diff --git a/.circleci/config.yml b/.circleci/config.yml index 39e815138bbb..26256450302c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -14,7 +14,7 @@ jobs: shellcheck -x test/repo-sync.sh lint-charts: docker: - - image: gcr.io/kubernetes-charts-ci/test-image:v3.2.0 + - image: gcr.io/kubernetes-charts-ci/test-image:v3.3.2 steps: - checkout - run: diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md deleted file mode 100644 index f5910ca76575..000000000000 --- a/.github/ISSUE_TEMPLATE.md +++ /dev/null @@ -1,38 +0,0 @@ - - -**Is this a request for help?**: - ---- - -**Is this a BUG REPORT or FEATURE REQUEST?** (choose one): - - - -**Version of Helm and Kubernetes**: - - -**Which chart**: - - -**What happened**: - - -**What you expected to happen**: - - -**How to reproduce it** (as minimally and precisely as possible): - - -**Anything else we need to know**: diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 000000000000..c784b1dafffa --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,36 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '[name of the chart e.g. stable/chart] issue title' +labels: '' +assignees: '' + +--- + + + +**Describe the bug** +A clear and concise description of what the bug is. + +**Version of Helm and Kubernetes**: + + +**Which chart**: + + +**What happened**: + + +**What you expected to happen**: + + +**How to reproduce it** (as minimally and precisely as possible): + + +**Anything else we need to know**: + diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 000000000000..4816cc513f72 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,27 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '[name of the chart e.g. stable/chart] issue title' +labels: '' +assignees: '' + +--- + + + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index a728453a0a61..44e3cfb96fca 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -35,6 +35,7 @@ even continue reviewing your changes. #### Checklist [Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.] -- [ ] [DCO](https://www.helm.sh/blog/helm-dco/index.html) signed +- [ ] [DCO](https://github.com/helm/charts/blob/master/CONTRIBUTING.md#sign-your-work) signed - [ ] Chart Version bumped - [ ] Variables are documented in the README.md +- [ ] Title of the PR starts with chart name (e.g. `[stable/chart]`) diff --git a/OWNERS b/OWNERS index c50530e72d44..546506debf20 100644 --- a/OWNERS +++ b/OWNERS @@ -3,14 +3,17 @@ approvers: - prydonius - sameersbn - viglesiasce - - foxish - unguiculus - scottrigby - mattfarina - davidkarlsen - paulczar - cpanato + - jlegrone + - maorfr emeritus: + - foxish - linki - mgoodness - - seanknox \ No newline at end of file + - seanknox + diff --git a/REVIEW_GUIDELINES.md b/REVIEW_GUIDELINES.md index 880cbf546a93..979578a29da5 100644 --- a/REVIEW_GUIDELINES.md +++ b/REVIEW_GUIDELINES.md 
@@ -16,6 +16,17 @@ Note, if a reviewer who is not an approver in an OWNERS file leaves a comment of Chart releases must be immutable. Any change to a chart warrants a chart version bump even if it is only changes to the documentation. +## Versioning + +The chart `version` should follow [semver](https://semver.org/). + +Stable charts should start at `1.0.0` (for maintainability don't create new PRs for stable charts only to meet this criteria, but when reviewing PRs take the opportunity to ensure that this is met). + +Any breaking (backwards incompatible) changes to a chart should: + +1. Bump the MAJOR version +2. In the README, under a section called "Upgrading", describe the manual steps necessary to upgrade to the new (specified) MAJOR version + ## Chart Metadata The `Chart.yaml` should be as complete as possible. The following fields are mandatory: @@ -338,3 +349,13 @@ While reviewing Charts that contain workloads such as [Deployments](https://kube 10. As much as possible complex pre-app setups are configured using [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). More [configuration](https://kubernetes.io/docs/concepts/configuration/overview/) best practices. + + +## Tests + +This repository follows a [test procedure](https://github.com/helm/charts/blob/master/test/README.md). This allows the charts of this repository to be tested according to several rules (linting, semver checking, deployment testing, etc) for every Pull Request. + +The `ci` directory of a given Chart allows testing different use cases, by allowing you to define different sets of values overriding `values.yaml`, one file per set. See the [documentation](https://github.com/helm/charts/blob/master/test/README.md#providing-custom-test-values) for more information. + +This directory MUST exist with at least one test file in it. + 
diff --git a/incubator/aws-alb-ingress-controller/Chart.yaml b/incubator/aws-alb-ingress-controller/Chart.yaml
index 01aec32ddd59..ac100a6bf461 100644
--- a/incubator/aws-alb-ingress-controller/Chart.yaml
+++ b/incubator/aws-alb-ingress-controller/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: aws-alb-ingress-controller
 description: A Helm chart for AWS ALB Ingress Controller
-version: 0.1.4
-appVersion: "v1.0.1"
+version: 0.1.8
+appVersion: "v1.1.2"
 engine: gotpl
 home: https://github.com/kubernetes-sigs/aws-alb-ingress-controller
 sources:
diff --git a/incubator/aws-alb-ingress-controller/OWNERS b/incubator/aws-alb-ingress-controller/OWNERS
new file mode 100644
index 000000000000..5f792ea9d6f6
--- /dev/null
+++ b/incubator/aws-alb-ingress-controller/OWNERS
@@ -0,0 +1,6 @@
+approvers:
+- bigkraig
+- M00nF1sh
+reviewers:
+- bigkraig
+- M00nF1sh
diff --git a/incubator/aws-alb-ingress-controller/README.md b/incubator/aws-alb-ingress-controller/README.md
index 831753d6b0b2..bbcab95ce77f 100644
--- a/incubator/aws-alb-ingress-controller/README.md
+++ b/incubator/aws-alb-ingress-controller/README.md
@@ -56,9 +56,11 @@ The following tables lists the configurable parameters of the alb-ingress-contro | `image.repository` | controller container image repository | `894847497797.dkr.ecr.us-west-2.amazonaws.com/aws-alb-ingress-controller` | | `image.tag` | controller container image tag | `v1.0.1` | | `image.pullPolicy` | controller container image pull policy | `IfNotPresent` | -| `enableReadinessProbe` | enable readinessProbe on controller pod |`false` | +| `enableReadinessProbe` | enable readinessProbe on controller pod | `false` | | `enableLivenessProbe` | enable livenessProbe on controller pod | `false` | | `extraEnv` | map of environment variables to be injected into the controller pod | `{}` | +| `volumesMounts` | volumeMounts into the controller pod | `[]` | +| `volumes` | volumes the controller pod | `[]` | | `nodeSelector` | node labels for controller pod assignment | `{}` | | `tolerations` | controller pod toleration for taints | `{}` | | `podAnnotations` | annotations to be added to controller pod | `{}` | @@ -71,7 +73,7 @@ The following tables lists the configurable parameters of the alb-ingress-contro | `scope.watchNamespace` | If scope.singleNamespace=true, the ALB ingress controller will only act on Ingress resources in this namespace | `""` (namespace of the ALB ingress controller) | ```bash -helm install incubator/aws-alb-ingress-controller --set clusterName=MyClusterName --set autoDiscoverAwsRegion=true --set autoDiscoverAwsVpcID=true --name my-release --namespace kube-system +helm install incubator/aws-alb-ingress-controller --set clusterName=MyClusterName --set autoDiscoverAwsRegion=true --set autoDiscoverAwsVpcID=true --name my-release --namespace kube-system ``` Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, 
@@ -82,4 +84,4 @@ helm install incubator/aws-alb-ingress-controller --name my-release -f values.ya > **Tip**: You can use the default [values.yaml](values.yaml) -> **Tip**: If you use `aws-alb-ingress-controller` as releaseName, the generated pod name will be shorter.(e.g. `aws-alb-ingress-controller-66cc9fb67c-7mg4w` instead of `my-release-aws-alb-ingress-controller-66cc9fb67c-7mg4w`) \ No newline at end of file +> **Tip**: If you use `aws-alb-ingress-controller` as releaseName, the generated pod name will be shorter.(e.g. `aws-alb-ingress-controller-66cc9fb67c-7mg4w` instead of `my-release-aws-alb-ingress-controller-66cc9fb67c-7mg4w`)
diff --git a/incubator/aws-alb-ingress-controller/templates/deployment.yaml b/incubator/aws-alb-ingress-controller/templates/deployment.yaml
index 212ac6d31f9b..7832c414bca2 100644
--- a/incubator/aws-alb-ingress-controller/templates/deployment.yaml
+++ b/incubator/aws-alb-ingress-controller/templates/deployment.yaml
@@ -77,6 +81,10 @@ spec:
 {{- end }}
 resources:
 {{ toYaml .Values.resources | indent 12 }}
+ {{- with .Values.volumeMounts }}
+ volumeMounts:
+{{ toYaml . | indent 12 }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml . | indent 8 }}
@@ -87,6 +91,10 @@ spec:
 {{- end }}
 {{- with .Values.tolerations }}
 tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.volumes }}
+ volumes:
 {{ toYaml . | indent 8 }}
 {{- end }}
 serviceAccountName: {{ if .Values.rbac.create }}{{ include "aws-alb-ingress-controller.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
diff --git a/incubator/aws-alb-ingress-controller/values.yaml b/incubator/aws-alb-ingress-controller/values.yaml
index ac3c4e1aed73..46108af472a7 100644
--- a/incubator/aws-alb-ingress-controller/values.yaml
+++ b/incubator/aws-alb-ingress-controller/values.yaml
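Review bot: The new passthrough reads `.Values.volumeMounts`, but the README row added in this same change documents the key as `volumesMounts`; a user who copies that name gets no error, because `with` on an absent key renders nothing, and their mounts (in the values.yaml example, an IAM credentials secret) are silently dropped. Rename the README row to `volumeMounts` (and fix its sibling description to "volumes for the controller pod") so the documented keys match what the template reads. Since these mounts go into a pod that holds AWS IAM rights for the ALB controller, it is also worth a README sentence that anything mounted here should be `readOnly: true` unless the controller must write it, as the values.yaml example already shows. The enclosing Deployment template starts and ends outside this hunk.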
@@ -22,7 +22,7 @@ autoDiscoverAwsVpcID: false scope: ## If provided, the ALB ingress controller will only act on Ingress resources annotated with this class - ## Ref: https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/docs/configuration.md#limiting-ingress-class + ## Ref: https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/docs/guide/controller/config.md#limiting-ingress-class ingressClass: alb ## If true, the ALB ingress controller will only act on Ingress resources in a single namespace @@ -30,7 +30,7 @@ scope: singleNamespace: false ## If scope.singleNamespace=true, the ALB ingress controller will only act on Ingress resources in this namespace - ## Ref: https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/docs/configuration.md#limiting-namespaces + ## Ref: https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/docs/guide/controller/config.md#limiting-namespaces ## Default: namespace of the ALB ingress controller watchNamespace: "" @@ -71,7 +71,7 @@ rbac: image: repository: docker.io/amazon/aws-alb-ingress-controller - tag: "v1.0.1" + tag: "v1.1.2" pullPolicy: IfNotPresent replicaCount: 1 @@ -99,3 +99,13 @@ tolerations: [] # effect: NoSchedule affinity: {} + +volumeMounts: [] + # - name: aws-iam-credentials + # mountPath: /meta/aws-iam + # readOnly: true + +volumes: [] + # - name: aws-iam-credentials + # secret: + # secretName: alb-ingress-controller-role diff --git a/incubator/azuremonitor-containers/Chart.yaml b/incubator/azuremonitor-containers/Chart.yaml index 883914225e8b..7e88da4357d6 100644 --- a/incubator/azuremonitor-containers/Chart.yaml +++ b/incubator/azuremonitor-containers/Chart.yaml 
@@ -1,11 +1,14 @@ apiVersion: v1 -appVersion: 2.0.0-3 +appVersion: 4.0.0-0 description: Helm chart for deploying Azure Monitor container monitoring agent in Kubernetes name: azuremonitor-containers -version: 0.4.0 +version: 0.6.0 keywords: - monitoring - azuremonitor + - azure + - oms + - containerinsights - metric - event - logs diff --git a/incubator/azuremonitor-containers/README.md b/incubator/azuremonitor-containers/README.md index 70d9d54b351f..c56b1b9b83b9 100644 --- a/incubator/azuremonitor-containers/README.md +++ b/incubator/azuremonitor-containers/README.md @@ -20,7 +20,7 @@ This article describes how to set up and use [Azure Monitor - Containers](https: 2. [Add the 'AzureMonitor-Containers' Solution to your Log Analytics workspace.](http://aka.ms/coinhelmdoc) -3. [For ACS-engine K8S cluster, add Log Analytics workspace tag to cluster resources, to be able to use Azure Container monitoring User experience (aka.ms/azmon-containers)](http://aka.ms/coin-acs-tag-doc) +3. [For AKS-Engine or ACS-Engine K8S cluster, add required tags on cluster resources, to be able to use Azure Container monitoring User experience (aka.ms/azmon-containers)](http://aka.ms/coin-acs-tag-doc) --- @@ -58,7 +58,7 @@ The following table lists the configurable parameters of the MSOMS chart and the | `omsagent.secret.wsid` | Azure Log analytics workspace id | Does not have a default value, needs to be provided | | `omsagent.secret.key` | Azure Log analytics workspace key | Does not have a default value, needs to be provided | | `omsagent.domain` | Azure Log analytics cloud domain (public / govt) | opinsights.azure.com (Public cloud as default), opinsights.azure.us (Govt Cloud) | -| `omsagent.env.clusterName` | Name of your cluster | Does not have a default value, needs to be provided. If ACS-engine cluster, it is recommended to provide either one of the below as cluster name, to be able to use Azure Container monitoring User experience (aka.ms/azmon-containers)

- Azure Resource group resource ID of ACS-Engine cluster
- Provide a friendly name here and ensure this name is used to 'tag' the cluster master node(s) - see step-3 in pre-requisites above | +| `omsagent.env.clusterName` | Name of your cluster | Does not have a default value, needs to be provided. If AKS-Engine or ACS-Engine K8S cluster, it is recommended to provide either one of the below as cluster name, to be able to use Azure Container monitoring User experience (aka.ms/azmon-containers)

- Azure Resource group resource ID of ACS-Engine cluster
- Provide a friendly name here and ensure this name is used to 'tag' the cluster master node(s) - see step-3 in pre-requisites above | |`omsagent.env.doNotCollectKubeSystemLogs`| Disable collecting logs from containers in 'kube-system' namespace | true| | `omsagent.rbac` | rbac enabled/disabled | true (i.e enabled) | @@ -70,7 +70,7 @@ Specify each parameter using the `--set key=value[,key=value]` argument to `helm ```bash $ helm install --name myrelease-1 \ ---set omsagent.secret.wsid=,omsagent.secret.key=,omsagent.env.clusterName= incubator/azuremonitor-containers +--set omsagent.secret.wsid=,omsagent.secret.key=,omsagent.env.clusterName= incubator/azuremonitor-containers ``` Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, @@ -83,4 +83,4 @@ $ helm install --name myrelease-1 -f values.yaml incubator/azuremonitor-containe After you successfully deploy the chart, you will be able to see your data in the [azure portal](aka.ms/azmon-containers) -If you need help with this chart, please reach us out thru [this](mailto:askcoin@microsoft.com) email. \ No newline at end of file +If you need help with this chart, please reach us out through [this](mailto:askcoin@microsoft.com) email. \ No newline at end of file diff --git a/incubator/azuremonitor-containers/templates/omsagent-daemonset.yaml b/incubator/azuremonitor-containers/templates/omsagent-daemonset.yaml index afa9e12a1144..9c76643e6435 100644 --- a/incubator/azuremonitor-containers/templates/omsagent-daemonset.yaml +++ b/incubator/azuremonitor-containers/templates/omsagent-daemonset.yaml @@ -32,6 +32,8 @@ spec: value: {{ .Values.omsagent.env.clusterName | quote }} - name: DISABLE_KUBE_SYSTEM_LOG_COLLECTION value: {{ .Values.omsagent.env.doNotCollectKubeSystemLogs | quote }} + - name: CONTROLLER_TYPE + value: "DaemonSet" - name: NODE_IP valueFrom: fieldRef: 
@@ -44,12 +46,17 @@ spec:
 - containerPort: 25224
 protocol: UDP
 volumeMounts:
- - mountPath: /var/run/docker.sock
+ - mountPath: /hostfs
+ name: host-root
+ readOnly: true
+ - mountPath: /var/run/host
 name: docker-sock
 - mountPath: /var/log
 name: host-log
 - mountPath: /var/lib/docker/containers
 name: containerlog-path
+ - mountPath: /etc/kubernetes/host
+ name: azure-json-path
 - mountPath: /etc/omsagent-secret
 name: omsagent-secret
 readOnly: true
@@ -58,7 +65,7 @@ spec:
 command:
 - /bin/bash
 - -c
- - ps -ef | grep omsagent | grep -v "grep"
+ - (ps -ef | grep omsagent | grep -v "grep") && (ps -ef | grep td-agent-bit | grep -v "grep")
 initialDelaySeconds: 60
 periodSeconds: 60
 nodeSelector:
@@ -70,9 +77,12 @@ spec:
 value: "true"
 effect: "NoSchedule"
 volumes:
+ - name: host-root
+ hostPath:
+ path: /
 - name: docker-sock
 hostPath:
- path: /var/run/docker.sock
+ path: /var/run
 - name: container-hostname
 hostPath:
 path: /etc/hostname
@@ -82,6 +92,9 @@ spec:
 - name: containerlog-path
 hostPath:
 path: /var/lib/docker/containers
+ - name: azure-json-path
+ hostPath:
+ path: /etc/kubernetes
 - name: omsagent-secret
 secret:
 secretName: omsagent-secret
diff --git a/incubator/azuremonitor-containers/templates/omsagent-deployment.yaml b/incubator/azuremonitor-containers/templates/omsagent-deployment.yaml
index f5a0f4d4c9be..ca3699608b32 100644
--- a/incubator/azuremonitor-containers/templates/omsagent-deployment.yaml
+++ b/incubator/azuremonitor-containers/templates/omsagent-deployment.yaml
@@ -36,6 +36,8 @@ spec:
 value: {{ .Values.omsagent.env.clusterName | quote }}
 - name: DISABLE_KUBE_SYSTEM_LOG_COLLECTION
 value: {{ .Values.omsagent.env.doNotCollectKubeSystemLogs | quote }}
+ - name: CONTROLLER_TYPE
+ value: "ReplicaSet"
 - name: NODE_IP
 valueFrom:
 fieldRef:
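Review bot: The two new host mounts at `/var/run/host` and `/etc/kubernetes/host` are writable, while the `/hostfs` mount added in the same hunk is `readOnly: true`; nothing in the hunk shows the agent writing to either path, and on AKS-engine/ACS-engine nodes `/etc/kubernetes` is where the cloud-provider `azure.json` (service-principal credentials) and the node's certificates live. Add `readOnly: true` under `name: docker-sock` and under `name: azure-json-path` so a compromised collector cannot tamper with host runtime sockets or node credentials. A read-only bind mount should not block connect() to the Docker socket, but confirm that against the agent's container-runtime client before merging. The container spec this sits in starts before the hunk.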
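Review bot: `host-root` exposes the entire node filesystem (`path: /`) to a DaemonSet pod on every node, and `docker-sock` is widened from the single `/var/run/docker.sock` file to all of `/var/run`; read access to `/` reaches the kubelet's credentials and, presumably, other pods' secret volumes under the kubelet's pod directory, and the wider `/var/run` mount reaches every runtime socket rather than just Docker's. Neither change is mentioned in the README or values.yaml hunks in this change, so operators cannot see the new host exposure from the chart's documentation; add a README note describing the host paths the agent mounts and why. If the agent only needs specific host trees (for example `/proc` and `/sys` under `/hostfs`), narrow `path: /` to those and keep `path: /var/run/docker.sock` unless a second socket is actually read — that should be stated in the commit.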
@@ -48,12 +50,14 @@ spec:
 - containerPort: 25224
 protocol: UDP
 volumeMounts:
- - mountPath: /var/run/docker.sock
+ - mountPath: /var/run/host
 name: docker-sock
 - mountPath: /var/log
 name: host-log
 - mountPath: /var/lib/docker/containers
 name: containerlog-path
+ - mountPath: /etc/kubernetes/host
+ name: azure-json-path
 - mountPath: /etc/omsagent-secret
 name: omsagent-secret
 readOnly: true
@@ -73,7 +77,7 @@ spec:
 volumes:
 - name: docker-sock
 hostPath:
- path: /var/run/docker.sock
+ path: /var/run
 - name: container-hostname
 hostPath:
 path: /etc/hostname
@@ -83,6 +87,9 @@ spec:
 - name: containerlog-path
 hostPath:
 path: /var/lib/docker/containers
+ - name: azure-json-path
+ hostPath:
+ path: /etc/kubernetes
 - name: omsagent-secret
 secret:
 secretName: omsagent-secret
diff --git a/incubator/azuremonitor-containers/templates/omsagent-rs-configmap.yaml b/incubator/azuremonitor-containers/templates/omsagent-rs-configmap.yaml
index 62295c319817..9dc7b5f5045f 100644
--- a/incubator/azuremonitor-containers/templates/omsagent-rs-configmap.yaml
+++ b/incubator/azuremonitor-containers/templates/omsagent-rs-configmap.yaml
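Review bot: The ReplicaSet variant also gets a writable `/var/run/host` mount (now the whole `/var/run` directory rather than the socket file) and a writable `/etc/kubernetes/host` mount, with no `readOnly: true` on either, so a compromised collector could write to every host runtime socket and to `/etc/kubernetes`, which on AKS-engine nodes holds `azure.json` with the cluster's service-principal secret. Add `readOnly: true` under `name: docker-sock` and under `name: azure-json-path` in the volumeMounts hunk. If the only file the agent needs is `azure.json`, point the `azure-json-path` hostPath at that single file with `type: File` instead of the directory, bearing in mind that `type: File` makes pod creation fail on nodes without it. The pod spec continues outside the hunk.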
@@ -5,54 +5,76 @@ data: kube.conf: | # Fluentd config file for OMS Docker - cluster components (kubeAPI) - #Kubernetes pod inventory - + #Kubernetes pod inventory + type kubepodinventory tag oms.containerinsights.KubePodInventory run_interval 60s log_level debug - + - #Kubernetes events - + #Kubernetes events + type kubeevents - tag oms.api.KubeEvents.CollectionTime + tag oms.containerinsights.KubeEvents run_interval 60s log_level debug - + - #Kubernetes logs - + #Kubernetes logs + type kubelogs tag oms.api.KubeLogs run_interval 60s - + - #Kubernetes services - + #Kubernetes services + type kubeservices - tag oms.api.KubeServices.CollectionTime + tag oms.containerinsights.KubeServices run_interval 60s log_level debug - + - #Kubernetes Nodes - + #Kubernetes Nodes + type kubenodeinventory tag oms.containerinsights.KubeNodeInventory run_interval 60s log_level debug - + - #Kubernetes perf - + #Kubernetes perf + type kubeperf tag oms.api.KubePerf run_interval 60s log_level debug - + - + #cadvisor perf- Windows nodes + + type wincadvisorperf + tag oms.api.wincadvisorperf + run_interval 60s + log_level debug + + + + type filter_inventory2mdm + custom_metrics_azure_regions eastus,southcentralus,westcentralus,westus2,southeastasia,northeurope,westEurope + log_level info + + + # custom_metrics_mdm filter plugin for perf data from windows nodes + + type filter_cadvisor2mdm + custom_metrics_azure_regions eastus,southcentralus,westcentralus,westus2,southeastasia,northeurope,westEurope + metrics_to_collect cpuUsageNanoCores,memoryWorkingSetBytes + log_level info + + + type out_oms log_level debug num_threads 5 
@@ -65,23 +87,24 @@ data: retry_limit 10 retry_wait 30s max_retry_wait 9m - + - - type out_oms_api + + type out_oms log_level debug num_threads 5 buffer_chunk_limit 5m buffer_type file - buffer_path %STATE_DIR_WS%/out_oms_api_kubeevents*.buffer + buffer_path %STATE_DIR_WS%/out_oms_kubeevents*.buffer buffer_queue_limit 10 buffer_queue_full_action drop_oldest_chunk flush_interval 20s retry_limit 10 retry_wait 30s - + max_retry_wait 9m + - + type out_oms_api log_level debug buffer_chunk_limit 10m @@ -91,10 +114,10 @@ data: flush_interval 20s retry_limit 10 retry_wait 30s - + - - type out_oms_api + + type out_oms log_level debug num_threads 5 buffer_chunk_limit 20m @@ -106,9 +129,9 @@ data: retry_limit 10 retry_wait 30s max_retry_wait 9m - + - + type out_oms log_level debug num_threads 5 @@ -121,9 +144,22 @@ data: retry_limit 10 retry_wait 30s max_retry_wait 9m - + - + + type out_oms + log_level debug + buffer_chunk_limit 20m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_containernodeinventory*.buffer + buffer_queue_limit 20 + flush_interval 20s + retry_limit 10 + retry_wait 15s + max_retry_wait 9m + + + type out_oms log_level debug num_threads 5 
@@ -136,7 +172,54 @@ data: retry_limit 10 retry_wait 30s max_retry_wait 9m - + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 20m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 30s + max_retry_wait 9m + retry_mdm_post_wait_minutes 60 + + + + type out_oms + log_level debug + num_threads 5 + buffer_chunk_limit 20m + buffer_type file + buffer_path %STATE_DIR_WS%/out_oms_api_wincadvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 30s + max_retry_wait 9m + + + + type out_mdm + log_level debug + num_threads 5 + buffer_chunk_limit 20m + buffer_type file + buffer_path %STATE_DIR_WS%/out_mdm_cdvisorperf*.buffer + buffer_queue_limit 20 + buffer_queue_full_action drop_oldest_chunk + flush_interval 20s + retry_limit 10 + retry_wait 30s + max_retry_wait 9m + retry_mdm_post_wait_minutes 60 + metadata: name: omsagent-rs-config namespace: kube-system diff --git a/incubator/azuremonitor-containers/values.yaml b/incubator/azuremonitor-containers/values.yaml index 6cf3e4c253f0..62e7a35152c8 100644 --- a/incubator/azuremonitor-containers/values.yaml +++ b/incubator/azuremonitor-containers/values.yaml @@ -6,10 +6,10 @@ ## ref: https://github.com/Microsoft/OMS-docker/tree/ci_feature_prod omsagent: image: - tag: "ciprod11292018" + tag: "ciprod04232019" pullPolicy: IfNotPresent - dockerProviderVersion: "3.0.0-2" - agentVersion: "1.6.0-163" + dockerProviderVersion: "4.0.0-0" + agentVersion: "1.10.0.1" ## To get your workspace id and key do the following ## You can create a Azure Loganalytics workspace from portal.azure.com and get its ID & PRIMARY KEY from 'Advanced Settings' tab in the Ux. @@ -29,7 +29,7 @@ omsagent: daemonset: requests: cpu: 50m - memory: 150Mi + memory: 225Mi limits: cpu: 150m memory: 300Mi 
diff --git a/incubator/buzzfeed-sso/Chart.yaml b/incubator/buzzfeed-sso/Chart.yaml
new file mode 100644
index 000000000000..fe2f3f972531
--- /dev/null
+++ b/incubator/buzzfeed-sso/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+description: Single sign-on for your Kubernetes services using Google OAuth
+name: buzzfeed-sso
+version: 0.0.1
+appVersion: 1.1.0
+home: https://github.com/buzzfeed/sso
+sources:
+ - https://hub.docker.com/r/buzzfeed/sso/
+keywords:
+ - sso
+ - octoboi
+ - ssoctopus
+icon: https://user-images.githubusercontent.com/10510566/44476420-a64e5980-a605-11e8-8ad9-2820109deb75.png
+maintainers:
+ - name: darioblanco
+ email: dblanco@minddoc.de
diff --git a/incubator/buzzfeed-sso/OWNERS b/incubator/buzzfeed-sso/OWNERS
new file mode 100644
index 000000000000..3ee6653c6388
--- /dev/null
+++ b/incubator/buzzfeed-sso/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- darioblanco
+reviewers:
+- darioblanco
diff --git a/incubator/buzzfeed-sso/README.md b/incubator/buzzfeed-sso/README.md
new file mode 100644
index 000000000000..420f0331d8b6
--- /dev/null
+++ b/incubator/buzzfeed-sso/README.md
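Review bot: `appVersion: 1.1.0` does not match the image this chart is documented to ship — the README added in the same change lists the `image.tag` default as `v1.0.0` — so one of the two is stale, and `appVersion` is what operators see in `helm search`/`helm list` when deciding whether an SSO proxy is current. Align it with the real default tag and quote it, `appVersion: "1.1.0"`, as the other charts in this diff do (`appVersion: "v1.1.2"`), so YAML tooling never retypes it. Separately, the REVIEW_GUIDELINES hunk on this page now requires a `ci/` directory with at least one values file per chart, and no such file appears in the visible part of this change; as a chart that handles OAuth client secrets and cookie secrets, it should at least have a lint/install test run.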
@@ -0,0 +1,182 @@ +# Buzzfeed SSO + +Single sign-on for your Kubernetes services using Google OAuth (more providers are welcomed) + +[Blogpost](https://tech.buzzfeed.com/unleashing-the-a6a1a5da39d6?gi=e6db395406ae) +[Quickstart guide](https://github.com/buzzfeed/sso/blob/master/docs/quickstart.md) +[SSO in Kubernetes with Google Auth](https://medium.com/@while1eq1/single-sign-on-for-internal-apps-in-kubernetes-using-google-oauth-sso-2386a34bc433) +[Repo](https://github.com/buzzfeed/sso) + +This helm chart is heavily inspired in [Buzzfeed's example](https://github.com/buzzfeed/sso/tree/master/quickstart/kubernetes), and provides a way of protecting Kubernetes services that have no authentication layer globally from a single OAuth proxy. + +Many of the Kubernetes OAuth solutions require to run an extra container within the pod using [oauth2_proxy](https://github.com/bitly/oauth2_proxy), but the project seems to not be maintained anymore. The approach presented on this chart allows to have a global OAuth2 Proxy that can protect services even in different namespaces, thanks to [Kube DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/). + +We use this chart in production at [MindDoc](https://minddoc.de) for protecting endpoints that have no built-in authentication (or that would require to run inner containers), like `Kibana`, `Prometheus`, etc... + +## Introduction + +This chart creates a SSO deployment on a [Kubernetes](http://kubernetes.io) +cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.8+ with Beta APIs enabled +- Kube DNS + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install --name my-release stable/buzzfeed-sso +``` + +The command deploys SSO on the Kubernetes cluster using the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. 
+ +This chart has required variables, see [Configuration](#configuration). + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete --purge my-release +``` +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the SSO chart and their default/required values. + +Parameter | Description | Default +--- | --- | --- +`namespace` | namespace to use | `default` +`emailDomain` | the sso email domain for authentication | REQUIRED +`rootDomain` | the parent domain used for protecting your backends | REQUIRED +`auth.annotations` | extra annotations for auth pods | `{}` +`auth.domain` | the auth domain used for OAuth callbacks | REQUIRED +`auth.replicaCount` | desired number of auth pods | `1` +`auth.resources` | resource limits and requests for auth pods | `{ limits: { memory: "256Mi", cpu: "200m" }}` +`auth.nodeSelector` | node selector logic for auth pods | `{}` +`auth.tolerations` | resource tolerations for auth pods | `{}` +`auth.affinity` | node affinity for auth pods | `{}` +`auth.service.type` | type of auth service to create | `ClusterIP` +`auth.service.port` | port for the http auth service | `80` +`auth.secret` | secrets to be generated randomly with `openssl rand -base64 32 | head -c 32`. | REQUIRED if `auth.customSecret` is not set +`auth.tls` | tls configuration for central sso auth ingress. 
| `{ secretName: "sso-auth-tls-secret" }` +`auth.customSecret` | the secret key to reuse (avoids secret creation via helm) | REQUIRED if `auth.secret` is not set +`proxy.annotations` | extra annotations for proxy pods | `{}` +`proxy.providerUrlInternal` | url for split dns deployments | +`proxy.cluster` | the cluster name for SSO | `dev` +`proxy.replicaCount` | desired number of proxy pods | `1` +`proxy.resources` | resource limits and requests for proxy pods | `{ limits: { memory: "256Mi", cpu: "200m" }}` +`proxy.nodeSelector` | node selector logic for proxy pods | `{}` +`proxy.tolerations` | resource tolerations for proxy pods | `{}` +`proxy.affinity` | node affinity for proxy pods | `{}` +`proxy.service.type` | type of proxy service to create | `ClusterIP` +`proxy.service.port` | port for the http proxy service | `80` +`proxy.secret` | secrets to be generated randomly with `openssl rand -base64 32 | head -c 32 | base64`. | REQUIRED if `proxy.customSecret` is not set +`proxy.customSecret` | the secret key to reuse (avoids secret creation via helm) | REQUIRED if `proxy.secret` is not set +`provider.google` | the Oauth provider to use (only Google support for now) | REQUIRED +`provider.google.adminEmail` | the Google admin email | `undefined` +`provider.google.secret` | the Google OAuth secrets | REQUIRED if `provider.google.customSecret` is not set +`provider.google.customSecret` | the secret key to reuse instead of creating it via helm | REQUIRED if `provider.google.secret` is not set +`image.repository` | container image repository | `buzzfeed/sso` +`image.tag` | container image tag | `v1.0.0` +`image.pullPolicy` | container image pull policy | `IfNotPresent` +`ingress.annotations` | ingress load balancer annotations | `{}` +`ingress.hosts` | proxied hosts | `[]` +`ingress.tls` | tls certificates for the proxied hosts | `[]` +`upstreams` | configuration of services that use sso | `[]` + +Specify each parameter using the `--set key=value[,key=value]` argument to 
`helm install`. For example, + +```bash +$ helm install --name my-release \ + --set key_1=value_1,key_2=value_2 \ + stable/buzzfeed-sso +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm install --name my-release -f values.yaml stable/buzzfeed-sso +``` + +> **Tip**: This will merge parameters with [values.yaml](values.yaml), which does not specify all the required values + +### Example + +**NEVER expose your `auth.secret`, `proxy.secret`, `provider.google.clientId`, `provider.google.clientSecret` and `provider.google.serviceAccount`.** Always keep them in a safe place and do not push them to any repository. As values are merged, you can always generate a different `.yaml` file. For instance: + +```yaml +# values.yaml +emailDomain: 'email.coolcompany.foo' + +rootDomain: 'coolcompany.foo' + +auth: + domain: sso-auth.coolcompany.foo + +proxy: + cluster: dev + +google: + adminEmail: iamtheadmin@email.coolcompany.foo +``` + +```yaml +# secrets.yaml +auth: + secret: + codeSecret: 'randomSecret1' + cookieSecret: 'randomSecret2' + +proxy: + secret: + clientId: 'randomSecret3' + clientSecret: 'randomSecret4' + cookieSecret: 'randomSecret6' + +google: + secret: + clientId: 'googleSecret!' + clientSecret: 'evenMoreSecret' + serviceAccount: '{ }' +``` + +Therefore, you could push your own `values.yaml` to a repo and keep `secrets.yaml` locally safe, and then install/update the chart: + +```bash +$ helm install --name my-release -f values.yaml -f secrets.yaml stable/buzzfeed-sso +``` + +Alternatively, you can specify your own secret key, if you have already created it in the cluster. The secret should follow the data format defined in `secret.yaml` (auth and proxy) and `google-secret.yaml` (google provider). 
+ +```yaml +# values.yaml +emailDomain: 'email.coolcompany.foo' + +rootDomain: 'coolcompany.foo' + +auth: + domain: sso-auth.coolcompany.foo + customSecret: my-sso-auth-secret + +proxy: + cluster: dev + customSecret: my-sso-proxy-secret + +provider: + google: + adminEmail: iamtheadmin@email.coolcompany.foo + customSecret: my-sso-google-secret +``` + +## Updating the Chart + +You can update the chart values and trigger a pod reload. If the configmap changes, it will automatically retrieve the new values. + +```bash +$ helm upgrade -f values.yaml my-release stable/buzzfeed-sso +``` diff --git a/incubator/buzzfeed-sso/templates/NOTES.txt b/incubator/buzzfeed-sso/templates/NOTES.txt new file mode 100644 index 000000000000..1810b9cf7ff3 --- /dev/null +++ b/incubator/buzzfeed-sso/templates/NOTES.txt 
@@ -0,0 +1,134 @@ +Please be patient: buzzfeed-sso might take a few minutes to install. + +{{- if eq .Values.emailDomain "" }} + +############################################################################### +#### ERROR: You did not provide an email domain. #### +############################################################################### + +This deployment will be incomplete until you configure a valid email domain. +The email domain is required for the auth and proxy deployments. + +{{- end }} + +{{- if eq .Values.rootDomain "" }} + +############################################################################### +#### ERROR: You did not provide a root domain. #### +############################################################################### + +This deployment will be incomplete until you configure a valid root domain. +The root domain is required for the auth deployment. + +{{- end }} + +{{- if eq .Values.auth.domain "" }} + +############################################################################### +#### ERROR: You did not provide proper auth domain. #### +############################################################################### + +This deployment will be incomplete until you configure a valid auth domain. +For instance, "sso-auth.mydomain.foo". + +{{- end }} + +{{- if not (or .Values.auth.secret .Values.auth.customSecret) }} + +############################################################################### +#### ERROR: You did not provide proper auth secrets. #### +############################################################################### + +This deployment will be incomplete until you configure proper auth secrets. 
+You can generate an auth secret by running + helm upgrade {{ .Release.Name }} \ + --reuse-values \ + --set auth.secret.codeSecret="$(openssl rand -base64 32 | head -c 32 | base64)" \ + --set auth.secret.cookieSecret="$(openssl rand -base64 32 | head -c 32 | base64)" \ + incubator/buzzfeed-sso + +Or you can provide a custom auth secret that is a reference to an already created +Kubernetes secret resource. + kubectl create secret generic buzzfeed-sso-auth-secret \ + --namespace={{ .Release.Namespace }} \ + --from-literal=auth-code-secret="auth-code-secret" + --from-literal=auth-cookie-secret="auth-cookie-secret" + + helm upgrade {{ .Release.Name }} \ + --reuse-values \ + --set auth.customSecret="buzzfeed-sso-auth-secret" \ + incubator/buzzfeed-sso + +{{- end }} + +{{- if not (or .Values.proxy.secret .Values.proxy.customSecret) }} + +############################################################################### +#### ERROR: You did not provide proper proxy secrets. #### +############################################################################### + +This deployment will be incomplete until you configure proper proxy secrets. +You can generate a proxy secret by running + helm upgrade {{ .Release.Name }} \ + --reuse-values \ + --set proxy.secret.clientId="$(openssl rand -base64 32 | head -c 32 | base64)" \ + --set proxy.secret.clientSecret="$(openssl rand -base64 32 | head -c 32 | base64)" \ + --set proxy.secret.cookieSecret="$(openssl rand -base64 32 | head -c 32 | base64)" \ + incubator/buzzfeed-sso + +Or you can provide a custom proxy secret that is a reference to an already created +Kubernetes secret resource. 
+ kubectl create secret generic buzzfeed-sso-proxy-secret \ + --namespace={{ .Release.Namespace }} \ + --from-literal=proxy-client-id="proxy-client-id" + --from-literal=proxy-client-secret="proxy-client-secret" + --from-literal=proxy-cookie-secret="proxy-cookie-secret" + + helm upgrade {{ .Release.Name }} \ + --reuse-values \ + --set proxy.customSecret="buzzfeed-sso-proxy-secret" \ + incubator/buzzfeed-sso + +{{- end }} + +{{- if not (or .Values.provider.google.secret .Values.provider.google.customSecret) }} + +############################################################################### +#### ERROR: You did not provide a proper Google provider. #### +############################################################################### + +This deployment will be incomplete until you configure a valid provider. + +Currently, the only accepted provider is Google. You need to specify it with +a given secret or custom secret. + +You can define the secret with your Google's client id, client secret and +service account in JSON format. + helm upgrade {{ .Release.Name }} \ + --reuse-values \ + --set provider.google.secret.clientId="foo123123-fake123123.apps.googleusercontent.com" \ + --set provider.google.secret.clientSecret="googleOauthClientSecret" \ + --set provider.google.secret.serviceAccount="$(cat myserviceaccount.json)" \ + incubator/buzzfeed-sso + +Or you can provide a custom secret that is a reference to an already created +Kubernetes secret resource. 
+ kubectl create secret generic buzzfeed-sso-google-secret \ + --namespace={{ .Release.Namespace }} \ + --from-literal=google-client-id="foo123123-fake123123.apps.googleusercontent.com" + --from-literal=google-client-secret="googleOauthClientSecret" + --from-literal=service-account="$(cat myserviceaccount.json)" + + helm upgrade {{ .Release.Name }} \ + --reuse-values \ + --set provider.google.customSecret="buzzfeed-sso-google-secret" \ + incubator/buzzfeed-sso + +{{- end }} + +{{- if .Values.ingress.hosts }} +Visit the external application URLs to use your application: +{{- range .Values.ingress.hosts }} + https://{{ .domain }}{{ .path }} +{{- end }} +{{- end }} diff --git a/incubator/buzzfeed-sso/templates/_helpers.tpl b/incubator/buzzfeed-sso/templates/_helpers.tpl new file mode 100644 index 000000000000..7e2fb0a6633d --- /dev/null +++ b/incubator/buzzfeed-sso/templates/_helpers.tpl 
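Review bot: The `kubectl create secret generic` examples for the auth, proxy and Google custom secrets drop the trailing `\` after their first `--from-literal=` line (e.g. `--from-literal=auth-code-secret="auth-code-secret"`), so each following `--from-literal` line is executed as a separate shell command and the Secret ends up with a single key. The auth example is also incomplete: auth-deployment.yaml in this commit reads `proxy-client-id` and `proxy-client-secret` from the same secret as the auth keys, so a secret created exactly as shown leaves the auth pod unable to start; the example should create all four keys, presumably with the same client id/secret values the proxy secret carries. It is worth adding one sentence that values passed through `--set ...secret...` are retained in the release record, so the custom-secret route is the one to prefer when the credentials are managed outside Helm.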
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "buzzfeed-sso.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "buzzfeed-sso.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "buzzfeed-sso.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/incubator/buzzfeed-sso/templates/auth-deployment.yaml b/incubator/buzzfeed-sso/templates/auth-deployment.yaml
new file mode 100644
index 000000000000..748879288c36
--- /dev/null
+++ b/incubator/buzzfeed-sso/templates/auth-deployment.yaml
@@ -0,0 +1,150 @@ +{{- if and (or .Values.auth.customSecret .Values.auth.secret) (or .Values.provider.google.customSecret .Values.provider.google.secret) (ne .Values.auth.domain "") -}} +{{- $fullName := include "buzzfeed-sso.fullname" . -}} +{{- $googleSecret := .Values.provider.google.customSecret | default (printf "%s-google" ($fullName)) -}} +{{- $authSecret := .Values.auth.customSecret | default ($fullName) -}} +{{- $name := include "buzzfeed-sso.name" . -}} +{{- $authDomain := .Values.auth.domain -}} +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: {{ $fullName }}-auth + labels: + app: {{ $name }} + chart: {{ template "buzzfeed-sso.chart" . }} + component: {{ $name }}-auth + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.auth.replicaCount }} + selector: + matchLabels: + app: {{ $name }} + component: {{ $name }}-auth + release: {{ .Release.Name }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- with .Values.auth.annotations }} +{{ toYaml . 
| indent 8 }} + {{- end }} + labels: + app: {{ $name }} + component: {{ $name }}-auth + release: {{ .Release.Name }} + spec: + {{- if .Values.provider.google }} + volumes: + - name: google-service-account + secret: + secretName: {{ $googleSecret }} + items: + - key: service-account + path: sso-serviceaccount.json + {{- end }} + containers: + - name: {{ .Chart.Name }}-auth + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["/bin/sso-auth"] + ports: + - name: http + containerPort: 4180 + protocol: TCP + env: + - name: SSO_EMAIL_DOMAIN + value: {{ .Values.emailDomain | quote }} + - name: HOST + value: {{ $authDomain }} + - name: REDIRECT_URL + value: https://{{ $authDomain }} + - name: PROXY_ROOT_DOMAIN + value: {{ .Values.rootDomain | quote }} + - name: PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ $authSecret }} + key: proxy-client-id + - name: PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ $authSecret }} + key: proxy-client-secret + - name: AUTH_CODE_SECRET + valueFrom: + secretKeyRef: + name: {{ $authSecret }} + key: auth-code-secret + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ $authSecret }} + key: auth-cookie-secret + # # OLD_COOKIE_SECRET is the same as COOKIE_SECRET, not sure why its even needed at this point + - name: OLD_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ $authSecret }} + key: auth-cookie-secret + # STATSD_HOST and STATSD_PORT must be defined or the app wont launch, they dont need to be a real host / port + - name: STATSD_HOST + value: localhost + - name: STATSD_PORT + value: "11111" + - name: COOKIE_SECURE + value: "true" + - name: CLUSTER + value: dev + # Provider variables + {{- with .Values.provider.google }} + {{- if .adminEmail }} + - name: GOOGLE_ADMIN_EMAIL + value: {{ .adminEmail | quote }} + - name: GOOGLE_SERVICE_ACCOUNT_JSON + value: /creds/sso-serviceaccount.json + {{- end }} + - name: CLIENT_ID + valueFrom: + 
secretKeyRef: + name: {{ $googleSecret }} + key: google-client-id + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ $googleSecret }} + key: google-client-secret + {{- end }} + readinessProbe: + httpGet: + path: /ping + port: 4180 + scheme: HTTP + livenessProbe: + httpGet: + path: /ping + port: 4180 + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 + {{- if .Values.provider.google.adminEmail }} + volumeMounts: + - name: google-service-account + mountPath: /creds + readOnly: true + {{- end }} + resources: +{{ toYaml .Values.auth.resources | indent 12 }} + {{- with .Values.auth.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.auth.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.auth.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} diff --git a/incubator/buzzfeed-sso/templates/auth-service.yaml b/incubator/buzzfeed-sso/templates/auth-service.yaml new file mode 100644 index 000000000000..7b24477376e6 --- /dev/null +++ b/incubator/buzzfeed-sso/templates/auth-service.yaml @@ -0,0 +1,22 @@ +{{- $name := include "buzzfeed-sso.name" . -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "buzzfeed-sso.fullname" . }}-auth + labels: + app: {{ $name }} + chart: {{ template "buzzfeed-sso.chart" . }} + component: {{ $name }}-auth + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.auth.service.type }} + ports: + - name: http + port: {{ .Values.auth.service.port }} + targetPort: 4180 + protocol: TCP + selector: + app: {{ $name }} + component: {{ $name }}-auth + release: {{ .Release.Name }} diff --git a/incubator/buzzfeed-sso/templates/configmap.yaml b/incubator/buzzfeed-sso/templates/configmap.yaml new file mode 100644 index 000000000000..12f9a4f6e000 --- /dev/null +++ b/incubator/buzzfeed-sso/templates/configmap.yaml 
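Review bot: The `checksum/secret` annotation only hashes `secret.yaml`, while `CLIENT_ID`, `CLIENT_SECRET` and the mounted service-account JSON come from `google-secret.yaml`, so rotating `provider.google.secret` through `helm upgrade` does not roll the auth pods and they keep the old credentials until something else restarts them; add `checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}` next to it. The service-account volume is declared under `{{- if .Values.provider.google }}` but mounted under `{{- if .Values.provider.google.adminEmail }}`; the two guards should share one condition so the volume and its mount cannot drift apart. `CLUSTER` is hard-coded to `dev` here whereas proxy-deployment.yaml takes it from `.Values.proxy.cluster`; if the two are meant to agree, source both from values. The pod also sets no `securityContext`; a `runAsNonRoot`/`readOnlyRootFilesystem` block driven from values would be in keeping with a container that holds OAuth client secrets.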
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "buzzfeed-sso.fullname" . }}
+ labels:
+ app: {{ template "buzzfeed-sso.name" . }}
+ chart: {{ template "buzzfeed-sso.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{- with .Values.upstreams }}
+ upstream_configs.yml: |-
+{{ toYaml . | indent 4 }}
+{{- end }}
diff --git a/incubator/buzzfeed-sso/templates/google-secret.yaml b/incubator/buzzfeed-sso/templates/google-secret.yaml
new file mode 100644
index 000000000000..9a3f46ea8b6b
--- /dev/null
+++ b/incubator/buzzfeed-sso/templates/google-secret.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.provider.google.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "buzzfeed-sso.fullname" . }}-google
+ labels:
+ app: {{ template "buzzfeed-sso.name" . }}
+ chart: {{ template "buzzfeed-sso.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+type: Opaque
+data:
+{{- with .Values.provider.google.secret }}
+ google-client-id: {{ .clientId | b64enc }}
+ google-client-secret: {{ .clientSecret | b64enc }}
+ service-account: {{ .serviceAccount | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/incubator/buzzfeed-sso/templates/ingress.yaml b/incubator/buzzfeed-sso/templates/ingress.yaml
new file mode 100644
index 000000000000..5f7c3f3b7cf8
--- /dev/null
+++ b/incubator/buzzfeed-sso/templates/ingress.yaml
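Review bot: With the default `upstreams: []` the `with` block renders nothing, so the ConfigMap carries no `upstream_configs.yml` key while proxy-deployment.yaml points `UPSTREAM_CONFIGS` at `/sso/upstream_configs.yml`; the proxy presumably fails at startup on a missing file rather than with a values error that names the cause. Either render an empty `upstream_configs.yml: ""` when the list is empty or make `upstreams` `required` and mention it in NOTES.txt alongside the other configuration checks.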
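Review bot: `{{ .clientId | b64enc }}`, `{{ .clientSecret | b64enc }}` and `{{ .serviceAccount | b64enc }}` are evaluated on whatever the user placed under `provider.google.secret`; if one key is absent the pipeline receives a nil and rendering fails with a generic template error instead of naming the missing value. Wrapping each in `required`, e.g. `{{ required "provider.google.secret.clientId is required" .clientId | b64enc }}`, gives an actionable message, and the five keys in secret.yaml would benefit from the same treatment.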
@@ -0,0 +1,48 @@ +{{- if ne .Values.auth.domain "" -}} +{{- $fullName := include "buzzfeed-sso.fullname" . -}} +{{- $authDomain := .Values.auth.domain -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + app: {{ template "buzzfeed-sso.name" . }} + chart: {{ template "buzzfeed-sso.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- with .Values.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + tls: + - hosts: + - {{ $authDomain }} + secretName: {{ .Values.auth.tls.secretName -}} + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + rules: + # Upstreams that need SSO authentication + {{- range .Values.ingress.hosts }} + - host: {{ .domain }} + http: + paths: + - path: {{ .path }} + backend: + serviceName: {{ $fullName }}-proxy + servicePort: http + {{- end }} + # Global SSO used in the callback for login + - host: {{ $authDomain }} + http: + paths: + - path: / + backend: + serviceName: {{ $fullName }}-auth + servicePort: http +{{- end }} diff --git a/incubator/buzzfeed-sso/templates/proxy-deployment.yaml b/incubator/buzzfeed-sso/templates/proxy-deployment.yaml new file mode 100644 index 000000000000..e636a8cf5c81 --- /dev/null +++ b/incubator/buzzfeed-sso/templates/proxy-deployment.yaml 
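Review bot: Under `tls:`, the `- hosts:` entries produced by `{{- range .Values.ingress.tls }}` appear to sit one indentation level deeper than the static `- hosts:` entry for `$authDomain` above them, which would make the rendered manifest invalid as soon as `ingress.tls` is non-empty (the default `[]` hides this from lint); the collapsed whitespace here makes that a best reading, so please confirm by rendering with one `ingress.tls` entry. The `secretName: {{ .Values.auth.tls.secretName -}}` entry is emitted unconditionally although nothing in the chart creates that secret; when it is missing, most controllers silently fall back to their default certificate for the auth host, so either document that it must pre-exist or wrap the value in `required`.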
@@ -0,0 +1,112 @@ +{{- if or .Values.proxy.customSecret .Values.proxy.secret -}} +{{- $fullName := include "buzzfeed-sso.fullname" . -}} +{{- $proxySecret := .Values.proxy.customSecret | default ($fullName) -}} +{{- $name := include "buzzfeed-sso.name" . -}} +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: {{ $fullName }}-proxy + labels: + app: {{ $name }} + chart: {{ template "buzzfeed-sso.chart" . }} + component: {{ $name }}-proxy + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.proxy.replicaCount }} + selector: + matchLabels: + app: {{ $name }} + component: {{ $name }}-proxy + release: {{ .Release.Name }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- with .Values.proxy.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + labels: + app: {{ $name }} + component: {{ $name }}-proxy + release: {{ .Release.Name }} + spec: + volumes: + - name: {{ $fullName }} + configMap: + name: {{ $fullName }} + containers: + - name: {{ .Chart.Name }}-proxy + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["/bin/sso-proxy"] + ports: + - name: http + containerPort: 8080 + protocol: TCP + env: + - name: CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ $proxySecret }} + key: proxy-client-id + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ $proxySecret }} + key: proxy-client-secret + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ $proxySecret }} + key: proxy-cookie-secret + - name: EMAIL_DOMAIN + value: {{ .Values.emailDomain | quote }} + - name: UPSTREAM_CONFIGS + value: /sso/upstream_configs.yml + - name: PROVIDER_URL + value: https://{{ .Values.auth.domain }} + # STATSD_HOST and STATSD_PORT must be defined or the app wont launch, they 
dont need to be a real host / port, but they do need to be defined. + - name: STATSD_HOST + value: localhost + - name: STATSD_PORT + value: "11111" + - name: COOKIE_SECURE + value: "true" + - name: CLUSTER + value: {{ .Values.proxy.cluster | quote }} + {{- if .Values.proxy.providerUrlInternal }} + - name: PROVIDER_URL_INTERNAL + value: {{ .Values.proxy.providerUrlInternal | quote }} + {{- end }} + readinessProbe: + httpGet: + path: /ping + port: 4180 + scheme: HTTP + livenessProbe: + httpGet: + path: /ping + port: 4180 + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 + volumeMounts: + - name: {{ $fullName }} + mountPath: /sso + resources: +{{ toYaml .Values.proxy.resources | indent 12 }} + {{- with .Values.proxy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.proxy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.proxy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} diff --git a/incubator/buzzfeed-sso/templates/proxy-service.yaml b/incubator/buzzfeed-sso/templates/proxy-service.yaml new file mode 100644 index 000000000000..2bf38711f080 --- /dev/null +++ b/incubator/buzzfeed-sso/templates/proxy-service.yaml @@ -0,0 +1,22 @@ +{{- $name := include "buzzfeed-sso.name" . -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "buzzfeed-sso.fullname" . }}-proxy + labels: + app: {{ $name }} + chart: {{ template "buzzfeed-sso.chart" . }} + component: {{ $name }}-proxy + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.proxy.service.type }} + ports: + - name: http + port: {{ .Values.proxy.service.port }} + targetPort: 4180 + protocol: TCP + selector: + app: {{ $name }} + component: {{ $name }}-proxy + release: {{ .Release.Name }} diff --git a/incubator/buzzfeed-sso/templates/secret.yaml b/incubator/buzzfeed-sso/templates/secret.yaml new file mode 100644 index 000000000000..6c27d77240c0 --- /dev/null 
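Review bot: `containerPort: 8080` disagrees with the readiness and liveness probes, which hit `port: 4180`, and with `targetPort: 4180` in proxy-service.yaml on this same line; the probes and the Service are what actually carry traffic, so the declared container port looks wrong and should match them (or, if 8080 is the real listen port, the probes and Service are targeting nothing). As with the auth deployment, no `securityContext` is set for a container that holds the proxy client secret and cookie secret.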
+++ b/incubator/buzzfeed-sso/templates/secret.yaml
@@ -0,0 +1,22 @@
+{{- if or .Values.auth.secret .Values.proxy.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "buzzfeed-sso.fullname" . }}
+ labels:
+ app: {{ template "buzzfeed-sso.name" . }}
+ chart: {{ template "buzzfeed-sso.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+type: Opaque
+data:
+{{- with .Values.proxy.secret }}
+ proxy-client-id: {{ .clientId | b64enc }}
+ proxy-client-secret: {{ .clientSecret | b64enc }}
+ proxy-cookie-secret: {{ .cookieSecret | b64enc }}
+{{- end }}
+{{- with .Values.auth.secret }}
+ auth-code-secret: {{ .codeSecret | b64enc }}
+ auth-cookie-secret: {{ .cookieSecret | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/incubator/buzzfeed-sso/values.yaml b/incubator/buzzfeed-sso/values.yaml
new file mode 100644
index 000000000000..dfaf3c1ca54d
--- /dev/null
+++ b/incubator/buzzfeed-sso/values.yaml
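Review bot: This single Secret is the default source for both deployments, but its two halves are rendered independently: if `auth.secret` is set while the proxy uses `customSecret`, the object carries only the `auth-*` keys, yet auth-deployment.yaml still reads `proxy-client-id` and `proxy-client-secret` from `$authSecret` (this same object), so the auth pod sits in CreateContainerConfigError. Either have auth-deployment.yaml take `PROXY_CLIENT_ID`/`PROXY_CLIENT_SECRET` from `$proxySecret`, or state in NOTES.txt and the README that an auth secret must always contain all four keys.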
@@ -0,0 +1,98 @@ +# Default values for buzzfeed-sso. + +emailDomain: "" # Required. e.g "email.mydomain.foo" +rootDomain: "" # Required. e.g "mydomain.foo" + +auth: + annotations: {} + domain: "" # Required. e.g "sso-auth.mydomain.foo" + replicaCount: 1 + resources: + limits: + memory: "256Mi" + cpu: "200m" + nodeSelector: {} + tolerations: [] + affinity: {} + service: + type: ClusterIP + port: 80 + # Generate these secrets with the command: + # 'openssl rand -base64 32 | head -c 32 | base64' + secret: {} # Required (if customSecret is not set) + # codeSecret: '' + # cookieSecret: '' + # # Or if you do not want to create the secret via helm + # customSecret: my-sso-auth-secret + tls: + secretName: sso-auth-tls-secret + +proxy: + annotations: {} + # providerUrlInternal: https://sso-auth.mydomain.com + cluster: dev + replicaCount: 1 + resources: + limits: + memory: "256Mi" + cpu: "200m" + nodeSelector: {} + tolerations: [] + affinity: {} + service: + type: ClusterIP + port: 80 + # Generate these secrets with the command: + # 'openssl rand -base64 32 | head -c 32 | base64' + secret: {} # Required (if customSecret is not set) + # clientId: '' + # clientSecret: '' + # cookieSecret: '' + # # Or if you do not want to create the secret via helm + # customSecret: my-sso-proxy-secret + +provider: + google: {} # Required. 
+ # google: + # adminEmail: me@mydomain.foo + # secret: + # clientId: foo123123-fake123123.apps.googleusercontent.com + # clientSecret: googleOauthClientSecret + # serviceAccount: 'service account content in JSON format' + # # Or if you do not want to create the secret via helm + # google: + # adminEmail: me@mydomain.foo + # customSecret: my-sso-google-secret + +image: + repository: buzzfeed/sso + tag: v1.1.0 + pullPolicy: IfNotPresent + +ingress: + annotations: {} + # kubernetes.io/ingress.class: nginx + # certmanager.k8s.io/cluster-issuer: my-letsencrypt-issuer + # ingress.kubernetes.io/ssl-redirect: "true" + hosts: [] + # - domain: mybackend.mydomain.foo + # path: / + tls: [] + # - secretName: mybackend-mydomain-tls + # hosts: + # - mybackend.mydomain.foo + +upstreams: [] +# See https://github.com/buzzfeed/sso/blob/f437f237ac977201f15868601c9bc0e9dff11f40/docs/sso_config.md#proxy-config +# - service: mybackend +# default: +# from: mybackend.mydomain.foo +# to: http://mybackend.mynamespace.svc.cluster.local:9091 +# options: +# allowed_groups: +# - sso-test-group-1@example.com +# - sso-test-group-2@example.com +# skip_auth_regex: +# - ^\/github-webhook\/$ +# header_overrides: +# X-Frame-Options: DENY diff --git a/incubator/kube-spot-termination-notice-handler/.helmignore b/incubator/cassandra-reaper/.helmignore similarity index 100% rename from incubator/kube-spot-termination-notice-handler/.helmignore rename to incubator/cassandra-reaper/.helmignore diff --git a/incubator/cassandra-reaper/Chart.yaml b/incubator/cassandra-reaper/Chart.yaml new file mode 100644 index 000000000000..01706cd2c49b --- /dev/null +++ b/incubator/cassandra-reaper/Chart.yaml 
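Review bot: `auth.tls.secretName` defaults to `sso-auth-tls-secret`, which ingress.yaml references but nothing in the chart creates; the comment should say that the secret must exist in the release namespace (or be issued through `ingress.annotations` by cert-manager), otherwise the auth host is served with the controller's default certificate. The inline examples for `secret` should also steer readers toward `customSecret` for the Google client secret and service-account JSON, since values supplied inline are stored with the release.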
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: 1.3.0
+description: Reaper is a centralized, stateful, and highly configurable tool for running Apache Cassandra repairs against single or multi-site clusters.
+name: cassandra-reaper
+home: http://cassandra-reaper.io/
+keywords:
+ - cassandra
+version: 0.2.0
+maintainers:
+ - name: kamsz
+ email: kamil@szczygiel.io
+engine: gotpl
diff --git a/incubator/cassandra-reaper/OWNERS b/incubator/cassandra-reaper/OWNERS
new file mode 100644
index 000000000000..abbcc2e89966
--- /dev/null
+++ b/incubator/cassandra-reaper/OWNERS
@@ -0,0 +1,6 @@
+approvers:
+- kamsz
+- reillybrogan
+reviewers:
+- kamsz
+- reillybrogan
diff --git a/incubator/cassandra-reaper/README.md b/incubator/cassandra-reaper/README.md
new file mode 100644
index 000000000000..4b99e4429747
--- /dev/null
+++ b/incubator/cassandra-reaper/README.md
@@ -0,0 +1,53 @@ +# Cassandra +A cassandra-reaper Chart for Kubernetes + +## Install Chart +To install the cassandra-reaper Chart into your Kubernetes cluster + +```bash +helm install --namespace cassandra -n cassandra-reaper incubator/cassandra-reaper +``` + +If you want to delete your Chart, use this command +```bash +helm delete --purge cassandra-reaper +``` + +## Configuration + +The following table lists the configurable parameters of the cassandra-reaper chart and their default values. + +To properly configure `cassandra-reaper`, please refer to [the environment variables documentation](http://cassandra-reaper.io/docs/configuration/docker_vars/). + +As `cassandra-reaper` currently lacks an authentication mechanism basic auth support is provided (whether this will work for you is dependent on your chosen ingress +controller). Check your ingress controllers documentation for how to specifically configure this as each implementation is slightly different. Note that you need to +provide a base64-encoded version of the auth string if you enable this feature. + +Example: +```bash +htpassword -c ./auth myuser +cat ./auth | base64 +``` + + +| Parameter | Description | Default | +| -------------------------- | ------------------------------------------------------ | ---------------------------------------------------------- | +| `replicaCount` | The number of `cassandra-reaper` replicas | `1` | +| `image.repository` | `cassandra-reaper` image repository | `thelastpickle/cassandra-reaper` | +| `image.tag` | `cassandra-reaper` image tag | `1.3.0` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `service.type` | Kubernetes service type exposing ports, e.g. 
`NodePort`| `ClusterIP` | +| `ingress.enabled` | Enable Ingress resource | `false` | +| `ingress.annotations` | Annotations for Ingress resource | `{}` | +| `ingress.labels` | Additional labels for Ingress resource | `{}` | +| `ingress.path` | Path for Ingress resource | `/` | +| `ingress.hosts` | Ingress resource hosts | `[]` | +| `ingress.tls` | Ingress resource TLS definition | `[]` | +| `ingress.basicAuth.enabled`| Creates basic auth secret if true | `false` | +| `ingress.basicAuth.name` | Name of the basic auth secret resource | `basic-auth` | +| `ingress.basicAuth.secret` | Base64 encoded contents of the basic auth file | MUST be provided if basic auth is enabled | +| `env` | Environment variables | `{}` | +| `resources` | Resource requests/limits | `{}` | +| `nodeSelector` | Kubernetes node selector | `{}` | +| `tolerations` | Kubernetes node tolerations | `[]` | +| `affinity` | Kubernetes node affinity | `{}` | diff --git a/incubator/cassandra-reaper/templates/_helpers.tpl b/incubator/cassandra-reaper/templates/_helpers.tpl new file mode 100644 index 000000000000..5deeb223aed5 --- /dev/null +++ b/incubator/cassandra-reaper/templates/_helpers.tpl 
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cassandra-reaper.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cassandra-reaper.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cassandra-reaper.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/incubator/cassandra-reaper/templates/deployment.yaml b/incubator/cassandra-reaper/templates/deployment.yaml
new file mode 100644
index 000000000000..0db5ff57a10f
--- /dev/null
+++ b/incubator/cassandra-reaper/templates/deployment.yaml
@@ -0,0 +1,65 @@ +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: {{ include "cassandra-reaper.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "cassandra-reaper.name" . }} + helm.sh/chart: {{ include "cassandra-reaper.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "cassandra-reaper.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "cassandra-reaper.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + {{- range $key, $value := .Values.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + - name: api + containerPort: 8081 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: api + initialDelaySeconds: 60 + periodSeconds: 20 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: / + port: api + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + resources: +{{ toYaml .Values.resources | indent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/incubator/cassandra-reaper/templates/ingress.yaml b/incubator/cassandra-reaper/templates/ingress.yaml new file mode 100644 index 000000000000..a96c3ac27378 --- /dev/null +++ b/incubator/cassandra-reaper/templates/ingress.yaml 
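Review bot: Every entry of `.Values.env` is rendered as a plain `value: {{ $value | quote }}`, and Reaper is configured entirely through the environment variables the README links to, which include database credentials, so anyone who enables Cassandra or JMX authentication this way ends up with passwords in clear text in the Deployment manifest and in the stored release values. Accepting `valueFrom`/`secretKeyRef` entries, or adding an `envFrom: - secretRef: { name: <existing secret> }` option, keeps them in a Secret. A `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`) driven from values would also be worth adding while the template is new.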
@@ -0,0 +1,39 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "cassandra-reaper.fullname" . -}}
+{{- $ingressPath := .Values.ingress.path -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ app.kubernetes.io/name: {{ include "cassandra-reaper.name" . }}
+ helm.sh/chart: {{ include "cassandra-reaper.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{ toYaml .Values.ingress.labels | indent 4 }}
+{{- with .Values.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+{{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+{{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ . | quote }}
+ http:
+ paths:
+ - path: {{ $ingressPath }}
+ backend:
+ serviceName: {{ $fullName }}
+ servicePort: http
+ {{- end }}
+{{- end }}
diff --git a/incubator/cassandra-reaper/templates/secret.yaml b/incubator/cassandra-reaper/templates/secret.yaml
new file mode 100644
index 000000000000..53b9593e2bb1
--- /dev/null
+++ b/incubator/cassandra-reaper/templates/secret.yaml
@@ -0,0 +1,14 @@
+{{- if and (.Values.ingress.enabled) (.Values.ingress.basicAuth.enabled) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.ingress.basicAuth.name | default "basic-auth" }}
+ labels:
+ app.kubernetes.io/name: {{ include "cassandra-reaper.name" . }}
+ helm.sh/chart: {{ include "cassandra-reaper.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+ auth: {{ required ".Values.ingress.basicAuth.secret is required when basicAuth is enabled" .Values.ingress.basicAuth.secret }}
+{{- end }}
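Review bot: `{{ toYaml .Values.ingress.labels | indent 4 }}` with the default `labels: {}` emits a bare `{}` line inside the `labels:` block mapping, which is not valid YAML, so enabling the ingress without overriding `ingress.labels` should fail to apply (lint does not see it because `ingress.enabled` defaults to false). Wrap it as `{{- with .Values.ingress.labels }}` / `{{ toYaml . | indent 4 }}` / `{{- end }}`, as is already done for annotations a few lines below. Separately, enabling `ingress.basicAuth` only creates the Secret; nothing ties it to this Ingress, so a user who omits the controller-specific annotation gets an unauthenticated endpoint with no warning — the README sentence about ingress controllers is the place to make that explicit, or NOTES.txt could print a reminder when `basicAuth.enabled` is true.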
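Review bot: The Secret name defaults to the release-independent literal `basic-auth` (`{{ .Values.ingress.basicAuth.name | default "basic-auth" }}`), so a second release of this chart in the same namespace collides with the first and Helm either refuses to install or adopts the other release's object; a release-scoped default such as `{{ include "cassandra-reaper.fullname" . }}-basic-auth` avoids that, with `basicAuth.name` kept as the override for controllers that expect a fixed name. `required` only checks presence, so a non-encoded htpasswd line passes rendering and fails at apply time; a word about that in the values comment would save a round trip.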
diff --git a/incubator/cassandra-reaper/templates/service.yaml b/incubator/cassandra-reaper/templates/service.yaml new file mode 100644 index 000000000000..cf54babd06df --- /dev/null +++ b/incubator/cassandra-reaper/templates/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "cassandra-reaper.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "cassandra-reaper.name" . }} + helm.sh/chart: {{ include "cassandra-reaper.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + type: {{ .Values.service.type }} + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "cassandra-reaper.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/incubator/cassandra-reaper/values.yaml b/incubator/cassandra-reaper/values.yaml new file mode 100644 index 000000000000..f147e72027b3 --- /dev/null +++ b/incubator/cassandra-reaper/values.yaml @@ -0,0 +1,40 @@ +# Default values for cassandra-reaper. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +nameOverride: "" +fullnameOverride: "" + +replicaCount: 1 + +image: + repository: thelastpickle/cassandra-reaper + tag: 1.3.0 + pullPolicy: IfNotPresent + +service: + type: ClusterIP + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + hosts: [] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + basicAuth: + enabled: false + name: ~ + # base64 encoded version of the basic auth file + secret: ~ + +env: {} +resources: {} +nodeSelector: {} +tolerations: [] +affinity: {} diff --git a/incubator/cassandra/Chart.yaml b/incubator/cassandra/Chart.yaml index 16fd4b92ed8d..0b9a2e38f667 100644 --- a/incubator/cassandra/Chart.yaml +++ b/incubator/cassandra/Chart.yaml 
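Review bot: `ingress.basicAuth.secret` takes the htpasswd credential itself as a chart value, so it lands in every values file and in the stored release values whenever basic auth is used; an `existingSecret`-style option (the name of a pre-created Secret, with the chart's own Secret template skipped when it is set) is the usual way to let operators keep it out of Helm. The comment `# base64 encoded version of the basic auth file` could also say which Secret key the controller reads (`auth`), since the README only shows the encoding step.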
@@ -1,5 +1,6 @@
+apiVersion: v1
 name: cassandra
-version: 0.10.3
+version: 0.12.2
 appVersion: 3.11.3
 description: Apache Cassandra is a free and open-source distributed database management system designed to handle large amounts of data across many commodity servers, providing
@@ -13,4 +14,6 @@ home: http://cassandra.apache.org
 maintainers:
 - name: KongZ
 email: goonohc@gmail.com
+- name: maorfr
+ email: maor.friedman@redhat.com
 engine: gotpl
diff --git a/incubator/cassandra/README.md b/incubator/cassandra/README.md
index 6cdbb8aa0cd4..c33754b49033
--- a/incubator/cassandra/README.md
+++ b/incubator/cassandra/README.md
@@ -19,6 +19,24 @@ If you want to delete your Chart, use this command
 helm delete --purge "cassandra"
 ```
+## Upgrading
+
+To upgrade your Cassandra release, simply run
+
+```bash
+helm upgrade "cassandra" incubator/cassandra
+```
+
+### 0.12.0
+
+This version fixes https://github.com/helm/charts/issues/7803 by removing mutable labels in `spec.VolumeClaimTemplate.metadata.labels` so that it is upgradable.
+
+Until this version, in order to upgrade, you have to delete the Cassandra StatefulSet before upgrading:
+```bash
+$ kubectl delete statefulset --cascade=false my-cassandra-release
+```
+
+
 ## Persist data
 You need to create `StorageClass` before able to persist data in persistent volume. To create a `StorageClass` on Google Cloud, run the following
@@ -88,6 +106,7 @@ The following table lists the configurable parameters of the Cassandra chart and
 | `config.cluster_name` | The name of the cluster. | `cassandra` |
 | `config.cluster_size` | The number of nodes in the cluster. | `3` |
 | `config.seed_size` | The number of seed nodes used to bootstrap new clients joining the cluster. | `2` |
+| `config.seeds` | The comma-separated list of seed nodes. | Automatically generated according to `.Release.Name` and `config.seed_size` |
 | `config.num_tokens` | Initdb Arguments | `256` |
 | `config.dc_name` | Initdb Arguments | `DC1` |
 | `config.rack_name` | Initdb Arguments | `RAC1` |
@@ -128,17 +147,19 @@ The following table lists the configurable parameters of the Cassandra chart and
 | `backup.enabled` | Enable backup on chart installation | `false` |
 | `backup.schedule` | Keyspaces to backup, each with cron time | |
 | `backup.annotations` | Backup pod annotations | iam.amazonaws.com/role: `cain` |
-| `backup.image.repo` | Backup image repository | `nuvo/cain` |
-| `backup.image.tag` | Backup image tag | `0.4.1` |
+| `backup.image.repository` | Backup image repository | `maorfr/cain` |
+| `backup.image.tag` | Backup image tag | `0.6.0` |
 | `backup.extraArgs` | Additional arguments for cain | `[]` |
 | `backup.env` | Backup environment variables | AWS_REGION: `us-east-1` |
 | `backup.resources` | Backup CPU/Memory resource requests/limits | Memory: `1Gi`, CPU: `1` |
 | `backup.destination` | Destination to store backup artifacts | `s3://bucket/cassandra` |
+| `backup.google.serviceAccountSecret` | Secret containing credentials if GCS is used as destination | |
 | `exporter.enabled` | Enable Cassandra exporter | `false` |
 | `exporter.image.repo` | Exporter image repository | `criteord/cassandra_exporter` |
 | `exporter.image.tag` | Exporter image tag | `2.0.2` |
 | `exporter.port` | Exporter port | `5556` |
 | `exporter.jvmOpts` | Exporter additional JVM options | |
+| `exporter.resources` | Exporter CPU/Memory resource requests/limits | `{}` |
 | `affinity` | Kubernetes node affinity | `{}` |
 | `tolerations` | Kubernetes node tolerations | `[]` |
diff --git a/incubator/cassandra/templates/backup/cronjob.yaml b/incubator/cassandra/templates/backup/cronjob.yaml
index 36461f6ab80e..28d7b1419136
--- a/incubator/cassandra/templates/backup/cronjob.yaml
+++ b/incubator/cassandra/templates/backup/cronjob.yaml
@@ -7,7 +7,7 @@
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
- name: {{ template "cassandra.fullname" $ }}-backup-{{ $schedule.keyspace }}
+ name: {{ template "cassandra.fullname" $ }}-backup-{{ $schedule.keyspace | replace "_" "-" }}
 labels:
 app: {{ template "cassandra.name" $ }}-cain
 chart: {{ template "cassandra.chart" $ }}
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: {{ template "cassandra.serviceAccountName" $ }}
 containers:
 - name: cassandra-backup
- image: "{{ $backup.image.repos }}:{{ $backup.image.tag }}"
+ image: "{{ $backup.image.repository }}:{{ $backup.image.tag }}"
 command: ["cain"]
 args:
 - backup
@@ -42,15 +42,30 @@ spec:
 - {{ $backup.destination }}
 {{- with $backup.extraArgs }}
 {{ toYaml . | indent 12 }}
- {{- end }}
- {{- with $backup.env }}
+ {{- end }}
 env:
+{{- if $backup.google.serviceAccountSecret }}
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: "/etc/secrets/google/credentials.json"
+{{- end }}
+ {{- with $backup.env }}
 {{ toYaml . | indent 12 }}
 {{- end }}
 {{- with $backup.resources }}
 resources:
 {{ toYaml . | indent 14 }}
 {{- end }}
+{{- if $backup.google.serviceAccountSecret }}
+ volumeMounts:
+ - name: google-service-account
+ mountPath: /etc/secrets/google/
+{{- end }}
+{{- if $backup.google.serviceAccountSecret }}
+ volumes:
+ - name: google-service-account
+ secret:
+ secretName: {{ $backup.google.serviceAccountSecret | quote }}
+{{- end }}
 affinity:
 podAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
diff --git a/incubator/cassandra/templates/statefulset.yaml b/incubator/cassandra/templates/statefulset.yaml
index 412a4cbcf215..d2b47450b5ce
--- a/incubator/cassandra/templates/statefulset.yaml
+++ b/incubator/cassandra/templates/statefulset.yaml
@@ -30,6 +30,7 @@ spec:
 {{ toYaml .Values.podAnnotations | indent 8 }}
 {{- end }}
 spec:
+ hostNetwork: {{ .Values.hostNetwork }}
 {{- if .Values.selector }}
 {{ toYaml .Values.selector | indent 6 }}
 {{- end }}
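Review bot: `{{- if $backup.google.serviceAccountSecret }}` reaches into `google` before checking that the map exists, and the incubator/cassandra values.yaml hunk in this same commit only adds `google:` as a commented-out example, so a user who enables backups without defining `google` is likely to hit a nil-pointer template error on `.serviceAccountSecret` instead of having the block skipped; adding `google: {}` to values.yaml (or guarding with `{{- if and $backup.google $backup.google.serviceAccountSecret }}`) avoids that. The credentials mount at `mountPath: /etc/secrets/google/` has no `readOnly: true`, which is the usual setting for a mounted credential file. The same `if` is repeated for the volumeMounts and volumes blocks; the original indentation is not recoverable from this view, but `volumes:` must sit under the pod spec rather than the container, so the rendered output is worth checking. The enclosing CronJob spec continues outside the hunk.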
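Review bot: `hostNetwork: {{ .Values.hostNetwork }}` renders the value unquoted and unconditionally, so a values file that predates this key yields `hostNetwork:` with no value; `hostNetwork: {{ .Values.hostNetwork | default false }}` pins it to a real boolean. Since enabling host networking puts Cassandra's listeners directly on the node's interfaces and shares the node network namespace with the pod, a one-line comment on this line noting that it is also the switch that makes `config.seeds` mandatory (the CASSANDRA_SEEDS change in the next hunk) would help reviewers of values overrides. The enclosing pod spec continues outside the hunk.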
@@ -50,6 +51,8 @@ spec:
 {{- if .Values.exporter.enabled }}
 - name: cassandra-exporter
 image: "{{ .Values.exporter.image.repo }}:{{ .Values.exporter.image.tag }}"
+ resources:
+{{ toYaml .Values.exporter.resources | indent 10 }}
 env:
 - name: CASSANDRA_EXPORTER_CONFIG_listenPort
 value: {{ .Values.exporter.port | quote }}
@@ -86,7 +89,11 @@ spec:
 {{- $seed_size := default 1 .Values.config.seed_size | int -}}
 {{- $global := . }}
 - name: CASSANDRA_SEEDS
+ {{- if .Values.hostNetwork }}
+ value: {{ required "You must fill \".Values.config.seeds\" with list of Cassandra seeds when hostNetwork is set to true" .Values.config.seeds | quote }}
+ {{- else }}
 value: "{{- range $i, $e := until $seed_size }}{{ template "cassandra.fullname" $global }}-{{ $i }}.{{ template "cassandra.fullname" $global }}.{{ $global.Release.Namespace }}.svc.{{ $global.Values.config.cluster_domain }}{{- if (lt ( add1 $i ) $seed_size ) }},{{- end }}{{- end }}"
+ {{- end }}
 - name: MAX_HEAP_SIZE
 value: {{ default "8192M" .Values.config.max_heap_size | quote }}
 - name: HEAP_NEWSIZE
@@ -176,9 +183,7 @@ spec:
 name: data
 labels:
 app: {{ template "cassandra.name" . }}
- chart: {{ template "cassandra.chart" . }}
 release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
 spec:
 accessModes:
 - {{ .Values.persistence.accessMode | quote }}
diff --git a/incubator/cassandra/values.yaml b/incubator/cassandra/values.yaml
index 86cec364e33c..9607cab599b0
--- a/incubator/cassandra/values.yaml
+++ b/incubator/cassandra/values.yaml
@@ -148,8 +148,12 @@ serviceAccount:
 # If not set and create is true, a name is generated using the fullname template
 # name:
+# Use host network for Cassandra pods
+# You must pass seed list into config.seeds property if set to true
+hostNetwork: false
+
 ## Backup cronjob configuration
-## Ref: https://github.com/nuvo/cain
+## Ref: https://github.com/maorfr/cain
 backup:
 enabled: false
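Review bot: `resources:` followed by `{{ toYaml .Values.exporter.resources | indent 10 }}` is emitted even when the map is empty, whereas the backup cronjob template in this commit wraps the equivalent block in `{{- with $backup.resources }}` … `{{- end }}`. The unconditional form renders `resources:` with a `{}` value, which is valid but inconsistent with the rest of the chart; using the same `with` guard keeps the two templates aligned. The exporter container spec continues outside the hunk.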
@@ -167,11 +171,11 @@ backup:
 iam.amazonaws.com/role: cain
 image:
- repos: nuvo/cain
- tag: 0.4.1
+ repository: maorfr/cain
+ tag: 0.6.0
 # Additional arguments for cain
- # Ref: https://github.com/nuvo/cain#usage
+ # Ref: https://github.com/maorfr/cain#usage
 extraArgs: []
 # Add additional environment variables
@@ -188,10 +192,14 @@ backup:
 memory: 1Gi
 cpu: 1
+ # Name of the secret containing the credentials of the service account used by GOOGLE_APPLICATION_CREDENTIALS, as a credentials.json file
+ # google:
+ # serviceAccountSecret:
+
 # Destination to store the backup artifacts
- # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage
+ # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage, Google Cloud Storage
 # Additional support can added. Visit this repository for details
- # Ref: https://github.com/nuvo/skbn
+ # Ref: https://github.com/maorfr/skbn
 destination: s3://bucket/cassandra
 ## Cassandra exported configuration
@@ -203,3 +211,10 @@ exporter:
 tag: 2.0.2
 port: 5556
 jvmOpts: ""
+ resources: {}
+ # limits:
+ # cpu: 1
+ # memory: 1Gi
+ # requests:
+ # cpu: 1
+ # memory: 1Gi
diff --git a/incubator/couchdb/Chart.yaml b/incubator/couchdb/Chart.yaml
index 657d1d905d2e..1c2879c44ed3
--- a/incubator/couchdb/Chart.yaml
+++ b/incubator/couchdb/Chart.yaml
@@ -1,5 +1,6 @@
+apiVersion: v1
 name: couchdb
-version: 1.1.1
+version: 1.1.3
 appVersion: 2.3.0
 description: A database featuring seamless multi-master sync, that scales from big data to mobile, with an intuitive HTTP/JSON API and designed for
diff --git a/incubator/couchdb/README.md b/incubator/couchdb/README.md
index 7cd31a8b810d..9440d59295d7
--- a/incubator/couchdb/README.md
+++ b/incubator/couchdb/README.md
@@ -125,6 +125,7 @@ A variety of other parameters are also configurable. See the comments in the
 | `podManagementPolicy` | Parallel |
 | `affinity` | |
 | `resources` | |
+| `service.annotations` | |
 | `service.enabled` | true |
 | `service.type` | ClusterIP |
 | `service.externalPort` | 5984 |
diff --git a/incubator/couchdb/templates/service.yaml b/incubator/couchdb/templates/service.yaml
index 3393d0447b1f..d4325b903b56
--- a/incubator/couchdb/templates/service.yaml
+++ b/incubator/couchdb/templates/service.yaml
@@ -8,6 +8,10 @@ metadata:
 chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
+{{- if .Values.service.annotations }}
+ annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
 spec:
 ports:
 - port: {{ .Values.service.externalPort }}
diff --git a/incubator/couchdb/values.yaml b/incubator/couchdb/values.yaml
index d1a981696424..ee8c75457766
--- a/incubator/couchdb/values.yaml
+++ b/incubator/couchdb/values.yaml
@@ -77,6 +77,7 @@ affinity:
 ## chart without any additional configuration. The Service block below refers
 ## to a second Service that governs how clients connect to the CouchDB cluster.
 service:
+ # annotations:
 enabled: true
 type: ClusterIP
 externalPort: 5984
diff --git a/incubator/etcd/Chart.yaml b/incubator/etcd/Chart.yaml
index 20967c30527f..022384e13c17 100755
--- a/incubator/etcd/Chart.yaml
+++ b/incubator/etcd/Chart.yaml
@@ -1,6 +1,7 @@
+apiVersion: v1
 name: etcd
 home: https://github.com/coreos/etcd
-version: 0.6.2
+version: 0.6.3
 appVersion: 2.2.5
 description: Distributed reliable key-value store for the most critical data of a distributed system.
diff --git a/incubator/fluentd-cloudwatch/Chart.yaml b/incubator/fluentd-cloudwatch/Chart.yaml
index 36d329d3d9ad..89076e753650 100644
--- a/incubator/fluentd-cloudwatch/Chart.yaml
+++ b/incubator/fluentd-cloudwatch/Chart.yaml
@@ -1,6 +1,7 @@
+apiVersion: v1
 name: fluentd-cloudwatch
-version: 0.6.4
-appVersion: v0.12.43-cloudwatch
+version: 0.10.0
+appVersion: v1.3.3-debian-cloudwatch-1.0
 description: A Fluentd CloudWatch Helm chart for Kubernetes.
 home: https://www.fluentd.org/
 icon: https://raw.githubusercontent.com/fluent/fluentd-docs/master/public/logo/Fluentd_square.png
diff --git a/incubator/fluentd-cloudwatch/README.md b/incubator/fluentd-cloudwatch/README.md
index fec16b71722c..93d82cb3774f 100644
--- a/incubator/fluentd-cloudwatch/README.md
+++ b/incubator/fluentd-cloudwatch/README.md
@@ -46,30 +46,34 @@ The command removes all the Kubernetes components associated with the chart and
 The following table lists the configurable parameters of the Fluentd Cloudwatch chart and their default values.
-| Parameter | Description | Default |
-| ------------------------------- | ------------------------------------------------------------------------- | --------------------------------------|
-| `image.repository` | Image repository | `fluent/fluentd-kubernetes-daemonset` |
-| `image.tag` | Image tag | `v0.12.43-cloudwatch` |
-| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
-| `resources.limits.cpu` | CPU limit | `100m` |
-| `resources.limits.memory` | Memory limit | `200Mi` |
-| `resources.requests.cpu` | CPU request | `100m` |
-| `resources.requests.memory` | Memory request | `200Mi` |
-| `hostNetwork` | Host network | `false` |
-| `annotations` (removed for now) | Annotations | `nil` |
-| `awsRegion` | AWS Cloudwatch region | `us-east-1` |
-| `awsRole` | AWS IAM Role To Use | `nil` |
-| `awsAccessKeyId` | AWS Access Key Id of a AWS user with a policy to access Cloudwatch | `nil` |
-| `awsSecretAccessKey` | AWS Secret Access Key of a AWS user with a policy to access Cloudwatch | `nil` |
-| `fluentdConfig` | Fluentd configuration | `example configuration` |
-| `logGroupName` | AWS Cloudwatch log group | `kubernetes` |
-| `rbac.create` | If true, create & use RBAC resources | `false` |
-| `rbac.serviceAccountName` | existing ServiceAccount to use (ignored if rbac.create=true) | `default` |
-| `tolerations` | Add tolerations | `[]` |
-| `extraVars` | Add pod environment variables (must be specified as a single line object) | `[]` |
-| `updateStrategy` | Define daemonset update strategy | `OnDelete` |
-
-Starting with fluentd-kubernetes-daemonset v0.12.43-cloudwatch, the container runs as user fluentd. To be able to write pos files to the host system, you'll need to run fluentd as root. Add the following extraVars value to run as root.
+| Parameter | Description | Default |
+| ---------------------------- | ------------------------------------------------------------------------- | --------------------------------------|
+| `image.repository` | Image repository | `fluent/fluentd-kubernetes-daemonset` |
+| `image.tag` | Image tag | `v1.3.3-debian-cloudwatch-1.0` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `resources.limits.cpu` | CPU limit | `100m` |
+| `resources.limits.memory` | Memory limit | `200Mi` |
+| `resources.requests.cpu` | CPU request | `100m` |
+| `resources.requests.memory` | Memory request | `200Mi` |
+| `hostNetwork` | Host network | `false` |
+| `podAnnotations` | Annotations | `{}` |
+| `podSecurityContext` | Security Context | `{}` |
+| `awsRegion` | AWS Cloudwatch region | `us-east-1` |
+| `awsRole` | AWS IAM Role To Use | `nil` |
+| `awsAccessKeyId` | AWS Access Key Id of a AWS user with a policy to access Cloudwatch | `nil` |
+| `awsSecretAccessKey` | AWS Secret Access Key of a AWS user with a policy to access Cloudwatch | `nil` |
+| `fluentdConfig` | Fluentd configuration | `example configuration` |
+| `logGroupName` | AWS Cloudwatch log group | `kubernetes` |
+| `rbac.create` | If true, create & use RBAC resources | `false` |
+| `rbac.serviceAccountName` | existing ServiceAccount to use (ignored if rbac.create=true) | `default` |
+| `tolerations` | Add tolerations | `[]` |
+| `extraVars` | Add pod environment variables (must be specified as a single line object) | `[]` |
+| `updateStrategy` | Define daemonset update strategy | `OnDelete` |
+| `nodeSelector` | Node labels for pod assignment | `{}` |
+| `affinity` | Node affinity for pod assignment | `{}` |
+| `priorityClassName` | Set priority class for daemon set | `nil` |
+
+If using fluentd-kubernetes-daemonset v0.12.43-cloudwatch, the container runs as user fluentd. To be able to write pos files to the host system, you'll need to run fluentd as root. Add the following extraVars value to run as root.
```code
 "{ name: FLUENT_UID, value: '0' }"
diff --git a/incubator/fluentd-cloudwatch/templates/configmap.yaml b/incubator/fluentd-cloudwatch/templates/configmap.yaml
index b6f89a09ee8e..e6eac5077bc8 100644
--- a/incubator/fluentd-cloudwatch/templates/configmap.yaml
+++ b/incubator/fluentd-cloudwatch/templates/configmap.yaml
@@ -8,4 +8,4 @@ metadata:
 heritage: {{ .Release.Service | quote }}
 release: {{ .Release.Name | quote }}
 data:
- fluent.conf: {{ toYaml .Values.fluentdConfig | indent 2 }}
+{{ toYaml .Values.data | indent 2 }}
diff --git a/incubator/fluentd-cloudwatch/templates/daemonset.yaml b/incubator/fluentd-cloudwatch/templates/daemonset.yaml
index b72a6e1f472c..c517f40e8a1e 100644
--- a/incubator/fluentd-cloudwatch/templates/daemonset.yaml
+++ b/incubator/fluentd-cloudwatch/templates/daemonset.yaml
@@ -20,6 +20,8 @@ spec:
 {{ toYaml .Values.podAnnotations | indent 8 }}
 {{- end }}
 spec:
+ securityContext:
+{{ toYaml .Values.podSecurityContext | indent 8 }}
 serviceAccountName: {{ if .Values.rbac.create }}{{ template "fluentd-cloudwatch.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
 initContainers:
 - name: copy-fluentd-config
@@ -69,6 +71,9 @@ spec:
 readOnly: true
 - name: config
 mountPath: /fluentd/etc
+{{- if .Values.priorityClassName }}
+ priorityClassName: "{{ .Values.priorityClassName }}"
+{{- end }}
 terminationGracePeriodSeconds: 30
 volumes:
 - name: varlog
@@ -86,5 +91,13 @@ spec:
 tolerations:
 {{ toYaml .Values.tolerations | indent 6 }}
 {{- end }}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
 updateStrategy:
-{{ toYaml .Values.updateStrategy | indent 4 }}
\ No newline at end of file
+{{ toYaml .Values.updateStrategy | indent 4 }}
diff --git a/incubator/fluentd-cloudwatch/values.yaml b/incubator/fluentd-cloudwatch/values.yaml
index ebc8dc25bec8..5e09b03b3a23 100644
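Review bot: Replacing `fluent.conf: {{ toYaml .Values.fluentdConfig | indent 2 }}` with `{{ toYaml .Values.data | indent 2 }}` renames the user-facing value, so anyone who overrode `fluentdConfig` will silently get the chart's new default pipeline after upgrading, and a values file that sets neither key leaves the ConfigMap without a `fluent.conf` entry. The README table added in this same commit still documents `fluentdConfig` as "Fluentd configuration" and does not mention `data`; the table row and an upgrade note in the README should say which key is read now. A `required` guard on `.Values.data`, as the cassandra statefulset in this commit uses for `config.seeds`, would turn the silent misconfiguration into a render-time error.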
--- a/incubator/fluentd-cloudwatch/values.yaml
+++ b/incubator/fluentd-cloudwatch/values.yaml
@@ -1,6 +1,6 @@
 image:
 repository: fluent/fluentd-kubernetes-daemonset
- tag: v0.12.43-cloudwatch
+ tag: v1.3.3-debian-cloudwatch-1.0
 ## Specify an imagePullPolicy (Required)
 ## It's recommended to change this to 'Always' if the image tag is 'latest'
 ## ref: http://kubernetes.io/docs/user-guide/images/#updating-images
@@ -9,24 +9,52 @@ image:
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
 ##
-resources:
- limits:
- cpu: 100m
- memory: 200Mi
- requests:
- cpu: 100m
- memory: 200Mi
+resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+# cpu: 100m
+# memory: 200Mi
+# requests:
+# cpu: 100m
+# memory: 200Mi
 # hostNetwork: false
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+ # kubernetes.io/role: node
+# Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
+# Expects input structure as per specification for example:
+# affinity:
+# nodeAffinity:
+# requiredDuringSchedulingIgnoredDuringExecution:
+# nodeSelectorTerms:
+# - matchExpressions:
+# - key: foo.bar.com/role
+# operator: In
+# values:
+# - master
+affinity: {}
 ## Add tolerations if specified
 tolerations: []
 # - key: node-role.kubernetes.io/master
 # operator: Exists
 # effect: NoSchedule
+podSecurityContext: {}
+
 podAnnotations: {}
+# Pod priority
+# Sets PriorityClassName if defined.
+#
+# priorityClassName: "my-priority-class"
+
 awsRegion: us-east-1
 awsRole:
 awsAccessKeyId:
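Review bot: `resources: {}` drops the 100m/200Mi requests and limits that were the chart's defaults, while the README table added in this same commit still lists `resources.limits.cpu` through `resources.requests.memory` with those values as defaults. For a DaemonSet that runs on every node and tails host logs, an unbounded memory limit is a meaningful behavioural change for upgraders; the README rows should be updated to `nil`/unset and the change called out in an upgrade note. `podSecurityContext: {}` also gets no explanatory comment; a line such as `# e.g. runAsUser: 0 if fluentd must write pos files under /var/log` would tie it to the FLUENT_UID guidance in the README.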
@@ -46,146 +74,147 @@ extraVars: [] updateStrategy: type: OnDelete -fluentdConfig: | - - type null - - - - type tail - enable_stat_watcher false - path /var/log/containers/*.log - pos_file /var/log/fluentd-containers.log.pos - time_format %Y-%m-%dT%H:%M:%S.%NZ - tag kubernetes.* - format json - read_from_head true - - - - type tail - enable_stat_watcher false - format /^(?