From 7ef25c721db1fe1df88df69eeda9df859883983d Mon Sep 17 00:00:00 2001 From: Joel Bennett Date: Sat, 30 Sep 2023 13:18:10 -0400 Subject: [PATCH] Let's do it without logMonitor --- Initialize-Azure.ps1 | 6 +- apps/podinfo/deployment.yaml | 2 +- apps/podinfo/hpa.yaml | 2 +- apps/podinfo/ingress.yaml | 32 +- apps/podinfo/kustomization.yaml | 2 +- apps/podinfo/namespace.yaml | 2 +- apps/podinfo/service.yaml | 2 +- infrastructure/Cluster.bicep | 9 +- infrastructure/modules/users.bicep | 43 +- system/services/contour/kustomization.yaml | 12 - system/services/traefik/kustomization.yaml | 18 + .../mesh-release.yaml} | 13 +- .../{contour => traefik}/namespace.yaml | 2 +- system/services/traefik/repository.yaml | 8 + .../traefik/traefik-24.0.0-values.yaml | 929 ++++++++++++++++++ .../traefik/traefik-mesh-4.1.1-values.yaml | 209 ++++ system/services/traefik/traefik-release.yaml | 30 + .../{cert-manager => traefik}/valuesfrom.yaml | 0 .../cert-manager-0.12.5-values.yaml | 0 zisabled/cert-manager/clusterissuer.yaml | 25 + .../cert-manager/kustomization.yaml | 2 +- .../cert-manager/namespace.yaml | 0 .../cert-manager/release.yaml | 0 .../cert-manager}/valuesfrom.yaml | 0 zisabled/container-azm-ms-agentconfig.yaml | 210 ++++ .../contour/contour-13.1.0-values.yaml | 8 +- 26 files changed, 1489 insertions(+), 77 deletions(-) delete mode 100644 system/services/contour/kustomization.yaml create mode 100644 system/services/traefik/kustomization.yaml rename system/services/{contour/helm-release.yaml => traefik/mesh-release.yaml} (71%) rename system/services/{contour => traefik}/namespace.yaml (73%) create mode 100644 system/services/traefik/repository.yaml create mode 100644 system/services/traefik/traefik-24.0.0-values.yaml create mode 100644 system/services/traefik/traefik-mesh-4.1.1-values.yaml create mode 100644 system/services/traefik/traefik-release.yaml rename system/services/{cert-manager => traefik}/valuesfrom.yaml (100%) rename {system/services => zisabled}/cert-manager/cert-manager-0.12.5-values.yaml (100%) create mode 100644 zisabled/cert-manager/clusterissuer.yaml rename {system/services => zisabled}/cert-manager/kustomization.yaml (90%) rename {system/services => zisabled}/cert-manager/namespace.yaml (100%) rename system/services/cert-manager/helm-release.yaml => zisabled/cert-manager/release.yaml (100%) rename {system/services/contour => zisabled/cert-manager}/valuesfrom.yaml (100%) create mode 100644 zisabled/container-azm-ms-agentconfig.yaml rename {system/services => zisabled}/contour/contour-13.1.0-values.yaml (99%) diff --git a/Initialize-Azure.ps1 b/Initialize-Azure.ps1 index 0ae00b7..b187362 100644 --- a/Initialize-Azure.ps1 +++ b/Initialize-Azure.ps1 @@ -28,7 +28,7 @@ param( # "CiliumDataplanePreview" is not working as far as I can tell Get-AzProviderFeature -ProviderNamespace Microsoft.ContainerService -OutVariable enabledFeatures foreach ($feature in "AKS-KedaPreview", "AKSNetworkModePreview", "AzureOverlayPreview", - "EnableBlobCSIDriver", "EnableNetworkPolicy", "EnableWorkloadIdentityPreview", + "EnableBlobCSIDriver", "EnableNetworkPolicy", "EnableWorkloadIdentityPreview", "NRGLockdownPreview", "NodeOSUpgradeChannelPreview", "IPBasedLoadBalancerPreview") { if ($enabledFeatures.Name -notcontains $feature ) { Register-AzProviderFeature -FeatureName $feature -ProviderNamespace Microsoft.ContainerService @@ -38,7 +38,7 @@ foreach ($feature in "AKS-KedaPreview", "AKSNetworkModePreview", "AzureOverlayPr Get-AzProviderFeature -ProviderNamespace Microsoft.KubernetesConfiguration -OutVariable 
enabledFeatures foreach ($feature in "FluxConfigurations") { if ($enabledFeatures.Name -notcontains $feature ) { - Register-AzProviderFeature -FeatureName $feature -ProviderNamespace Microsoft.ContainerService + Register-AzProviderFeature -FeatureName $feature -ProviderNamespace Microsoft.KubernetesConfiguration } } @@ -69,7 +69,7 @@ gh secret set --repo https://github.com/$repo AZURE_RG -b $resourceGroupName # gh secret set --repo https://github.com/$repo USER_OBJECT_ID -b $spId # This stuff doesn't HAVE to be done... -$admins = (Get-AzADGroup -Filter "DisplayName eq 'AksAdmins'") ?? +$admins = (Get-AzADGroup -Filter "DisplayName eq 'AksAdmins'") ?? (New-AzADGroup -DisplayName AksAdmins -MailNickname AksAdmins -Description "Kubernetes Admins") gh secret set --repo https://github.com/$repo ADMIN_GROUP_ID -b $admins.Id \ No newline at end of file diff --git a/apps/podinfo/deployment.yaml b/apps/podinfo/deployment.yaml index ee26800..962ef23 100644 --- a/apps/podinfo/deployment.yaml +++ b/apps/podinfo/deployment.yaml @@ -1,5 +1,5 @@ -apiVersion: apps/v1 kind: Deployment +apiVersion: apps/v1 metadata: name: podinfo spec: diff --git a/apps/podinfo/hpa.yaml b/apps/podinfo/hpa.yaml index 1889962..2f2e28e 100644 --- a/apps/podinfo/hpa.yaml +++ b/apps/podinfo/hpa.yaml @@ -1,5 +1,5 @@ -apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler +apiVersion: autoscaling/v2 metadata: name: podinfo spec: diff --git a/apps/podinfo/ingress.yaml b/apps/podinfo/ingress.yaml index 7595a99..7be5183 100644 --- a/apps/podinfo/ingress.yaml +++ b/apps/podinfo/ingress.yaml @@ -15,8 +15,8 @@ # number: 9000 # pathType: Prefix # --- -kind: Ingress apiVersion: networking.k8s.io/v1 +kind: Ingress metadata: name: podinfo namespace: podinfo @@ -33,18 +33,18 @@ spec: name: podinfo port: name: http ---- -kind: IngressBackend -apiVersion: policy.openservicemesh.io/v1alpha1 -metadata: - name: podinfo - namespace: podinfo -spec: - backends: - - name: podinfo - port: - number: 80 # targetPort of podinfo service - protocol: http - sources: - - kind: IPRange - name: 10.0.0.0/8 +# --- +# kind: IngressBackend +# apiVersion: policy.openservicemesh.io/v1alpha1 +# metadata: +# name: podinfo +# namespace: podinfo +# spec: +# backends: +# - name: podinfo +# port: +# number: 80 # targetPort of podinfo service +# protocol: http +# sources: +# - kind: IPRange +# name: 10.0.0.0/8 diff --git a/apps/podinfo/kustomization.yaml b/apps/podinfo/kustomization.yaml index ad62233..cd3dd58 100644 --- a/apps/podinfo/kustomization.yaml +++ b/apps/podinfo/kustomization.yaml @@ -1,5 +1,5 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 namespace: podinfo resources: - namespace.yaml diff --git a/apps/podinfo/namespace.yaml b/apps/podinfo/namespace.yaml index acc2e5c..9674f67 100644 --- a/apps/podinfo/namespace.yaml +++ b/apps/podinfo/namespace.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 kind: Namespace +apiVersion: v1 metadata: name: podinfo \ No newline at end of file diff --git a/apps/podinfo/service.yaml b/apps/podinfo/service.yaml index 0d26eca..a26aa07 100644 --- a/apps/podinfo/service.yaml +++ b/apps/podinfo/service.yaml @@ -1,5 +1,5 @@ -apiVersion: v1 kind: Service +apiVersion: v1 metadata: name: podinfo spec: diff --git a/infrastructure/Cluster.bicep b/infrastructure/Cluster.bicep index 18bd2bf..f360e14 100644 --- a/infrastructure/Cluster.bicep +++ b/infrastructure/Cluster.bicep @@ -43,6 +43,7 @@ param dnsServiceIP string = '10.100.0.10' @description('Optional. Pod CIDR for this cluster. 
Defaults to: 10.192.0.0/16')
 param podCidr string = '10.192.0.0/16'
+/*
 @description('The Log Analytics retention period')
 param logRetentionInDays int = 30
@@ -56,6 +57,7 @@ param diagnosticCategories array = [
   'kube-audit-admin'
   'guard'
 ]
+*/
 @description('Optional. The AKS AutoscaleProfile has complex defaults I expect to change in production.')
 param AutoscaleProfile object = {
@@ -167,6 +169,7 @@ var deploymentName = deployment().name
 //   ]
 // }
+// The actual cluster's identity does not need federation
 module uai 'modules/userAssignedIdentity.bicep' = {
   name: '${deploymentName}_uai'
   params: {
@@ -290,6 +293,6 @@ output userAssignedIdentityPrincipalId string = uai.outputs.principalId
 @description('User Assigned Identity Client ID, used for application config (so we can use this identity from code)')
 output userAssignedIdentityClientId string = uai.outputs.clientId
-output LogAnalyticsName string = logAnalytics.name
-output LogAnalyticsGuid string = logAnalytics.properties.customerId
-output LogAnalyticsId string = logAnalytics.id
+// output LogAnalyticsName string = logAnalytics.name
+// output LogAnalyticsGuid string = logAnalytics.properties.customerId
+// output LogAnalyticsId string = logAnalytics.id
diff --git a/infrastructure/modules/users.bicep b/infrastructure/modules/users.bicep
index e3fd4ee..257c304 100644
--- a/infrastructure/modules/users.bicep
+++ b/infrastructure/modules/users.bicep
@@ -1,8 +1,14 @@
 // ATTENTION PERSON WHO COPIES THIS IN THE FUTURE:
-// baseName MUST be hard-coded here (change "Required" to "Optional" and uncomment the deffinition)
-// baseName MUST also match the name of your app in Kubernetes (do not leave it as an empty string!)
-@description('Required. The base name')
-param baseName string // = ''
+// namespace MUST be hard-coded here (change "Required" to "Optional" and uncomment the definition)
+// namespace MUST match the namespace of your app in Kubernetes (do not leave it as an empty string!)
+@description('Required. The Kubernetes namespace for your user')
+param namespace string // = ''
+
+@description('Optional. The name of the service account. Defaults to: namespace-workload-identity')
+param serviceAccountName string = '${namespace}-workload-identity'
+
+@description('Required. The OpenID Connect Issuer URL. E.g. aks.oidcIssuerUrl')
+param oidcIssuerUrl string
 
 // 63 is our max deployment name, and the longest name in our sub-deployments is 12 characters, 63-12 = 51
 @description('Optional. Provide unique deployment name prefix for the module references. Defaults to take(deploymentName().name, 51)')
@@ -15,30 +21,15 @@ param location string = resourceGroup().location
 @description('Optional. Override default tagging with your own tags. Defaults to resourceGroup().tags')
 param tags object = resourceGroup().tags
 
-module names 'br/lookups:names:7' = {
-  name: '${deploymentNamePrefix}__names'
-  params: {
-    baseName: baseName
-    location: location
-  }
-}
-
-module cluster 'br/lookups:akscluster:1' = {
-  name: '${deploymentNamePrefix}__cluster'
-  params: {
-    location: location
-  }
-}
-
-module uai 'br/resources:userassignedidentity:2.1.0' = {
+module uai 'userAssignedIdentity.bicep' = {
   name: '${deploymentNamePrefix}_uai'
   params: {
-    name: names.outputs.userAssignedIdentityName
+    baseName: '${namespace}-${serviceAccountName}'
     location: location
     tags: tags
     // This is the part that makes it work with AKS -- but the right-hand-side value must be YOUR workload identity
     azureADTokenExchangeFederatedIdentityCredentials: {
-      '${cluster.outputs.oidcIssuerUrl}': 'system:serviceaccount:${baseName}:${baseName}-workload-identity'
+      '${oidcIssuerUrl}': 'system:serviceaccount:${namespace}:${serviceAccountName}'
     }
   }
 }
@@ -70,14 +61,14 @@ module keyvault_kubelet_iam 'br/resources:resourceroleassignment:1.0.2' = {
 // */
 
 @description('The ResourceId is sometimes used for deployment scripts')
-output userAssignedResourceId string = uai.outputs.userAssignedResourceID
+output userAssignedResourceId string = uai.outputs.id
 
 @description('The PrincipalId is used for Azure Resource Role Assignements')
-output userAssignedIdentityPrincipalId string = uai.outputs.userAssignedIdentityPrincipalId
+output userAssignedIdentityPrincipalId string = uai.outputs.principalId
 
 @description('''User Assigned Client ID, put this in your patch-ServiceAccount.yaml:
 metadata:
-  name: ${app_name}-workload-identity
+  name: serviceAccountName
 annotations:
   azure.workload.identity/client-id: HERE''')
-output userAssignedIdentityClientId string = uai.outputs.userAssignedIdentityClientId
+output userAssignedIdentityClientId string = uai.outputs.clientId
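
Note on usage: the federated credential's subject ('system:serviceaccount:${namespace}:${serviceAccountName}') must match a ServiceAccount that actually exists in the cluster. A minimal sketch of that ServiceAccount, assuming a hypothetical podinfo namespace with the module's default workload-identity name, and a placeholder GUID where the userAssignedIdentityClientId output value goes:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: podinfo-workload-identity
      namespace: podinfo
      annotations:
        # placeholder -- use the userAssignedIdentityClientId output value here
        azure.workload.identity/client-id: 00000000-0000-0000-0000-000000000000

Pods that use this ServiceAccount also need the azure.workload.identity/use: "true" label so the AKS webhook injects the federated token.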
diff --git a/system/services/contour/kustomization.yaml b/system/services/contour/kustomization.yaml
deleted file mode 100644
index 6d5f7a2..0000000
--- a/system/services/contour/kustomization.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-resources:
-  - namespace.yaml
-  - helm-release.yaml
-
-configMapGenerator:
-  - name: contour-values
-    namespace: flux-system
-    files:
-      - values.yaml=contour-13.1.0-values.yaml
-
-configurations:
-  - valuesfrom.yaml
\ No newline at end of file
diff --git a/system/services/traefik/kustomization.yaml b/system/services/traefik/kustomization.yaml
new file mode 100644
index 0000000..0904736
--- /dev/null
+++ b/system/services/traefik/kustomization.yaml
@@ -0,0 +1,18 @@
+resources:
+  - namespace.yaml
+  - repository.yaml
+  #- mesh-release.yaml
+  - traefik-release.yaml
+
+configMapGenerator:
+  - name: mesh-values
+    namespace: flux-system
+    files:
+      - values.yaml=traefik-mesh-4.1.1-values.yaml
+  - name: traefik-values
+    namespace: flux-system
+    files:
+      - values.yaml=traefik-24.0.0-values.yaml
+
+configurations:
+  - valuesfrom.yaml
\ No newline at end of file
diff --git a/system/services/contour/helm-release.yaml b/system/services/traefik/mesh-release.yaml
similarity index 71%
rename from system/services/contour/helm-release.yaml
rename to system/services/traefik/mesh-release.yaml
index ee68da6..30d515c 100644
--- a/system/services/contour/helm-release.yaml
+++ b/system/services/traefik/mesh-release.yaml
@@ -1,20 +1,19 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
-  name: contour
+  name: traefik-mesh
   namespace: flux-system
 spec:
   interval: 30m
   timeout: 5m
-  releaseName: contour
-  
targetNamespace: contour + targetNamespace: ingress chart: spec: - chart: contour - version: "13.1.x" + chart: traefik-mesh + version: "4.x" sourceRef: kind: HelmRepository - name: bitnami + name: traefik namespace: flux-system interval: 12h install: @@ -27,4 +26,4 @@ spec: timeout: 5m valuesFrom: - kind: ConfigMap - name: contour-values \ No newline at end of file + name: mesh-values \ No newline at end of file diff --git a/system/services/contour/namespace.yaml b/system/services/traefik/namespace.yaml similarity index 73% rename from system/services/contour/namespace.yaml rename to system/services/traefik/namespace.yaml index e35ebd8..9011a7f 100644 --- a/system/services/contour/namespace.yaml +++ b/system/services/traefik/namespace.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: contour \ No newline at end of file + name: ingress \ No newline at end of file diff --git a/system/services/traefik/repository.yaml b/system/services/traefik/repository.yaml new file mode 100644 index 0000000..32db750 --- /dev/null +++ b/system/services/traefik/repository.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: traefik + namespace: flux-system +spec: + interval: 24h + url: https://traefik.github.io/charts \ No newline at end of file diff --git a/system/services/traefik/traefik-24.0.0-values.yaml b/system/services/traefik/traefik-24.0.0-values.yaml new file mode 100644 index 0000000..3deb0a8 --- /dev/null +++ b/system/services/traefik/traefik-24.0.0-values.yaml @@ -0,0 +1,929 @@ +# Default values for Traefik +image: + # -- Traefik image host registry + registry: docker.io + # -- Traefik image repository + repository: traefik + # -- defaults to appVersion + tag: "" + # -- Traefik image pull policy + pullPolicy: IfNotPresent + +# -- Add additional label to all resources +commonLabels: {} + +# +# Configure the deployment +# +deployment: + # -- Enable deployment + enabled: true + # -- Deployment or DaemonSet + kind: Deployment + # -- Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 + # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # revisionHistoryLimit: 1 + # -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 + # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 + ## Override the liveness/readiness port. This is useful to integrate traefik + ## with an external Load Balancer that performs healthchecks. + ## Default: ports.traefik.port + # healthchecksPort: 9000 + ## Override the liveness/readiness scheme. Useful for getting ping to + ## respond on websecure entryPoint. + # healthchecksScheme: HTTPS + # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} + # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # -- Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} + # -- Additional containers (e.g. 
for metric offloading sidecars) + additionalContainers: [] + # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host + # - name: socat-proxy + # image: alpine/socat:1.0.5 + # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] + # volumeMounts: + # - name: dsdsocket + # mountPath: /socket + # -- Additional volumes available for use with initContainers and additionalContainers + additionalVolumes: [] + # - name: dsdsocket + # hostPath: + # path: /var/run/statsd-exporter + # -- Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. + # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 + # - name: volume-permissions + # image: busybox:latest + # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] + # securityContext: + # runAsNonRoot: true + # runAsGroup: 65532 + # runAsUser: 65532 + # volumeMounts: + # - name: data + # mountPath: /data + # -- Use process namespace sharing + shareProcessNamespace: false + # -- Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + dnsConfig: {} + # nameservers: + # - 192.0.2.1 # this is an example + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + # -- Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName + # -- Pod lifecycle actions + lifecycle: {} + # preStop: + # exec: + # command: ["/bin/sh", "-c", "sleep 40"] + # postStart: + # httpGet: + # path: /ping + # port: 9000 + # host: localhost + # scheme: HTTP + +# -- Pod disruption budget +podDisruptionBudget: + enabled: false + # maxUnavailable: 1 + # maxUnavailable: 33% + # minAvailable: 0 + # minAvailable: 25% + +# -- Create a default IngressClass for Traefik +ingressClass: + enabled: true + isDefaultClass: true + # name: my-custom-class + +# Traefik experimental features +experimental: + #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" + #v3: + # -- Enable traefik version 3 + # enabled: false + plugins: + # -- Enable traefik experimental plugins + enabled: false + kubernetesGateway: + # -- Enable traefik experimental GatewayClass CRD + enabled: false + gateway: + # -- Enable traefik regular kubernetes gateway + enabled: true + # certificate: + # group: "core" + # kind: "Secret" + # name: "mysecret" + # -- By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default + # Additional gateway annotations (e.g. for cert-manager.io/issuer) + # annotations: + # cert-manager.io/issuer: letsencrypt + +## Create an IngressRoute for the dashboard +ingressRoute: + dashboard: + # -- Create an IngressRoute for the dashboard + enabled: true + # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} + # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} + # -- The router match rule used for the dashboard ingressRoute + matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. 
+    # /!\ Do not expose your dashboard without any protection over the internet /!\
+    entryPoints: ["traefik"]
+    # -- Additional ingressRoute middlewares (e.g. for authentication)
+    middlewares: []
+    # -- TLS options (e.g. secret containing certificate)
+    tls: {}
+
+updateStrategy:
+  # -- Customize updateStrategy: RollingUpdate or OnDelete
+  type: RollingUpdate
+  rollingUpdate:
+    maxUnavailable: 0
+    maxSurge: 1
+
+readinessProbe:
+  # -- The number of consecutive failures allowed before considering the probe as failed.
+  failureThreshold: 1
+  # -- The number of seconds to wait before starting the first probe.
+  initialDelaySeconds: 2
+  # -- The number of seconds to wait between consecutive probes.
+  periodSeconds: 10
+  # -- The minimum consecutive successes required to consider the probe successful.
+  successThreshold: 1
+  # -- The number of seconds to wait for a probe response before considering it as failed.
+  timeoutSeconds: 2
+livenessProbe:
+  # -- The number of consecutive failures allowed before considering the probe as failed.
+  failureThreshold: 3
+  # -- The number of seconds to wait before starting the first probe.
+  initialDelaySeconds: 2
+  # -- The number of seconds to wait between consecutive probes.
+  periodSeconds: 10
+  # -- The minimum consecutive successes required to consider the probe successful.
+  successThreshold: 1
+  # -- The number of seconds to wait for a probe response before considering it as failed.
+  timeoutSeconds: 2
+
+providers:
+  kubernetesCRD:
+    # -- Load Kubernetes IngressRoute provider
+    enabled: true
+    # -- Allows IngressRoutes to reference resources in namespaces other than their own
+    allowCrossNamespace: false
+    # -- Allows referencing ExternalName services in IngressRoute
+    allowExternalNameServices: false
+    # -- Allows returning 503 when there are no endpoints available
+    allowEmptyServices: false
+    # ingressClass: traefik-internal
+    # labelSelector: environment=production,method=traefik
+    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
+    namespaces: []
+    # - "default"
+
+  kubernetesIngress:
+    # -- Load Kubernetes Ingress provider
+    enabled: true
+    # -- Allows referencing ExternalName services in Ingress
+    allowExternalNameServices: false
+    # -- Allows returning 503 when there are no endpoints available
+    allowEmptyServices: false
+    # ingressClass: traefik-internal
+    # labelSelector: environment=production,method=traefik
+    # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
+    namespaces: []
+    # - "default"
+    # IP used for Kubernetes Ingress endpoints
+    publishedService:
+      enabled: false
+      # Published Kubernetes Service to copy status from. Format: namespace/servicename
+      # By default, this is the Traefik service
+      # pathOverride: ""
+
+#
+# -- Add volumes to the traefik pod. The volume name will be passed to tpl.
+# This can be used to mount a cert pair or a configmap that holds a config.toml file.
+# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
+# `additionalArguments:
+# - "--providers.file.filename=/config/dynamic.toml"
+# - "--ping"
+# - "--ping.entrypoint=web"`
+volumes: []
+# - name: public-cert
+#   mountPath: "/certs"
+#   type: secret
+# - name: '{{ printf "%s-configs" .Release.Name }}'
+#   mountPath: "/config"
+#   type: configMap
+
+# -- Additional volumeMounts to add to the Traefik container
+additionalVolumeMounts: []
+  # -- For instance when using a logshipper for access logs
+  # - name: traefik-logs
+  #   mountPath: /var/log/traefik
+
+logs:
+  general:
+    # -- By default, the logs use a text format (common), but you can
+    # also ask for the json format in the format option
+    # format: json
+    # By default, the level is set to ERROR.
+    # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
+    level: ERROR
+  access:
+    # -- To enable access logs
+    enabled: false
+    ## By default, logs are written using the Common Log Format (CLF) on stdout.
+    ## To write logs in JSON, use json in the format option.
+    ## If the given format is unsupported, the default (CLF) is used instead.
+    # format: json
+    # filePath: "/var/log/traefik/access.log"
+    ## To write the logs in an asynchronous fashion, specify a bufferingSize option.
+    ## This option represents the number of log lines Traefik will keep in memory before writing
+    ## them to the selected output. In some cases, this option can greatly help performance.
+    # bufferingSize: 100
+    ## Filtering
+    # -- https://docs.traefik.io/observability/access-logs/#filtering
+    filters: {}
+    # statuscodes: "200,300-302"
+    # retryattempts: true
+    # minduration: 10ms
+    fields:
+      general:
+        # -- Available modes: keep, drop, redact.
+        defaultmode: keep
+        # -- Names of the fields to limit.
+        names: {}
+        ## Examples:
+        # ClientUsername: drop
+      headers:
+        # -- Available modes: keep, drop, redact.
+        defaultmode: drop
+        # -- Names of the headers to limit.
+        names: {}
+        ## Examples:
+        # User-Agent: redact
+        # Authorization: drop
+        # Content-Type: keep
+
+metrics:
+  ## -- Prometheus is enabled by default.
+  ## -- It can be disabled by setting "prometheus: null"
+  prometheus:
+    # -- Entry point used to expose metrics.
+    entryPoint: metrics
+    ## Enable metrics on entry points. Default=true
+    # addEntryPointsLabels: false
+    ## Enable metrics on routers. Default=false
+    # addRoutersLabels: true
+    ## Enable metrics on services. Default=true
+    # addServicesLabels: false
+    ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0"
+    # buckets: "0.5,1.0,2.5"
+    ## When manualRouting is true, it disables the default internal router in
+    ## order to allow creating a custom router for prometheus@internal service.
+    # manualRouting: true
+#  datadog:
+#    ## Address instructs exporter to send metrics to datadog-agent at this address.
+#    address: "127.0.0.1:8125"
+#    ## The interval used by the exporter to push metrics to datadog-agent. Default=10s
+#    # pushInterval: 30s
+#    ## The prefix to use for metrics collection. Default="traefik"
+#    # prefix: traefik
+#    ## Enable metrics on entry points. Default=true
+#    # addEntryPointsLabels: false
+#    ## Enable metrics on routers. Default=false
+#    # addRoutersLabels: true
+#    ## Enable metrics on services. Default=true
+#    # addServicesLabels: false
+#  influxdb:
+#    ## Address instructs exporter to send metrics to influxdb at this address.
+#    address: localhost:8089
+#    ## InfluxDB's address protocol (udp or http). 
Default="udp" +# protocol: udp +# ## InfluxDB database used when protocol is http. Default="" +# # database: "" +# ## InfluxDB retention policy used when protocol is http. Default="" +# # retentionPolicy: "" +# ## InfluxDB username (only with http). Default="" +# # username: "" +# ## InfluxDB password (only with http). Default="" +# # password: "" +# ## The interval used by the exporter to push metrics to influxdb. Default=10s +# # pushInterval: 30s +# ## Additional labels (influxdb tags) on all metrics. +# # additionalLabels: +# # env: production +# # foo: bar +# ## Enable metrics on entry points. Default=true +# # addEntryPointsLabels: false +# ## Enable metrics on routers. Default=false +# # addRoutersLabels: true +# ## Enable metrics on services. Default=true +# # addServicesLabels: false +# influxdb2: +# ## Address instructs exporter to send metrics to influxdb v2 at this address. +# address: localhost:8086 +# ## Token with which to connect to InfluxDB v2. +# token: xxx +# ## Organisation where metrics will be stored. +# org: "" +# ## Bucket where metrics will be stored. +# bucket: "" +# ## The interval used by the exporter to push metrics to influxdb. Default=10s +# # pushInterval: 30s +# ## Additional labels (influxdb tags) on all metrics. +# # additionalLabels: +# # env: production +# # foo: bar +# ## Enable metrics on entry points. Default=true +# # addEntryPointsLabels: false +# ## Enable metrics on routers. Default=false +# # addRoutersLabels: true +# ## Enable metrics on services. Default=true +# # addServicesLabels: false +# statsd: +# ## Address instructs exporter to send metrics to statsd at this address. +# address: localhost:8125 +# ## The interval used by the exporter to push metrics to influxdb. Default=10s +# # pushInterval: 30s +# ## The prefix to use for metrics collection. Default="traefik" +# # prefix: traefik +# ## Enable metrics on entry points. Default=true +# # addEntryPointsLabels: false +# ## Enable metrics on routers. Default=false +# # addRoutersLabels: true +# ## Enable metrics on services. Default=true +# # addServicesLabels: false +# openTelemetry: +# ## Address of the OpenTelemetry Collector to send metrics to. +# address: "localhost:4318" +# ## Enable metrics on entry points. +# addEntryPointsLabels: true +# ## Enable metrics on routers. +# addRoutersLabels: true +# ## Enable metrics on services. +# addServicesLabels: true +# ## Explicit boundaries for Histogram data points. +# explicitBoundaries: +# - "0.1" +# - "0.3" +# - "1.2" +# - "5.0" +# ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. +# headers: +# foo: bar +# test: test +# ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. +# insecure: true +# ## Interval at which metrics are sent to the OpenTelemetry Collector. +# pushInterval: 10s +# ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. +# path: /foo/v1/traces +# ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. +# tls: +# ## The path to the certificate authority, it defaults to the system bundle. +# ca: path/to/ca.crt +# ## The path to the public certificate. When using this option, setting the key option is required. +# cert: path/to/foo.cert +# ## The path to the private key. When using this option, setting the cert option is required. 
+# key: path/to/key.key +# ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +# insecureSkipVerify: true +# ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. +# grpc: true + +## -- enable optional CRDs for Prometheus Operator +## + ## Create a dedicated metrics service for use with ServiceMonitor + # service: + # enabled: false + # labels: {} + # annotations: {} + ## When set to true, it won't check if Prometheus Operator CRDs are deployed + # disableAPICheck: false + # serviceMonitor: + # metricRelabelings: [] + # - sourceLabels: [__name__] + # separator: ; + # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ + # replacement: $1 + # action: drop + # relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + # jobLabel: traefik + # interval: 30s + # honorLabels: true + # # (Optional) + # # scrapeTimeout: 5s + # # honorTimestamps: true + # # enableHttp2: true + # # followRedirects: true + # # additionalLabels: + # # foo: bar + # # namespace: "another-namespace" + # # namespaceSelector: {} + # prometheusRule: + # additionalLabels: {} + # namespace: "another-namespace" + # rules: + # - alert: TraefikDown + # expr: up{job="traefik"} == 0 + # for: 5m + # labels: + # context: traefik + # severity: warning + # annotations: + # summary: "Traefik Down" + # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" + +## Tracing +# -- https://doc.traefik.io/traefik/observability/tracing/overview/ +tracing: {} + # openTelemetry: # traefik v3+ only + # grpc: {} + # insecure: true + # address: localhost:4317 + # instana: + # localAgentHost: 127.0.0.1 + # localAgentPort: 42699 + # logLevel: info + # enableAutoProfile: true + # datadog: + # localAgentHostPort: 127.0.0.1:8126 + # debug: false + # globalTag: "" + # prioritySampling: false + # jaeger: + # samplingServerURL: http://localhost:5778/sampling + # samplingType: const + # samplingParam: 1.0 + # localAgentHostPort: 127.0.0.1:6831 + # gen128Bit: false + # propagation: jaeger + # traceContextHeaderName: uber-trace-id + # disableAttemptReconnecting: true + # collector: + # endpoint: "" + # user: "" + # password: "" + # zipkin: + # httpEndpoint: http://localhost:9411/api/v2/spans + # sameSpan: false + # id128Bit: true + # sampleRate: 1.0 + # haystack: + # localAgentHost: 127.0.0.1 + # localAgentPort: 35000 + # globalTag: "" + # traceIDHeaderName: "" + # parentIDHeaderName: "" + # spanIDHeaderName: "" + # baggagePrefixHeaderName: "" + # elastic: + # serverURL: http://localhost:8200 + # secretToken: "" + # serviceEnvironment: "" + +# -- Global command arguments to be passed to all traefik's pods +globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" + +# +# Configure Traefik static configuration +# -- Additional arguments to be passed at Traefik's binary +# All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` +additionalArguments: [] +# - "--providers.kubernetesingress.ingressclass=traefik-internal" +# - "--log.level=DEBUG" + +# -- Environment variables to be passed to Traefik's binary +env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + 
valueFrom: + fieldRef: + fieldPath: metadata.namespace +# - name: SOME_VAR +# value: some-var-value +# - name: SOME_VAR_FROM_CONFIG_MAP +# valueFrom: +# configMapRef: +# name: configmap-name +# key: config-key +# - name: SOME_SECRET +# valueFrom: +# secretKeyRef: +# name: secret-name +# key: secret-key + +# -- Environment variables to be passed to Traefik's binary from configMaps or secrets +envFrom: [] +# - configMapRef: +# name: config-map-name +# - secretRef: +# name: secret-name + +ports: + traefik: + port: 9000 + # -- Use hostPort if set. + # hostPort: 9000 + # + # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. + # hostIP: 192.168.100.10 + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # -- You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # -- The exposed port for this service + exposedPort: 9000 + # -- The port protocol (TCP/UDP) + protocol: TCP + web: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 + # containerPort: 8000 + expose: true + exposedPort: 80 + ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP + # -- Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer. + # nodePort: 32080 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + # redirectTo: websecure + # + # Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: + # trustedIPs: [] + # insecure: false + # + # Enable the Proxy Protocol header parsing for the entry point + # proxyProtocol: + # trustedIPs: [] + # insecure: false + websecure: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 + # hostPort: 8443 + # containerPort: 8443 + expose: true + exposedPort: 443 + ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 + ## -- The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 + ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. + # appProtocol: https + # + ## -- Enable HTTP/3 on the entrypoint + ## Enabling it will also enable http3 experimental feature + ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 + ## There are known limitations when trying to listen on same ports for + ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. + ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 + http3: + enabled: false + # advertisedPort: 4443 + # + ## -- Trust forwarded headers information (X-Forwarded-*). 
+ #forwardedHeaders: + # trustedIPs: [] + # insecure: false + # + ## -- Enable the Proxy Protocol header parsing for the entry point + #proxyProtocol: + # trustedIPs: [] + # insecure: false + # + ## Set TLS at the entrypoint + ## https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: + enabled: true + # this is the name of a TLSOption definition + options: "" + certResolver: "" + domains: [] + # - main: example.com + # sans: + # - foo.example.com + # - bar.example.com + # + # -- One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares + # -- /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace + # middlewares: + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] + metrics: + # -- When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # hostPort: 9100 + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # -- You may not want to expose the metrics port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # -- The exposed port for this service + exposedPort: 9100 + # -- The port protocol (TCP/UDP) + protocol: TCP + +# -- TLS Options are created as TLSOption CRDs +# https://doc.traefik.io/traefik/https/tls/#tls-options +# When using `labelSelector`, you'll need to set labels on tlsOption accordingly. +# Example: +# tlsOptions: +# default: +# labels: {} +# sniStrict: true +# preferServerCipherSuites: true +# customOptions: +# labels: {} +# curvePreferences: +# - CurveP521 +# - CurveP384 +tlsOptions: {} + +# -- TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate +# https://doc.traefik.io/traefik/https/tls/#default-certificate +# Example: +# tlsStore: +# default: +# defaultCertificate: +# secretName: tls-cert +tlsStore: {} + +service: + enabled: true + ## -- Single service is using `MixedProtocolLBService` feature gate. + ## -- When set to false, it will create two Service, one for TCP and one for UDP. + single: true + type: LoadBalancer + # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} + # -- Additional annotations for TCP service only + annotationsTCP: {} + # -- Additional annotations for UDP service only + annotationsUDP: {} + # -- Additional service labels (e.g. for filtering Service by custom labels) + labels: {} + # -- Additional entries here will be added to the service spec. + # -- Cannot contain type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + ## -- Class of the load balancer implementation + # loadBalancerClass: service.k8s.aws/nlb + externalIPs: [] + # - 1.2.3.4 + ## One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack + ## List of IP families (e.g. IPv4 and/or IPv6). 
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  # ipFamilies:
+  #   - IPv4
+  #   - IPv6
+  ##
+  ## -- An additional and optional internal Service.
+  ## Same parameters as external Service
+  # internal:
+  #   type: ClusterIP
+  #   # labels: {}
+  #   # annotations: {}
+  #   # spec: {}
+  #   # loadBalancerSourceRanges: []
+  #   # externalIPs: []
+  #   # ipFamilies: [ "IPv4","IPv6" ]
+
+autoscaling:
+  # -- Create HorizontalPodAutoscaler object.
+  enabled: false
+# minReplicas: 1
+# maxReplicas: 10
+# metrics:
+# - type: Resource
+#   resource:
+#     name: cpu
+#     target:
+#       type: Utilization
+#       averageUtilization: 60
+# - type: Resource
+#   resource:
+#     name: memory
+#     target:
+#       type: Utilization
+#       averageUtilization: 60
+# behavior:
+#   scaleDown:
+#     stabilizationWindowSeconds: 300
+#     policies:
+#     - type: Pods
+#       value: 1
+#       periodSeconds: 60
+
+persistence:
+  # -- Enable persistence using Persistent Volume Claims
+  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+  # It can be used to store TLS certificates, see `storage` in certResolvers
+  enabled: false
+  name: data
+#  existingClaim: ""
+  accessMode: ReadWriteOnce
+  size: 128Mi
+  # storageClass: ""
+  # volumeName: ""
+  path: /data
+  annotations: {}
+  # -- Only mount a subpath of the Volume into the pod
+  # subPath: ""
+
+# -- Certificates resolvers configuration
+certResolvers: {}
+#   letsencrypt:
+#     # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
+#     email: email@example.com
+#     dnsChallenge:
+#       # also add the provider's required configuration under env
+#       # or expand them from secrets/configmaps with envfrom
+#       # cf. https://doc.traefik.io/traefik/https/acme/#providers
+#       provider: digitalocean
+#       # add further options for the dns challenge as needed
+#       # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
+#       delayBeforeCheck: 30
+#       resolvers:
+#         - 1.1.1.1
+#         - 8.8.8.8
+#     tlsChallenge: true
+#     httpChallenge:
+#       entryPoint: "web"
+#     # It has to match the path with a persistent volume
+#     storage: /data/acme.json
+
+# -- If hostNetwork is true, runs traefik in the host network namespace
+# To prevent unschedulable pods due to port collisions, if hostNetwork=true
+# and replicas>1, a pod anti-affinity is recommended and will be set if the
+# affinity is left as default.
+hostNetwork: false
+
+# -- Whether Role Based Access Control objects like roles and rolebindings should be created
+rbac:
+  enabled: true
+  # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
+  # If set to true, installs Role and RoleBinding. Providers will only watch target namespace.
+  namespaced: false
+  # Enable user-facing roles
+  # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+  # aggregateTo: [ "admin" ]
+
+# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
+podSecurityPolicy:
+  enabled: false
+
+# -- The service account the pods will use to interact with the Kubernetes API
+serviceAccount:
+  # If set, an existing service account is used
+  # If not set, a service account is created automatically using the fullname template
+  name: ""
+
+# -- Additional serviceAccount annotations (e.g. for oidc authentication)
+serviceAccountAnnotations: {}
+
+# -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers.
+resources: {} + # requests: + # cpu: "100m" + # memory: "50Mi" + # limits: + # cpu: "300m" + # memory: "150Mi" + +# -- This example pod anti-affinity forces the scheduler to put traefik pods +# -- on nodes where no other traefik pods are scheduled. +# It should be used when hostNetwork: true to prevent port conflicts +affinity: {} +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - labelSelector: +# matchLabels: +# app.kubernetes.io/name: '{{ template "traefik.name" . }}' +# app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' +# topologyKey: kubernetes.io/hostname + +# -- nodeSelector is the simplest recommended form of node selection constraint. +nodeSelector: {} +# -- Tolerations allow the scheduler to schedule pods with matching taints. +tolerations: [] +# -- You can use topology spread constraints to control +# how Pods are spread across your cluster among failure-domains. +topologySpreadConstraints: [] +# This example topologySpreadConstraints forces the scheduler to put traefik pods +# on nodes where no other traefik pods are scheduled. +# - labelSelector: +# matchLabels: +# app: '{{ template "traefik.name" . }}' +# maxSkew: 1 +# topologyKey: kubernetes.io/hostname +# whenUnsatisfiable: DoNotSchedule + +# -- Pods can have priority. +# -- Priority indicates the importance of a Pod relative to other Pods. +priorityClassName: "" + +# -- Set the container security context +# -- To run the container with ports below 1024 this will need to be adjusted to run as root +securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + +podSecurityContext: + # /!\ When setting fsGroup, Kubernetes will recursively change ownership and + # permissions for the contents of each volume to match the fsGroup. This can + # be an issue when storing sensitive content like TLS Certificates /!\ + # fsGroup: 65532 + # -- Specifies the policy for changing ownership and permissions of volume contents to match the fsGroup. + fsGroupChangePolicy: "OnRootMismatch" + # -- The ID of the group for all containers in the pod to run as. + runAsGroup: 65532 + # -- Specifies whether the containers should run as a non-root user. + runAsNonRoot: true + # -- The ID of the user for all containers in the pod to run as. + runAsUser: 65532 + +# +# -- Extra objects to deploy (value evaluated as a template) +# +# In some cases, it can avoid the need for additional, extended or adhoc deployments. +# See #595 for more details and traefik/tests/values/extra.yaml for example. +extraObjects: [] + +# This will override the default Release Namespace for Helm. +# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` +# namespaceOverride: traefik +# +## -- This will override the default app.kubernetes.io/instance label for all Objects. +# instanceLabelOverride: traefik + diff --git a/system/services/traefik/traefik-mesh-4.1.1-values.yaml b/system/services/traefik/traefik-mesh-4.1.1-values.yaml new file mode 100644 index 0000000..ad25ebc --- /dev/null +++ b/system/services/traefik/traefik-mesh-4.1.1-values.yaml @@ -0,0 +1,209 @@ +# Default values for Traefik Mesh. 
+ +# acl: true + +# kubedns: true + +# clusterDomain: cluster.local + +# logLevel: error +# logFormat: common + +# defaultMode: http + +limits: + http: 10 + tcp: 25 + udp: 25 + +controller: + image: + name: traefik/mesh + # (Optional) + # pullPolicy: IfNotPresent + # (Optional) + # tag: v1.1.0 + # (Optional) + # pullSecret: xxx + + # logLevel: error + # logFormat: common + + # ignoreNamespaces: + # - example + + # watchNamespaces: + # - example + + resources: + limit: + mem: 100Mi + cpu: 200m + request: + mem: 50Mi + cpu: 100m + + # Added so we can launch on nodes with restrictions. + nodeSelector: {} + tolerations: [] + affinity: {} + +proxy: + image: + name: traefik + # (Optional) + # pullPolicy: IfNotPresent + # (Optional) + # tag: v2.5 + # (Optional) + # pullSecret: xxx + + # logLevel: error + # logFormat: common + + # pollInterval: 1s + # pollTimeout: 1s + + # forwardingTimeouts: + # dialTimeout: 30s + # (Optional) + # responseHeaderTimeout: 0s + # (Optional) + # idleConnTimeout: 1s + + # env: + # - name: NAME + # value: "value" + + # envFrom: + # - configMapRef: + # name: config + + # additionalArguments: + # - "--name=value" + + resources: + limit: + mem: 100Mi + cpu: 200m + request: + mem: 50Mi + cpu: 100m + + # Added so we can launch on nodes with restrictions. + nodeSelector: {} + tolerations: [] + + # Additional deployment annotations. + # annotations: {} + + # Additional pod annotations. + # podAnnotations: {} + +# +# Tracing configuration. +# +tracing: + deploy: true + jaeger: + enabled: true + # (Optional) + # localAgentHostPort: "127.0.0.1:6831" + # (Optional) + # samplingServerURL: "http://localhost:5778/sampling" + # datadog: + # localAgentHostPort: "127.0.0.1:8126" + # (Optional) + # debug: true + # (Optional) + # globalTag: "sample" + # (Optional) + # prioritySampling: true + # zipkin: + # httpEndpoint: "127.0.0.1:8125" + # (Optional) + # sameSpan: true + # (Optional) + # id128Bit: false + # (Optional) + # sampleRate: 0.2 + # instana: + # localAgentHost: "127.0.0.1" + # localAgentPort: 42699 + # logLevel: info + # haystack: + # localAgentHost: "127.0.0.1" + # localAgentPort: 42699 + # (Optional) + # globalTag: "sample:test" + # (Optional) + # traceIDHeaderName: "sample" + # (Optional) + # parentIDHeaderName: "sample" + # (Optional) + # spanIDHeaderName: "sample" + # (Optional) + # baggagePrefixHeaderName: "sample" + +# +# Metrics configuration. +# +metrics: + deploy: true + prometheus: + # whether to expose Prometheus metrics + enabled: true + # (Optional) + # addEntrypointsLabels: true + # (Optional) + # addServiceLabels: true + # (Optional) + # buckets: 0.100000, 0.300000, 1.200000, 5.000000 + ## you can override values of the metrics subchart here. + ## check charts/metrics/values.yaml for the defaults. 
## example:
+  # grafana:
+  #   storageClassName: "metrics-storage"
+  #   resources:
+  #     limit:
+  #       mem: "500Mi"
+  #       cpu: "500m"
+  #     request:
+  #       mem: "200Mi"
+  #       cpu: "200m"
+  # datadog:
+  #   address: "127.0.0.1:8125"
+  #   (Optional)
+  #   addEntrypointsLabels: true
+  #   (Optional)
+  #   addServiceLabels: true
+  #   (Optional)
+  #   pushInterval: 10s
+  # influxdb:
+  #   address: "localhost:8089"
+  #   protocol: "udp"
+  #   (Optional)
+  #   database: "db"
+  #   (Optional)
+  #   retentionPolicy: "two_hours"
+  #   (Optional)
+  #   username: "john"
+  #   (Optional)
+  #   password: "secret"
+  #   (Optional)
+  #   addEntrypointsLabels: true
+  #   (Optional)
+  #   addServiceLabels: true
+  #   (Optional)
+  #   pushInterval: 10s
+  # statsd:
+  #   address: "127.0.0.1:8125"
+  #   (Optional)
+  #   addEntrypointsLabels: true
+  #   (Optional)
+  #   addServiceLabels: true
+  #   (Optional)
+  #   pushInterval: 10s
+  #   (Optional)
+  #   prefix: traefik
+
diff --git a/system/services/traefik/traefik-release.yaml b/system/services/traefik/traefik-release.yaml
new file mode 100644
index 0000000..bc207ae
--- /dev/null
+++ b/system/services/traefik/traefik-release.yaml
@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  interval: 30m
+  timeout: 5m
+  releaseName: traefik
+  targetNamespace: ingress
+  chart:
+    spec:
+      chart: traefik
+      version: "24.x"
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+        namespace: flux-system
+      interval: 12h
+  install:
+    remediation:
+      retries: 2
+  upgrade:
+    remediation:
+      retries: 5
+  rollback:
+    timeout: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: traefik-values
\ No newline at end of file
diff --git a/system/services/cert-manager/valuesfrom.yaml b/system/services/traefik/valuesfrom.yaml
similarity index 100%
rename from system/services/cert-manager/valuesfrom.yaml
rename to system/services/traefik/valuesfrom.yaml
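
For context: valuesfrom.yaml is carried over by a 100% rename, so this patch does not show its body. In the usual Flux layout it is a kustomize configuration that lets the configMapGenerator's hashed ConfigMap names be rewritten into each HelmRelease's valuesFrom reference; a minimal sketch of what such a file typically contains (assumed here, not shown by the diff):

    nameReference:
      - kind: ConfigMap
        version: v1
        fieldSpecs:
          - path: spec/valuesFrom/name
            kind: HelmRelease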
diff --git a/system/services/cert-manager/cert-manager-0.12.5-values.yaml b/zisabled/cert-manager/cert-manager-0.12.5-values.yaml
similarity index 100%
rename from system/services/cert-manager/cert-manager-0.12.5-values.yaml
rename to zisabled/cert-manager/cert-manager-0.12.5-values.yaml
diff --git a/zisabled/cert-manager/clusterissuer.yaml b/zisabled/cert-manager/clusterissuer.yaml
new file mode 100644
index 0000000..947dcf9
--- /dev/null
+++ b/zisabled/cert-manager/clusterissuer.yaml
@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: jaykul@huddledmasses.org
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: "letsencrypt-staging"
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      #- dns01:
+        # Add azureDNS resolver for Private endpoints, but this needs to be fixed: https://github.com/cert-manager/website/issues/662
+        #azureDNS:
+        #  clientID: $(az aks show -g az-k8s-e0hm-rg -n aks-az-k8s-e0hm --query identityProfile.kubeletidentity.clientId -o tsv)
+        #  subscriptionID: 2d5bb2c8-8be8-4539-b48f-fbfd86852fa9
+        #  resourceGroupName: domainssl
+        #  hostedZoneName: azdemo.co.uk
+      - http01:
+          ingress:
+            class: contour
\ No newline at end of file
diff --git a/system/services/cert-manager/kustomization.yaml b/zisabled/cert-manager/kustomization.yaml
similarity index 90%
rename from system/services/cert-manager/kustomization.yaml
rename to zisabled/cert-manager/kustomization.yaml
index 35aa00b..5716439 100644
--- a/system/services/cert-manager/kustomization.yaml
+++ b/zisabled/cert-manager/kustomization.yaml
@@ -1,6 +1,6 @@
 resources:
   - namespace.yaml
-  - helm-release.yaml
+  - release.yaml
 
 configMapGenerator:
   - name: cert-manager-values
diff --git a/system/services/cert-manager/namespace.yaml b/zisabled/cert-manager/namespace.yaml
similarity index 100%
rename from system/services/cert-manager/namespace.yaml
rename to zisabled/cert-manager/namespace.yaml
diff --git a/system/services/cert-manager/helm-release.yaml b/zisabled/cert-manager/release.yaml
similarity index 100%
rename from system/services/cert-manager/helm-release.yaml
rename to zisabled/cert-manager/release.yaml
diff --git a/system/services/contour/valuesfrom.yaml b/zisabled/cert-manager/valuesfrom.yaml
similarity index 100%
rename from system/services/contour/valuesfrom.yaml
rename to zisabled/cert-manager/valuesfrom.yaml
diff --git a/zisabled/container-azm-ms-agentconfig.yaml b/zisabled/container-azm-ms-agentconfig.yaml
new file mode 100644
index 0000000..4aff86d
--- /dev/null
+++ b/zisabled/container-azm-ms-agentconfig.yaml
@@ -0,0 +1,210 @@
+kind: ConfigMap
+apiVersion: v1
+data:
+  schema-version:
+    #string.used by agent to parse config. supported versions are {v1}. Configs with other schema versions will be rejected by the agent.
+    v1
+  config-version:
+    #string.used by customer to keep track of this config file's version in their source control/repository (max allowed 10 chars, other chars will be truncated)
+    ver1
+  log-data-collection-settings: |-
+    # Log data collection settings
+    # Any errors related to config map settings can be found in the KubeMonAgentEvents table in the Log Analytics workspace that the cluster is sending data to.
+
+    [log_collection_settings]
+      [log_collection_settings.stdout]
+        # In the absence of this configmap, default value for enabled is true
+        enabled = true
+        # exclude_namespaces setting applies only if enabled is set to true
+        # kube-system,gatekeeper-system log collection are disabled by default in the absence of 'log_collection_settings.stdout' setting. If you want to enable kube-system,gatekeeper-system, remove them from the following setting.
+        # If you want to continue to disable kube-system,gatekeeper-system log collection keep the namespaces in the following setting and add any other namespace you want to disable log collection to the array.
+        # In the absence of this configmap, default value for exclude_namespaces = ["kube-system","gatekeeper-system"]
+        exclude_namespaces = ["kube-system","gatekeeper-system"]
+
+      [log_collection_settings.stderr]
+        # Default value for enabled is true
+        enabled = true
+        # exclude_namespaces setting applies only if enabled is set to true
+        # kube-system,gatekeeper-system log collection are disabled by default in the absence of 'log_collection_settings.stderr' setting. If you want to enable kube-system,gatekeeper-system, remove them from the following setting.
+        # If you want to continue to disable kube-system,gatekeeper-system log collection keep the namespaces in the following setting and add any other namespace you want to disable log collection to the array.
+        # In the absence of this configmap, default value for exclude_namespaces = ["kube-system","gatekeeper-system"]
+        exclude_namespaces = ["kube-system","gatekeeper-system"]
+
+      [log_collection_settings.env_var]
+        # In the absence of this configmap, default value for enabled is true
+        enabled = true
+      [log_collection_settings.enrich_container_logs]
+        # In the absence of this configmap, default value for enrich_container_logs is false
+        enabled = false
+        # When this is enabled (enabled = true), every container log entry (both stdout & stderr) will be enriched with container Name & container Image
+      [log_collection_settings.collect_all_kube_events]
+        # In the absence of this configmap, default value for collect_all_kube_events is false
+        # When the setting is set to false, only the kube events with !normal event type will be collected
+        enabled = false
+        # When this is enabled (enabled = true), all kube events including normal events will be collected
+      [log_collection_settings.schema]
+        # In the absence of this configmap, default value for containerlog_schema_version is "v1"
+        # Supported values for this setting are "v1","v2"
+        # See documentation at https://aka.ms/ContainerLogv2 for benefits of v2 schema over v1 schema before opting for "v2" schema
+        containerlog_schema_version = "v2"
+      #[log_collection_settings.enable_multiline_logs]
+        # fluent-bit based multiline log collection for go (stacktrace), dotnet (stacktrace)
+        # if enabled will also stitch together container logs split by docker/cri due to size limits(16KB per log line)
+        # enabled = "false"
+
+
+  prometheus-data-collection-settings: |-
+    # Custom Prometheus metrics data collection settings
+    [prometheus_data_collection_settings.cluster]
+      # Cluster level scrape endpoint(s). These metrics will be scraped from agent's Replicaset (singleton)
+      # Any errors related to prometheus scraping can be found in the KubeMonAgentEvents table in the Log Analytics workspace that the cluster is sending data to.
+
+      # Interval specifying how often to scrape for metrics. This is a duration of time and can be specified for supporting settings by combining an integer value and time unit as a string value. Valid time units are ns, us (or µs), ms, s, m, h.
+      interval = "1m"
+
+      ## Uncomment the following settings with valid string arrays for prometheus scraping
+      #fieldpass = ["metric_to_pass1", "metric_to_pass12"]
+
+      #fielddrop = ["metric_to_drop"]
+
+      # An array of urls to scrape metrics from.
+      # urls = ["http://myurl:9101/metrics"]
+
+      # An array of Kubernetes services to scrape metrics from.
+      # kubernetes_services = ["http://my-service-dns.my-namespace:9102/metrics"]
+
+      # When monitor_kubernetes_pods = true, replicaset will scrape Kubernetes pods for the following prometheus annotations:
+      # - prometheus.io/scrape: Enable scraping for this pod
+      # - prometheus.io/scheme: Default is http
+      # - prometheus.io/path: If the metrics path is not /metrics, define it with this annotation.
+      # - prometheus.io/port: If port is not 9102 use this annotation
+      monitor_kubernetes_pods = false
+
+      ## Restricts Kubernetes monitoring to namespaces for pods that have annotations set and are scraped using the monitor_kubernetes_pods setting.
+
+        ## Restricts Kubernetes monitoring to namespaces for pods that have annotations set and are scraped using the monitor_kubernetes_pods setting.
+        ## This will take effect when monitor_kubernetes_pods is set to true
+        ##   ex: monitor_kubernetes_pods_namespaces = ["default1", "default2", "default3"]
+        # monitor_kubernetes_pods_namespaces = ["default1"]
+
+        ## Label selector to target pods which have the specified label
+        ## This will take effect when monitor_kubernetes_pods is set to true
+        ## Reference the docs at https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+        # kubernetes_label_selector = "env=dev,app=nginx"
+
+        ## Field selector to target pods which have the specified field
+        ## This will take effect when monitor_kubernetes_pods is set to true
+        ## Reference the docs at https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/
+        ## eg. To scrape pods on a specific node
+        # kubernetes_field_selector = "spec.nodeName=$HOSTNAME"
+
+    [prometheus_data_collection_settings.node]
+        # Node level scrape endpoint(s). These metrics will be scraped from the agent's DaemonSet running on every node in the cluster
+        # Any errors related to prometheus scraping can be found in the KubeMonAgentEvents table in the Log Analytics workspace that the cluster is sending data to.
+
+        # Interval specifying how often to scrape for metrics. This is a duration of time and can be specified for supporting settings by combining an integer value and time unit as a string value. Valid time units are ns, us (or µs), ms, s, m, h.
+        interval = "1m"
+
+        ## Uncomment the following settings with valid string arrays for prometheus scraping
+
+        # An array of urls to scrape metrics from. $NODE_IP (all upper case) will be substituted with the running node's IP address
+        # urls = ["http://$NODE_IP:9103/metrics"]
+
+        #fieldpass = ["metric_to_pass1", "metric_to_pass12"]
+
+        #fielddrop = ["metric_to_drop"]
+
+  metric_collection_settings: |-
+    # Metrics collection settings for metrics sent to Log Analytics and MDM
+    [metric_collection_settings.collect_kube_system_pv_metrics]
+        # In the absence of this configmap, the default value for collect_kube_system_pv_metrics is false
+        # When the setting is set to false, only the persistent volume metrics outside the kube-system namespace will be collected
+        enabled = false
+        # When this is enabled (enabled = true), persistent volume metrics including those in the kube-system namespace will be collected
+
+  alertable-metrics-configuration-settings: |-
+    # Alertable metrics configuration settings for container resource utilization
+    [alertable_metrics_configuration_settings.container_resource_utilization_thresholds]
+        # The threshold (type Float) will be rounded off to 2 decimal points
+        # Threshold for container cpu; the metric will be sent only when cpu utilization exceeds or becomes equal to the following percentage
+        container_cpu_threshold_percentage = 95.0
+        # Threshold for container memoryRss; the metric will be sent only when memory rss exceeds or becomes equal to the following percentage
+        container_memory_rss_threshold_percentage = 95.0
+        # Threshold for container memoryWorkingSet; the metric will be sent only when memory working set exceeds or becomes equal to the following percentage
+        container_memory_working_set_threshold_percentage = 95.0
+
+    # Alertable metrics configuration settings for persistent volume utilization
+    [alertable_metrics_configuration_settings.pv_utilization_thresholds]
+        # Threshold for persistent volume usage bytes; the metric will be sent only when persistent volume utilization exceeds or becomes equal to the following percentage
+        pv_usage_threshold_percentage = 60.0
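+        # Worked example (illustrative assumption, not an upstream default): with
+        # pv_usage_threshold_percentage = 60.0, a 100GiB persistent volume begins
+        # emitting the utilization metric once usage reaches 60GiB.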
+
+    # Alertable metrics configuration settings for completed jobs count
+    [alertable_metrics_configuration_settings.job_completion_threshold]
+        # Threshold for completed job count; the metric will be sent only for those jobs which were completed earlier than the following threshold
+        job_completion_threshold_time_minutes = 360
+  integrations: |-
+    [integrations.azure_network_policy_manager]
+        collect_basic_metrics = false
+        collect_advanced_metrics = false
+    [integrations.azure_subnet_ip_usage]
+        enabled = false
+
+# Doc - https://github.com/microsoft/Docker-Provider/blob/ci_prod/Documentation/AgentSettings/ReadMe.md
+  agent-settings: |-
+    # prometheus scrape fluent bit settings for high scale
+    # buffer size should be greater than or equal to chunk size, else we set it to chunk size.
+    # settings scoped to the prometheus sidecar container. all values in MB
+    [agent_settings.prometheus_fbit_settings]
+      tcp_listener_chunk_size = 10
+      tcp_listener_buffer_size = 10
+      tcp_listener_mem_buf_limit = 200
+
+    # prometheus scrape fluent bit settings for high scale
+    # buffer size should be greater than or equal to chunk size, else we set it to chunk size.
+    # settings scoped to the daemonset container. all values in MB
+    # [agent_settings.node_prometheus_fbit_settings]
+    #   tcp_listener_chunk_size = 1
+    #   tcp_listener_buffer_size = 1
+    #   tcp_listener_mem_buf_limit = 10
+
+    # prometheus scrape fluent bit settings for high scale
+    # buffer size should be greater than or equal to chunk size, else we set it to chunk size.
+    # settings scoped to the replicaset container. all values in MB
+    # [agent_settings.cluster_prometheus_fbit_settings]
+    #   tcp_listener_chunk_size = 1
+    #   tcp_listener_buffer_size = 1
+    #   tcp_listener_mem_buf_limit = 10
+
+    # The following settings are "undocumented"; we don't recommend uncommenting them unless directed by Microsoft.
+    # They increase the maximum stdout/stderr log collection rate but will also cause higher cpu/memory usage.
+    ## Ref for more details about Ignore_Older - https://docs.fluentbit.io/manual/v/1.7/pipeline/inputs/tail
+    # [agent_settings.fbit_config]
+    #   log_flush_interval_secs = "1"        # default value is 15
+    #   tail_mem_buf_limit_megabytes = "10"  # default value is 10
+    #   tail_buf_chunksize_megabytes = "1"   # default value is 32kb (comment out this line for default)
+    #   tail_buf_maxsize_megabytes = "1"     # default value is 32kb (comment out this line for default)
+    #   tail_ignore_older = "5m"             # default value same as the fluent-bit default, i.e. 0m
+
+    # On both AKS & Arc K8s environments, if the cluster is configured with a forward proxy, the proxy settings are automatically applied and used by the agent.
+    # In certain configurations the proxy config should be ignored, for example a cluster with AMPLS + Proxy;
+    # in such scenarios, use the following config to ignore proxy settings:
+    # [agent_settings.proxy_config]
+    #   ignore_proxy_settings = "true" # if this is not applied, the default value is false
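+    # Illustrative (hypothetical) scenario: a cluster that reaches Log Analytics through a
+    # forward proxy but ingests over AMPLS would uncomment the block above and keep
+    # ignore_proxy_settings = "true" so the agent bypasses the proxy for ingestion.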
+
+    # The following settings are "undocumented"; we don't recommend uncommenting them unless directed by Microsoft.
+    # Configuration settings for the waittime for the network listeners to be available
+    # [agent_settings.network_listener_waittime]
+    #   tcp_port_25226 = 45 # Port 25226 is used for telegraf to fluent-bit data in the ReplicaSet
+    #   tcp_port_25228 = 60 # Port 25228 is used for telegraf to fluentd data
+    #   tcp_port_25229 = 45 # Port 25229 is used for telegraf to fluent-bit data in the DaemonSet
+
+    # The following settings are "undocumented"; we don't recommend uncommenting them unless directed by Microsoft.
+    # [agent_settings.mdsd_config]
+    #   monitoring_max_event_rate = "50000"          # default 20K eps
+    #   backpressure_memory_threshold_in_mb = "1500" # default 3500MB
+    #   upload_max_size_in_mb = "20"                 # default 2MB
+    #   upload_frequency_seconds = "1"               # default 60 seconds
+    #   compression_level = "0"                      # supported levels 0 to 9; 0 means no compression
+
+metadata:
+  name: container-azm-ms-agentconfig
+  namespace: kube-system
+
diff --git a/system/services/contour/contour-13.1.0-values.yaml b/zisabled/contour/contour-13.1.0-values.yaml
similarity index 99%
rename from system/services/contour/contour-13.1.0-values.yaml
rename to zisabled/contour/contour-13.1.0-values.yaml
index f1df706..090246e 100644
--- a/system/services/contour/contour-13.1.0-values.yaml
+++ b/zisabled/contour/contour-13.1.0-values.yaml
@@ -40,7 +40,9 @@ kubeVersion: ""
 extraDeploy: []
 ## @param commonLabels Labels to add to all deployed objects
 ##
-commonLabels: {}
+commonLabels: {
+  release: monitoring
+}
 ## @param commonAnnotations Annotations to add to all deployed objects
 ##
 commonAnnotations: {}
@@ -1351,10 +1353,10 @@ metrics:
   serviceMonitor:
     ## @param metrics.serviceMonitor.namespace Specify if the servicemonitors will be deployed into a different namespace (blank deploys into same namespace as chart)
     ##
-    namespace: ""
+    namespace: "monitor"
     ## @param metrics.serviceMonitor.enabled Specify if a servicemonitor will be deployed for prometheus-operator.
     ##
-    enabled: false
+    enabled: true
     ## @param metrics.serviceMonitor.jobLabel Specify the jobLabel to use for the prometheus-operator
     ##
     jobLabel: "app.kubernetes.io/name"