/metallb-chart/_service new file mode 100644 index 0000000..c3f6878 --- /dev/null +++ b/metallb-chart/_service @@ -0,0 +1,15 @@ + + + + values.yaml + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo) + IMG_REPO + + + Chart.yaml + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + + diff --git a/metallb-chart/charts.obscpio b/metallb-chart/charts.obscpio new file mode 100644 index 0000000..abb1383 Binary files /dev/null and b/metallb-chart/charts.obscpio differ diff --git a/metallb-chart/policy.obscpio b/metallb-chart/policy.obscpio new file mode 100644 index 0000000..09b648f Binary files /dev/null and b/metallb-chart/policy.obscpio differ diff --git a/metallb-chart/templates.obscpio b/metallb-chart/templates.obscpio new file mode 100644 index 0000000..9d21bff Binary files /dev/null and b/metallb-chart/templates.obscpio differ diff --git a/metallb-chart/values.schema.json b/metallb-chart/values.schema.json new file mode 100644 index 0000000..5015d56 --- /dev/null +++ b/metallb-chart/values.schema.json 
@@ -0,0 +1,448 @@ +{ + "$schema": "https://json-schema.org/draft-07/schema#", + "title": "Values", + "type": "object", + "definitions": { + "prometheusAlert": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "labels": { + "type": "object", + "additionalProperties": { "type": "string" } + } + }, + "required": [ "enabled" ] + }, + "probe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "required": [ + "failureThreshold", + "initialDelaySeconds", + "periodSeconds", + "successThreshold", + "timeoutSeconds" + ] + }, + "component": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "logLevel": { + "type": "string", + "enum": [ "all", "debug", "info", "warn", "error", "none" ] + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "anyOf": [ + { "type": "string" }, + { "type": "null" } + ] + }, + "pullPolicy": { + "anyOf": [ + { + "type": "null" + }, + { + "type": "string", + "enum": [ "Always", "IfNotPresent", "Never" ] + } + ] + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "annotations": { + "type": "object" + } + } + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "type": "object" + }, + "tolerations": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type":"string" + }, + "runtimeClassName": { + "type":"string" + }, + "affinity": { + "type": "object" + }, + "podAnnotations": { + "type": "object" + }, + "livenessProbe": { + "$ref": "#/definitions/probe" + }, + "readinessProbe": { + "$ref": "#/definitions/probe" + } + 
}, + "required": [ + "image", + "serviceAccount" + ] + } + }, + "properties": { + "imagePullSecrets": { + "description": "Secrets used for pulling images", + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + }, + "required": [ "name" ], + "additionalProperties": false + } + }, + "nameOverride": { + "description": "Override chart name", + "type": "string" + }, + "fullNameOverride": { + "description": "Override fully qualified app name", + "type": "string" + }, + "configInLine": { + "description": "MetalLB configuration", + "type": "object" + }, + "loadBalancerClass": { + "type":"string" + }, + "rbac": { + "description": "RBAC configuration", + "type": "object", + "properties": { + "create": { + "description": "Enable RBAC", + "type": "boolean" + } + } + }, + "prometheus": { + "description": "Prometheus monitoring config", + "type": "object", + "properties": { + "scrapeAnnotations": { "type": "boolean" }, + "metricsPort": { "type": "integer" }, + "secureMetricsPort": { "type": "integer" }, + "rbacPrometheus": { "type": "boolean" }, + "serviceAccount": { "type": "string" }, + "namespace": { "type": "string" }, + "rbacProxy": { + "description": "kube-rbac-proxy configuration", + "type": "object", + "properties": { + "repository": { "type": "string" }, + "tag": { "type": "string" } + } + }, + "podMonitor": { + "description": "Prometheus Operator PodMonitors", + "type": "object", + "properties": { + "enabled": { "type": "boolean" }, + "additionalMonitors": { "type": "object" }, + "jobLabel": { "type": "string" }, + "interval": { + "anyOf": [ + { "type": "integer" }, + { "type": "null" } + ] + }, + "metricRelabelings": { + "type": "array", + "items": { + "type": "object" + } + }, + "relabelings": { + "type": "array", + "items": { + "type": "object" + } + } + } + }, + "serviceMonitor": { + "description": "Prometheus Operator ServiceMonitors", + "type": "object", + "properties": { + "enabled": { "type": "boolean" }, + 
"jobLabel": { "type": "string" }, + "interval": { + "anyOf": [ + { "type": "integer" }, + { "type": "null" } + ] + }, + "metricRelabelings": { + "type": "array", + "items": { + "type": "object" + } + }, + "relabelings": { + "type": "array", + "items": { + "type": "object" + } + } + } + }, + "prometheusRule": { + "description": "Prometheus Operator alertmanager alerts", + "type": "object", + "properties": { + "enabled": { "type": "boolean" }, + "additionalMonitors": { "type": "object" }, + "staleConfig": { "$ref": "#/definitions/prometheusAlert" }, + "configNotLoaded": { "$ref": "#/definitions/prometheusAlert" }, + "addressPoolExhausted": { "$ref": "#/definitions/prometheusAlert" }, + "addressPoolUsage": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "thresholds": { + "type": "array", + "items": { + "type": "object", + "properties": { + "percent": { + "type": "integer", + "minimum": 0, + "maximum": 100 + }, + "labels": { + "type": "object", + "additionalProperties": { "type": "string" } + } + }, + "required": [ "percent" ] + } + } + }, + "required": [ "enabled" ] + }, + "bgpSessionDown": { "$ref": "#/definitions/prometheusAlert" }, + "extraAlerts": { + "type": "array", + "items": { + "type": "object" + } + } + }, + "required": [ + "enabled", + "staleConfig", + "configNotLoaded", + "addressPoolExhausted", + "addressPoolUsage", + "bgpSessionDown" + ] + } + }, + "required": [ "podMonitor", "prometheusRule" ] + }, + "controller": { + "allOf": [ + { "$ref": "#/definitions/component" }, + { "description": "MetalLB Controller", + "type": "object", + "properties": { + "strategy": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + }, + "required": [ "type" ] + }, + "command" : { + "type": "string" + }, + "webhookMode" : { + "type": "string" + }, + "extraContainers": { + "type": "array", + "items": { + "type": "object" + } + } + } + } + ] + }, + "speaker": { + "allOf": [ + { "$ref": "#/definitions/component" }, + { 
"description": "MetalLB Speaker", + "type": "object", + "properties": { + "tolerateMaster": { + "type": "boolean" + }, + "memberlist": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "mlBindPort": { + "type": "integer" + }, + "mlBindAddrOverride": { + "type": "string" + }, + "mlSecretKeyPath": { + "type": "string" + } + } + }, + "excludeInterfaces": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "ignoreExcludeLB": { + "type": "boolean" + }, + "updateStrategy": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + }, + "required": [ "type" ] + }, + "runtimeClassName": { + "type": "string" + }, + "securityContext": { + "type": "object" + }, + "secretName": { + "type": "string" + }, + "frr": { + "description": "Install FRR container in speaker deployment", + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "image": { "$ref": "#/definitions/component/properties/image" }, + "metricsPort": { "type": "integer" }, + "secureMetricsPort": { "type": "integer" }, + "resources:": { "type": "object" } + }, + "required": [ "enabled" ] + }, + "command" : { + "type": "string" + }, + "reloader": { + "type": "object", + "properties": { + "resources": { "type": "object" } + } + }, + "frrMetrics": { + "type": "object", + "properties": { + "resources": { "type": "object" } + } + }, + "extraContainers": { + "type": "array", + "items": { + "type": "object" + } + } + }, + "required": [ "tolerateMaster" ] + } + ] + }, + "crds": { + "description": "CRD configuration", + "type": "object", + "properties": { + "enabled": { + "description": "Enable CRDs", + "type": "boolean" + }, + "validationFailurePolicy": { + "description": "Failure policy to use with validating webhooks", + "type": "string", + "enum": [ "Ignore", "Fail" ] + } + } + } + }, + "required": [ + "controller", + "speaker" + ] +} 
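Review bot: The schema declares `fullNameOverride`, but the chart's `values.yaml` (and its README) use the key `fullnameOverride`, so that field is never validated; because the top level does not set `additionalProperties: false`, the mismatch is silent. Under `speaker.frr.properties` the key `"resources:"` carries a stray colon and likewise never matches `speaker.frr.resources`. Renaming both, `"fullnameOverride": {` and `"resources": { "type": "object" }`, makes the schema guard the values it is written for. `prometheus.rbacProxy.properties` also omits `pullPolicy`, which `values.yaml` sets; adding `"pullPolicy": { "type": "string" }` next to `repository` and `tag` closes that gap.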
diff --git a/metallb-chart/values.yaml b/metallb-chart/values.yaml new file mode 100644 index 0000000..49bd819 --- /dev/null +++ b/metallb-chart/values.yaml 
@@ -0,0 +1,380 @@ +# Default values for metallb. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" +# MetalLB supports LoadBalancerClass, which allows multiple load balancer implementations to co-exist. +# In order to set the loadbalancer class MetalLB should be listening for, the --lb-class= +# parameter must be provided to both the speaker and the controller. +loadBalancerClass: "" + +# To configure MetalLB, you must specify ONE of the following two +# options. + +rbac: + # create specifies whether to install and use RBAC rules. + create: true + +prometheus: + # scrape annotations specifies whether to add Prometheus metric + # auto-collection annotations to pods. See + # https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml + # for a corresponding Prometheus configuration. Alternatively, you + # may want to use the Prometheus Operator + # (https://github.com/coreos/prometheus-operator) for more powerful + # monitoring configuration. If you use the Prometheus operator, this + # can be left at false. + scrapeAnnotations: false + + # port both controller and speaker will listen on for metrics + metricsPort: 7472 + + # if set, enables rbac proxy on the controller and speaker to expose + # the metrics via tls. + # secureMetricsPort: 9120 + + # the name of the secret to be mounted in the speaker pod + # to expose the metrics securely. If not present, a self signed + # certificate to be used. + speakerMetricsTLSSecret: "" + + # the name of the secret to be mounted in the controller pod + # to expose the metrics securely. If not present, a self signed + # certificate to be used. 
+ controllerMetricsTLSSecret: "" + + # prometheus doens't have the permission to scrape all namespaces so we give it permission to scrape metallb's one + rbacPrometheus: true + + # the service account used by prometheus + # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true " + serviceAccount: "" + + # the namespace where prometheus is deployed + # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true " + namespace: "" + + # the image to be used for the kuberbacproxy container + rbacProxy: + repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy" + tag: "v0.18.0" + pullPolicy: IfNotPresent + + # Prometheus Operator PodMonitors + podMonitor: + # enable support for Prometheus Operator + enabled: false + + # optional additionnal labels for podMonitors + additionalLabels: {} + + # optional annotations for podMonitors + annotations: {} + + # Job label for scrape target + jobLabel: "app.kubernetes.io/name" + + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: + + # metric relabel configs to apply to samples before ingestion. + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # relabel configs to apply to samples before ingestion. + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # target_label: nodename + # replacement: $1 + # action: replace + + # Prometheus Operator ServiceMonitors. To be used as an alternative + # to podMonitor, supports secure metrics. 
+ serviceMonitor: + # enable support for Prometheus Operator + enabled: false + + speaker: + # optional additional labels for the speaker serviceMonitor + additionalLabels: {} + # optional additional annotations for the speaker serviceMonitor + annotations: {} + # optional tls configuration for the speaker serviceMonitor, in case + # secure metrics are enabled. + tlsConfig: + insecureSkipVerify: true + + controller: + # optional additional labels for the controller serviceMonitor + additionalLabels: {} + # optional additional annotations for the controller serviceMonitor + annotations: {} + # optional tls configuration for the controller serviceMonitor, in case + # secure metrics are enabled. + tlsConfig: + insecureSkipVerify: true + + # Job label for scrape target + jobLabel: "app.kubernetes.io/name" + + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: + + # metric relabel configs to apply to samples before ingestion. + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # relabel configs to apply to samples before ingestion. 
+ relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # target_label: nodename + # replacement: $1 + # action: replace + + # Prometheus Operator alertmanager alerts + prometheusRule: + # enable alertmanager alerts + enabled: false + + # optional additionnal labels for prometheusRules + additionalLabels: {} + + # optional annotations for prometheusRules + annotations: {} + + # MetalLBStaleConfig + staleConfig: + enabled: true + labels: + severity: warning + + # MetalLBConfigNotLoaded + configNotLoaded: + enabled: true + labels: + severity: warning + + # MetalLBAddressPoolExhausted + addressPoolExhausted: + enabled: true + labels: + severity: alert + + addressPoolUsage: + enabled: true + thresholds: + - percent: 75 + labels: + severity: warning + - percent: 85 + labels: + severity: warning + - percent: 95 + labels: + severity: alert + + # MetalLBBGPSessionDown + bgpSessionDown: + enabled: true + labels: + severity: alert + + extraAlerts: [] + +# controller contains configuration specific to the MetalLB cluster +# controller. +controller: + enabled: true + # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` + logLevel: info + # command: /controller + # webhookMode: enabled + image: + repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller" + tag: "v0.14.8" + pullPolicy: IfNotPresent + ## @param controller.updateStrategy.type Metallb controller deployment strategy type. + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## e.g: + ## strategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + strategy: + type: RollingUpdate + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
If not set and create is + # true, a name is generated using the fullname template + name: "" + annotations: {} + securityContext: + runAsNonRoot: true + # nobody + runAsUser: 65534 + fsGroup: 65534 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + nodeSelector: {} + tolerations: [] + priorityClassName: "" + runtimeClassName: "" + affinity: {} + podAnnotations: {} + labels: {} + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + tlsMinVersion: "VersionTLS12" + tlsCipherSuites: "" + + extraContainers: [] + +# speaker contains configuration specific to the MetalLB speaker +# daemonset. +speaker: + enabled: true + # command: /speaker + # -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` + logLevel: info + tolerateMaster: true + memberlist: + enabled: true + mlBindPort: 7946 + mlBindAddrOverride: "" + mlSecretKeyPath: "/etc/ml_secret_key" + excludeInterfaces: + enabled: true + # ignore the exclude-from-external-loadbalancer label + ignoreExcludeLB: false + + image: + repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker" + tag: "v0.14.8" + pullPolicy: IfNotPresent + ## @param speaker.updateStrategy.type Speaker daemonset strategy type + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
If not set and create is + # true, a name is generated using the fullname template + name: "" + annotations: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + ## Defines a secret name for the controller to generate a memberlist encryption secret + ## By default secretName: {{ "metallb.fullname" }}-memberlist + ## + # secretName: + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + nodeSelector: {} + tolerations: [] + priorityClassName: "" + affinity: {} + ## Selects which runtime class will be used by the pod. + runtimeClassName: "" + podAnnotations: {} + labels: {} + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + enabled: true + failureThreshold: 30 + periodSeconds: 5 + # frr contains configuration specific to the MetalLB FRR container, + # for speaker running alongside FRR. + frr: + enabled: false + image: + repository: "%%IMG_REPO%%/%%IMG_PREFIX%%frr" + tag: "8.4" + pullPolicy: IfNotPresent + metricsPort: 7473 + resources: {} + + # if set, enables a rbac proxy sidecar container on the speaker to + # expose the frr metrics via tls. + # secureMetricsPort: 9121 + + + reloader: + resources: {} + + frrMetrics: + resources: {} + + extraContainers: [] + +crds: + enabled: true + validationFailurePolicy: Fail + +# frrk8s contains the configuration related to using an frrk8s instance +# (github.com/metallb/frr-k8s) as the backend for the BGP implementation. +# This allows configuring additional frr parameters in combination to those +# applied by MetalLB. +frrk8s: + # if set, enables frrk8s as a backend. This is mutually exclusive to frr + # mode. + enabled: false + external: false + namespace: "" 
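Review bot: The `serviceMonitor.speaker.tlsConfig` and `serviceMonitor.controller.tlsConfig` blocks default to `insecureSkipVerify: true`, which disables server-certificate verification for the secure metrics scrape even when `speakerMetricsTLSSecret` / `controllerMetricsTLSSecret` supply a CA-issued certificate. The self-signed fallback described in the comments explains the default, but the trade-off is not documented next to the setting; add a comment above each `tlsConfig` such as `# true because the fallback serving cert is self-signed; set to false and configure a CA when a trusted cert is mounted via *MetricsTLSSecret`. Separately, `controller.securityContext` sets `runAsNonRoot: true` and `runAsUser: 65534` while `speaker.securityContext` only drops capabilities and sets a seccomp profile; if the speaker genuinely needs root for its network access, a one-line comment saying so would stop reviewers from treating the asymmetry as an omission.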
diff --git a/metallb-controller-image/Dockerfile b/metallb-controller-image/Dockerfile
new file mode 100644
index 0000000..ea68c61
--- /dev/null
+++ b/metallb-controller-image/Dockerfile
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%
+#!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE%
+#!BuildVersion: 15.6
+ARG SLE_VERSION
+FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
+
+FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
+COPY --from=micro / /installroot/
+RUN zypper --installroot /installroot --non-interactive install --no-recommends metallb-controller-0148; zypper -n clean; rm -rf /var/log/*
+
+FROM micro AS final
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.metallb
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE Metallb Controller Container Image"
+LABEL org.opencontainers.image.description="metallb-controller based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%%metallb-controller_version%%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="l3"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+COPY --from=base /installroot /
+ENTRYPOINT ["/controller"]
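Review bot: The `RUN` in the base stage chains `zypper ... install`, `zypper -n clean` and `rm -rf /var/log/*` with `;`, so a failed package install does not fail the build and the final stage still runs `COPY --from=base /installroot /` with the binary missing; use `&&` instead: `RUN zypper --installroot /installroot --non-interactive install --no-recommends metallb-controller-0148 && zypper -n clean && rm -rf /var/log/*`. The final stage also ends as root with no `USER` directive; the chart's `controller.securityContext` sets `runAsNonRoot` and a numeric `runAsUser`, but declaring the user in the image would make that independent of the deployment manifest. The same two points apply to the metallb-speaker-image/Dockerfile hunk below, with the caveat that the speaker may need capabilities that a plain `USER` switch would have to account for.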
diff --git a/metallb-controller-image/_service b/metallb-controller-image/_service new file mode 100644 index 0000000..875cb5b --- /dev/null +++ b/metallb-controller-image/_service @@ -0,0 +1,17 @@ + + + + + Dockerfile + %%metallb-controller_version%% + metallb-controller-0148 + patch + + + Dockerfile + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo) + IMG_REPO + + \ No newline at end of file diff --git a/metallb-speaker-image/Dockerfile b/metallb-speaker-image/Dockerfile new file mode 100644 index 0000000..dc0a055 --- /dev/null +++ b/metallb-speaker-image/Dockerfile 
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%
+#!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE%
+#!BuildVersion: 15.6
+ARG SLE_VERSION
+FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
+
+FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
+COPY --from=micro / /installroot/
+RUN zypper --installroot /installroot --non-interactive install --no-recommends metallb-speaker-0148; zypper -n clean; rm -rf /var/log/*
+
+FROM micro AS final
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.metallb
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE Metallb Speaker Container Image"
+LABEL org.opencontainers.image.description="metallb-speaker based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%%metallb-speaker_version%%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="l3"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+COPY --from=base /installroot /
+ENTRYPOINT ["/speaker"]
diff --git a/metallb-speaker-image/_service b/metallb-speaker-image/_service
new file mode 100644
index 0000000..d136914
--- /dev/null
+++ b/metallb-speaker-image/_service
@@ -0,0 +1,17 @@ + + + + + Dockerfile + %%metallb-speaker_version%% + metallb-speaker-0148 + patch + + + Dockerfile + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo) + IMG_REPO + + \ No newline at end of file diff --git a/sriov-crd-chart/Chart.yaml b/sriov-crd-chart/Chart.yaml new file mode 100644 index 0000000..5953b18 --- /dev/null +++ b/sriov-crd-chart/Chart.yaml @@ -0,0 +1,13 @@ +#!BuildTag: %%IMG_PREFIX%%sriov-crd-chart:1.3.0-%RELEASE% +#!BuildTag: %%IMG_PREFIX%%sriov-crd-chart:1.3.0 +annotations: + catalog.cattle.io/experimental: "true" + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/permits-os: linux + catalog.cattle.io/release-name: sriov-crd +apiVersion: v2 +description: Installs the CRDs for the SR-IOV operator +name: sriov-crd +type: application +version: 1.3.0 diff --git a/sriov-crd-chart/_service b/sriov-crd-chart/_service new file mode 100644 index 0000000..6b8f891 --- /dev/null +++ b/sriov-crd-chart/_service @@ -0,0 +1,8 @@ + + + + Chart.yaml + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + + diff --git a/sriov-crd-chart/templates.obscpio b/sriov-crd-chart/templates.obscpio new file mode 100644 index 0000000..3995b9f Binary files /dev/null and b/sriov-crd-chart/templates.obscpio differ diff --git a/sriov-network-operator-chart/Chart.yaml b/sriov-network-operator-chart/Chart.yaml new file mode 100644 index 0000000..538f7e3 --- /dev/null +++ b/sriov-network-operator-chart/Chart.yaml 
@@ -0,0 +1,28 @@ +#!BuildTag: %%IMG_PREFIX%%sriov-network-operator-chart:1.3.0-%RELEASE% +#!BuildTag: %%IMG_PREFIX%%sriov-network-operator-chart:1.3.0 +annotations: + catalog.cattle.io/auto-install: sriov-crd=match + catalog.cattle.io/experimental: "true" + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/upstream-version: 1.3.0 +apiVersion: v2 +appVersion: v1.3.0 +dependencies: +- condition: sriov-nfd.enabled + name: sriov-nfd + repository: file://./charts/sriov-nfd + version: 0.15.6 +description: SR-IOV network operator configures and manages SR-IOV networks in the + kubernetes cluster +home: https://github.com/k8snetworkplumbingwg/sriov-network-operator +icon: https://charts.rancher.io/assets/logos/sr-iov.svg +keywords: +- sriov +kubeVersion: '>= 1.16.0-0' +name: sriov-network-operator +sources: +- https://github.com/k8snetworkplumbingwg/sriov-network-operator +type: application +version: 1.3.0 diff --git a/sriov-network-operator-chart/README.md b/sriov-network-operator-chart/README.md new file mode 100644 index 0000000..86b0519 --- /dev/null +++ b/sriov-network-operator-chart/README.md 
@@ -0,0 +1,130 @@ +# SR-IOV Network Operator Helm Chart + +SR-IOV Network Operator Helm Chart provides an easy way to install, configure and manage +the lifecycle of SR-IOV network operator. + +## SR-IOV Network Operator +SR-IOV Network Operator leverages [Kubernetes CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) +and [Operator SDK](https://github.com/operator-framework/operator-sdk) to configure and manage SR-IOV networks in a Kubernetes cluster. + +SR-IOV Network Operator features: +- Initialize the supported SR-IOV NIC types on selected nodes. +- Provision/upgrade SR-IOV device plugin executable on selected node. +- Provision/upgrade SR-IOV CNI plugin executable on selected nodes. +- Manage configuration of SR-IOV device plugin on host. +- Generate net-att-def CRs for SR-IOV CNI plugin +- Supports operation in a virtualized Kubernetes deployment + - Discovers VFs attached to the Virtual Machine (VM) + - Does not require attached of associated PFs + - VFs can be associated to SriovNetworks by selecting the appropriate PciAddress as the RootDevice in the SriovNetworkNodePolicy + +## QuickStart + +### Prerequisites + +- Kubernetes v1.17+ +- Helm v3 + +### Install Helm + +Helm provides an install script to copy helm binary to your system: +``` +$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 +$ chmod 500 get_helm.sh +$ ./get_helm.sh +``` + +For additional information and methods for installing Helm, refer to the official [helm website](https://helm.sh/) + +### Deploy SR-IOV Network Operator + +``` +# Install Operator +$ helm install -n sriov-network-operator --create-namespace --wait sriov-network-operator ./ + +# View deployed resources +$ kubectl -n sriov-network-operator get pods +``` + +In the case that [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) is enabled, the sriov network operator namespace will require a security 
level of 'privileged' +``` +$ kubectl label ns sriov-network-operator pod-security.kubernetes.io/enforce=privileged +``` + +## Chart parameters + +In order to tailor the deployment of the network operator to your cluster needs +We have introduced the following Chart parameters. + +| Name | Type | Default | description | +| ---- |------|---------|-------------| +| `imagePullSecrets` | list | `[]` | An optional list of references to secrets to use for pulling any of the SR-IOV Network Operator image | +| `supportedExtraNICs` | list | `[]` | An optional list of whitelisted NICs | + +### Operator parameters + +| Name | Type | Default | description | +| ---- | ---- | ------- | ----------- | +| `operator.tolerations` | list | `[{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"},{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoSchedule"}]` | Operator's tolerations | +| `operator.nodeSelector` | object | {} | Operator's node selector | +| `operator.affinity` | object | `{"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/master","operator":"In","values":[""]}]}},{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/control-plane","operator":"In","values":[""]}]}}]}}` | Operator's afffinity configuration | +| `operator.nameOverride` | string | `` | Operator's resource name override | +| `operator.fullnameOverride` | string | `` | Operator's resource full name override | +| `operator.resourcePrefix` | string | `openshift.io` | Device plugin resource prefix | +| `operator.cniBinPath` | string | `/opt/cni/bin` | Path for CNI binary | +| `operator.clustertype` | string | `kubernetes` | Cluster environment type | + +#### Admission Controllers parameters + +The admission controllers can be enabled by switching on a single parameter `operator.admissionControllers.enabled`. 
By +default, the user needs to pre-create Kubernetes Secrets that match the names provided in +`operator.admissionControllers.certificates.secretNames`. The secrets should have 3 fields populated with the relevant +content: +* `ca.crt` (value needs to be base64 encoded twice) +* `tls.crt` +* `tls.key` + +Aside from the aforementioned mode, the chart supports 3 more modes for certificate consumption by the admission +controllers, which can be found in the table below. In a nutshell, the modes that are supported are: +* Consume pre-created Certificates managed by cert-manager +* Generate self signed Certificates managed by cert-manager +* Specify the content of the certificates as Helm values + +| Name | Type | Default | description | +| ---- | ---- | ------- | ----------- | +| `operator.admissionControllers.enabled` | bool | false | Flag that switches on the admission controllers | +| `operator.admissionControllers.certificates.secretNames.operator` | string | `operator-webhook-cert` | Secret that stores the certificate for the Operator's admission controller | +| `operator.admissionControllers.certificates.secretNames.injector` | string | `network-resources-injector-cert` | Secret that stores the certificate for the Network Resources Injector's admission controller | +| `operator.admissionControllers.certificates.certManager.enabled` | bool | false | Flag that switches on consumption of certificates managed by cert-manager | +| `operator.admissionControllers.certificates.certManager.generateSelfSigned` | bool | false | Flag that switches on generation of self signed certificates managed by cert-manager. 
The secrets in which the certificates are stored will have the names provided in `operator.admissionControllers.certificates.secretNames` | +| `operator.admissionControllers.certificates.custom.enabled` | bool | false | Flag that switches on consumption of user provided certificates that are part of `operator.admissionControllers.certificates.custom.operator` and `operator.admissionControllers.certificates.custom.injector` objects | +| `operator.admissionControllers.certificates.custom.operator.caCrt` | string | `` | The CA certificate to be used by the Operator's admission controller | +| `operator.admissionControllers.certificates.custom.operator.tlsCrt` | string | `` | The public part of the certificate to be used by the Operator's admission controller | +| `operator.admissionControllers.certificates.custom.operator.tlsKey` | string | `` | The private part of the certificate to be used by the Operator's admission controller | +| `operator.admissionControllers.certificates.custom.injector.caCrt` | string | `` | The CA certificate to be used by the Network Resources Injector's admission controller | +| `operator.admissionControllers.certificates.custom.injector.tlsCrt` | string | `` | The public part of the certificate to be used by the Network Resources Injector's admission controller | +| `operator.admissionControllers.certificates.custom.injector.tlsKey` | string | `` | The private part of the certificate to be used by the Network Resources Injector's admission controller | + +### SR-IOV Operator Configuration Parameters + +This section contains general parameters that apply to both the operator and daemon componets of SR-IOV Network Operator. 
+ +| Name | Type | Default | description | +| ---- | ---- | ------- | ----------- | +| `sriovOperatorConfig.deploy` | bool | `false` | deploy SriovOperatorConfig custom resource | +| `sriovOperatorConfig.configDaemonNodeSelector` | map[string]string | `{}` | node slectors for sriov-network-config-daemon | +| `sriovOperatorConfig.logLevel` | int | `2` | log level for both operator and sriov-network-config-daemon | +| `sriovOperatorConfig.disableDrain` | bool | `false` | disable node draining when configuring SR-IOV, set to true in case of a single node cluster or any other justifiable reason | +| `sriovOperatorConfig.configurationMode` | string | `daemon` | sriov-network-config-daemon configuration mode. either `daemon` or `systemd` | + +### Images parameters + +| Name | description | +| ---- | ----------- | +| `images.operator` | Operator controller image | +| `images.sriovConfigDaemon` | Daemon node agent image | +| `images.sriovCni` | SR-IOV CNI image | +| `images.ibSriovCni` | InfiniBand SR-IOV CNI image | +| `images.sriovDevicePlugin` | SR-IOV device plugin image | +| `images.resourcesInjector` | Resources Injector image | +| `images.webhook` | Operator Webhook image | diff --git a/sriov-network-operator-chart/_service b/sriov-network-operator-chart/_service new file mode 100644 index 0000000..6b8f891 --- /dev/null +++ b/sriov-network-operator-chart/_service @@ -0,0 +1,8 @@ + + + + Chart.yaml + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + + diff --git a/sriov-network-operator-chart/app-README.md b/sriov-network-operator-chart/app-README.md new file mode 100644 index 0000000..7dcf664 --- /dev/null +++ b/sriov-network-operator-chart/app-README.md 
@@ -0,0 +1,13 @@ +# Rancher SR-IOV Network Operator + +This chart is based on the upstream [k8snetworkplumbingwg/sriov-network-operator](https://github.com/k8snetworkplumbingwg/sriov-network-operator) project. The chart deploys the SR-IOV Operator and its CRDs, which are designed to help the user provision and configure the SR-IOV CNI in a cluster that uses [Multus CNI](https://github.com/k8snetworkplumbingwg/multus-cni), to provide high performing extra network interfaces to pods. This chart is expected to be deployed on an RKE2 cluster and only meant for advanced use cases where multiple CNI plugins and high performing network interfaces on pods are required. Users who do not need these features are not advised to install this chart. + +The chart installs the following components: + + - SR-IOV Operator - An operator that helps provision and configure the SR-IOV CNI plugin and SR-IOV Device plugin + - SR-IOV Network Config Daemon - A Daemon deployed by the Operator that discovers SR-IOV NICs on each node + +Note that SR-IOV requires NICs that support SR-IOV and the activation of specific configuration options in the operating system. Nodes that fulfill these requirements should be labeled with: `feature.node.kubernetes.io/network-sriov.capable=true`. + +The SR-IOV Network Config Daemon will be deployed on such capable nodes. For more information on how to use this feature, refer to our RKE2 networking docs. + diff --git a/sriov-network-operator-chart/charts.obscpio b/sriov-network-operator-chart/charts.obscpio new file mode 100644 index 0000000..829a2b4 Binary files /dev/null and b/sriov-network-operator-chart/charts.obscpio differ diff --git a/sriov-network-operator-chart/templates.obscpio b/sriov-network-operator-chart/templates.obscpio new file mode 100644 index 0000000..036de0b Binary files /dev/null and b/sriov-network-operator-chart/templates.obscpio differ 
diff --git a/sriov-network-operator-chart/values.yaml b/sriov-network-operator-chart/values.yaml
new file mode 100644
index 0000000..9d6c741
--- /dev/null
+++ b/sriov-network-operator-chart/values.yaml
@@ -0,0 +1,124 @@ +operator: + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - effect: NoExecute + key: node-role.kubernetes.io/etcd + operator: Exists + nodeSelector: {} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: "node-role.kubernetes.io/master" + operator: In + values: [""] + - weight: 1 + preference: + matchExpressions: + - key: "node-role.kubernetes.io/control-plane" + operator: In + values: [""] + nameOverride: "" + fullnameOverride: "" + resourcePrefix: "rancher.io" + cniBinPath: "/opt/cni/bin" + clusterType: "kubernetes" + admissionControllers: + enabled: false + certificates: + secretNames: + operator: "operator-webhook-cert" + injector: "network-resources-injector-cert" + certManager: + # When enabled, makes use of certificates managed by cert-manager. + enabled: false + # When enabled, certificates are generated via cert-manager and then name will match the name of the secrets + # defined above + generateSelfSigned: false + # If not specified, no secret is created and secrets with the names defined above are expected to exist in the + # cluster. In that case, the ca.crt must be base64 encoded twice since it ends up being an env variable. + custom: + enabled: false + # operator: + # caCrt: | + # -----BEGIN CERTIFICATE----- + # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G + # ... + # -----END CERTIFICATE----- + # tlsCrt: | + # -----BEGIN CERTIFICATE----- + # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G + # ... + # -----END CERTIFICATE----- + # tlsKey: | + # -----BEGIN EC PRIVATE KEY----- + # MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo= + # ... 
+ # -----END EC PRIVATE KEY----- + # injector: + # caCrt: | + # -----BEGIN CERTIFICATE----- + # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G + # ... + # -----END CERTIFICATE----- + # tlsCrt: | + # -----BEGIN CERTIFICATE----- + # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G + # ... + # -----END CERTIFICATE----- + # tlsKey: | + # -----BEGIN EC PRIVATE KEY----- + # MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo= + # ... + # -----END EC PRIVATE KEY----- +sriovOperatorConfig: + # deploy sriovOperatorConfig CR with the below values + deploy: true + # node slectors for sriov-network-config-daemon + configDaemonNodeSelector: {feature.node.kubernetes.io/network-sriov.capable: 'true'} + # log level for both operator and sriov-network-config-daemon + logLevel: 2 + # disable node draining when configuring SR-IOV, set to true in case of a single node + # cluster or any other justifiable reason + disableDrain: false + # sriov-network-config-daemon configuration mode. 
either "daemon" or "systemd" + configurationMode: daemon +# Example for supportedExtraNICs values ['MyNIC: "8086 1521 1520"'] +supportedExtraNICs: [] +# Image URIs for sriov-network-operator components +images: + operator: + repository: rancher/hardened-sriov-network-operator + tag: v1.3.0-build20240816 + sriovConfigDaemon: + repository: rancher/hardened-sriov-network-config-daemon + tag: v1.3.0-build20240816 + sriovCni: + repository: rancher/hardened-sriov-cni + tag: v2.8.1-build20240820 + ibSriovCni: + repository: rancher/hardened-ib-sriov-cni + tag: v1.1.1-build20240816 + sriovDevicePlugin: + repository: rancher/hardened-sriov-network-device-plugin + tag: v3.7.0-build20240816 + resourcesInjector: + repository: rancher/hardened-sriov-network-resources-injector + tag: v1.6.0-build20240816 + webhook: + repository: rancher/hardened-sriov-network-webhook + tag: v1.3.0-build20240816 +imagePullSecrets: [] +global: + cattle: + systemDefaultRegistry: "" + rbac: + userRoles: + aggregateToDefaultRoles: false diff --git a/upgrade-controller-chart/Chart.yaml b/upgrade-controller-chart/Chart.yaml new file mode 100644 index 0000000..380b36e --- /dev/null +++ b/upgrade-controller-chart/Chart.yaml @@ -0,0 +1,13 @@ +#!BuildTag: %%IMG_PREFIX%%upgrade-controller-chart:0.1.0 +#!BuildTag: %%IMG_PREFIX%%upgrade-controller-chart:0.1.0-%RELEASE% +apiVersion: v2 +appVersion: 0.1.0 +dependencies: +- condition: crds.enabled + name: lifecycle-crds + repository: file://./charts/lifecycle-crds + version: 0.1.0 +description: A Helm chart for Upgrade Controller +name: upgrade-controller +type: application +version: 0.1.0 diff --git a/upgrade-controller-chart/_service b/upgrade-controller-chart/_service new file mode 100644 index 0000000..3cd1d17 --- /dev/null +++ b/upgrade-controller-chart/_service 
@@ -0,0 +1,16 @@ + + + + values.yaml + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo) + IMG_REPO + + + Chart.yaml + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + + + diff --git a/upgrade-controller-chart/charts.obscpio b/upgrade-controller-chart/charts.obscpio new file mode 100644 index 0000000..9d4e3e8 Binary files /dev/null and b/upgrade-controller-chart/charts.obscpio differ diff --git a/upgrade-controller-chart/templates.obscpio b/upgrade-controller-chart/templates.obscpio new file mode 100644 index 0000000..c619dbc Binary files /dev/null and b/upgrade-controller-chart/templates.obscpio differ diff --git a/upgrade-controller-chart/values.yaml b/upgrade-controller-chart/values.yaml new file mode 100644 index 0000000..91ec22e --- /dev/null +++ b/upgrade-controller-chart/values.yaml 
@@ -0,0 +1,91 @@
+# Default values for upgrade-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: %%IMG_REPO%%/%%IMG_PREFIX%%upgrade-controller
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+env:
+ releaseManifest:
+ image: %%IMG_REPO%%/%%IMG_PREFIX%%release-manifest
+ kubectl:
+ image: %%IMG_REPO%%/%%IMG_PREFIX%%kubectl
+ version: 1.30.3
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Automatically mount a ServiceAccount's API credentials?
+ automount: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+
+webhookService:
+ name: webhook-server
+ type: ClusterIP
+ port: 443
+ targetPort: 9443
+
+resources: {}
+
+livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+
+# Always keep the cert volume first in case others are appended
+# or adjust the certificate resources lookup.
+volumes:
+ - name: cert
+ secret:
+ secretName: webhook-server-cert
+ defaultMode: 420
+ optional: false
+
+volumeMounts:
+ - name: cert
+ mountPath: "/tmp/k8s-webhook-server/serving-certs"
+ readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+crds:
+ enabled: true
diff --git a/upgrade-controller-image/Dockerfile b/upgrade-controller-image/Dockerfile
new file mode 100644
index 0000000..4a5ad8d
--- /dev/null
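Review bot: The container `securityContext` drops all capabilities and sets `allowPrivilegeEscalation: false` but leaves `readOnlyRootFilesystem` unset, so the controller can still write anywhere in its image filesystem; since the only declared mount is the read-only cert volume, `readOnlyRootFilesystem: true` looks like a safe default here, with an `emptyDir` added only if the manager turns out to need scratch space. `podSecurityContext.runAsNonRoot: true` carries no `runAsUser`, so enforcement depends on the image declaring a numeric `USER`; a comment such as `# runAsNonRoot is satisfied by the image's numeric USER; set runAsUser explicitly if the image changes` would make that coupling visible. `resources: {}` ships the controller with no requests or limits, which is a common chart default but worth stating in a comment so operators know to set them.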
+++ b/upgrade-controller-image/Dockerfile
@@ -0,0 +1,38 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: %%IMG_PREFIX%%upgrade-controller:0.1.0
+#!BuildTag: %%IMG_PREFIX%%upgrade-controller:0.1.0-%RELEASE%
+#!BuildVersion: 15.6
+ARG SLE_VERSION
+FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
+
+FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
+COPY --from=micro / /installroot/
+RUN zypper --installroot /installroot --non-interactive install --no-recommends upgrade-controller-010; zypper -n clean; rm -rf /var/log/*
+
+FROM micro AS final
+
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.upgrade-controller
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE Edge Upgrade Controller Container Image"
+LABEL org.opencontainers.image.description="Edge Update Controller Image based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="0.1.0"
+LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%upgrade-controller:0.1.0-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+COPY --from=base /installroot /
+RUN mv /usr/bin/upgrade-controller /manager
+# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
+USER 65532
+
+ENTRYPOINT [ "/manager" ]
+
diff --git a/upgrade-controller-image/_service b/upgrade-controller-image/_service
new file mode 100644
index 0000000..0041dd1
--- /dev/null
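Review bot: The install step `RUN zypper --installroot /installroot --non-interactive install --no-recommends upgrade-controller-010; zypper -n clean; rm -rf /var/log/*` chains with `;`, so a failed package install does not fail the build: the layer's exit status is that of the final `rm`, and the error only surfaces later at `RUN mv /usr/bin/upgrade-controller /manager` in the final stage. Chain with `&&` instead: `RUN zypper --installroot /installroot --non-interactive install --no-recommends upgrade-controller-010 && zypper -n clean && rm -rf /installroot/var/log/*`. Note that `rm -rf /var/log/*` as written cleans the `base` stage's own filesystem, which is discarded, while the final image is built from `/installroot`; if the goal is to trim what ships, the path presumably has to be under `/installroot` (and `zypper -n clean` may likewise want `--installroot`). The numeric `USER 65532` and exec-form `ENTRYPOINT` are fine as-is.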
+++ b/upgrade-controller-image/_service @@ -0,0 +1,10 @@ + + + + Dockerfile + IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix) + IMG_PREFIX + IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo) + IMG_REPO + +