diff options
Diffstat (limited to 'deployments/helm/servicemesh/metallb/templates')
8 files changed, 438 insertions, 0 deletions
diff --git a/deployments/helm/servicemesh/metallb/templates/NOTES.txt b/deployments/helm/servicemesh/metallb/templates/NOTES.txt new file mode 100644 index 00000000..64df7a0d --- /dev/null +++ b/deployments/helm/servicemesh/metallb/templates/NOTES.txt @@ -0,0 +1,29 @@ + +#/* +# * Copyright 2019 Intel Corporation, Inc +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# */ + +A config map is to applied with available IPs that MetalLB can use to +Assign to service with type:LoadBalancer +MetalLB is now running in the cluster. +{{- if .Values.configInline }} +LoadBalancer Services in your cluster are now available on the IPs you +defined in MetalLB's configuration. To see IP assignments, +try `kubectl get services`. +{{- else }} +WARNING: you specified a ConfigMap that isn't managed by +Helm. LoadBalancer services will not function until you add that +ConfigMap to your cluster yourself. +{{- end }} diff --git a/deployments/helm/servicemesh/metallb/templates/_helpers.tpl b/deployments/helm/servicemesh/metallb/templates/_helpers.tpl new file mode 100644 index 00000000..5e59e6cd --- /dev/null +++ b/deployments/helm/servicemesh/metallb/templates/_helpers.tpl @@ -0,0 +1,80 @@ +#/* +# * Copyright 2019 Intel Corporation, Inc +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# */ + + +Expand the name of the chart. +*/}} +{{- define "metallb.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "metallb.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "metallb.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the controller service account to use +*/}} +{{- define "metallb.controllerServiceAccountName" -}} +{{- if .Values.serviceAccounts.controller.create -}} + {{ default (printf "%s-controller" (include "metallb.fullname" .)) .Values.serviceAccounts.controller.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.controller.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the speaker service account to use +*/}} +{{- define "metallb.speakerServiceAccountName" -}} +{{- if .Values.serviceAccounts.speaker.create -}} + {{ default (printf "%s-speaker" (include "metallb.fullname" .)) .Values.serviceAccounts.speaker.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.speaker.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the settings ConfigMap to use. +*/}} +{{- define "metallb.configMapName" -}} +{{- if .Values.config -}} + {{ include "metallb.fullname" . }} +{{- else -}} + {{ .Values.existingConfigMap }} +{{- end -}} +{{- end -}} diff --git a/deployments/helm/servicemesh/metallb/templates/config.yaml b/deployments/helm/servicemesh/metallb/templates/config.yaml new file mode 100644 index 00000000..da27eb38 --- /dev/null +++ b/deployments/helm/servicemesh/metallb/templates/config.yaml @@ -0,0 +1,9 @@ +{{- if .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "metallb.fullname" . }} +data: + config: | +{{ toYaml .Values.config | indent 4 }} +{{- end }} diff --git a/deployments/helm/servicemesh/metallb/templates/controller.yaml b/deployments/helm/servicemesh/metallb/templates/controller.yaml new file mode 100644 index 00000000..f993ca32 --- /dev/null +++ b/deployments/helm/servicemesh/metallb/templates/controller.yaml @@ -0,0 +1,67 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "metallb.fullname" . }}-controller + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} + component: controller +spec: + revisionHistoryLimit: 3 + selector: + matchLabels: + app: {{ template "metallb.name" . }} + component: controller + release: {{ .Release.Name | quote }} + template: + metadata: + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} + component: controller +{{- if .Values.prometheus.scrapeAnnotations }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "7472" +{{- end }} + spec: + serviceAccountName: {{ template "metallb.controllerServiceAccountName" . }} + terminationGracePeriodSeconds: 0 + securityContext: + runAsNonRoot: true + runAsUser: 65534 # nobody + nodeSelector: + "beta.kubernetes.io/os": linux + {{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: controller + image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: + - --port=7472 + - --config={{ template "metallb.configMapName" . }} + ports: + - name: monitoring + containerPort: 7472 + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true diff --git a/deployments/helm/servicemesh/metallb/templates/psp.yaml b/deployments/helm/servicemesh/metallb/templates/psp.yaml new file mode 100644 index 00000000..891aeb60 --- /dev/null +++ b/deployments/helm/servicemesh/metallb/templates/psp.yaml @@ -0,0 +1,33 @@ +{{- if .Values.psp.create -}} + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "metallb.fullname" . }}-speaker + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} +spec: + hostNetwork: true + hostPorts: + - min: 7472 + max: 7472 + privileged: true + allowPrivilegeEscalation: false + allowedCapabilities: + - 'NET_ADMIN' + - 'NET_RAW' + - 'SYS_ADMIN' + volumes: + - '*' + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny +{{- end -}} diff --git a/deployments/helm/servicemesh/metallb/templates/rbac.yaml b/deployments/helm/servicemesh/metallb/templates/rbac.yaml new file mode 100644 index 00000000..658df7e6 --- /dev/null +++ b/deployments/helm/servicemesh/metallb/templates/rbac.yaml @@ -0,0 +1,117 @@ +{{- if .Values.rbac.create -}} + +# Roles +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "metallb.fullname" . }}:controller + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} +rules: +- apiGroups: [""] + resources: ["services"] + verbs: ["get", "list", "watch", "update"] +- apiGroups: [""] + resources: ["services/status"] + verbs: ["update"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "metallb.fullname" . }}:speaker + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} +rules: +- apiGroups: [""] + resources: ["services", "endpoints", "nodes"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +{{- if .Values.psp.create }} +- apiGroups: ["extensions"] + resources: ["podsecuritypolicies"] + resourceNames: [{{ printf "%s-speaker" (include "metallb.fullname" .) | quote}}] + verbs: ["use"] +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "metallb.fullname" . }}-config-watcher + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] +--- + +## Role bindings +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "metallb.fullname" . }}:controller + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "metallb.controllerServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "metallb.fullname" . }}:controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "metallb.fullname" . }}:speaker + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "metallb.speakerServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "metallb.fullname" . }}:speaker +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "metallb.fullname" . }}-config-watcher + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "metallb.controllerServiceAccountName" . }} +- kind: ServiceAccount + name: {{ template "metallb.speakerServiceAccountName" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "metallb.fullname" . }}-config-watcher +{{- end -}} diff --git a/deployments/helm/servicemesh/metallb/templates/service-accounts.yaml b/deployments/helm/servicemesh/metallb/templates/service-accounts.yaml new file mode 100644 index 00000000..5b87a652 --- /dev/null +++ b/deployments/helm/servicemesh/metallb/templates/service-accounts.yaml @@ -0,0 +1,23 @@ +{{- if .Values.serviceAccounts.controller.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "metallb.controllerServiceAccountName" . }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} +{{- end }} +--- +{{- if .Values.serviceAccounts.speaker.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "metallb.speakerServiceAccountName" . }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} +{{- end }} diff --git a/deployments/helm/servicemesh/metallb/templates/speaker.yaml b/deployments/helm/servicemesh/metallb/templates/speaker.yaml new file mode 100644 index 00000000..53e2c675 --- /dev/null +++ b/deployments/helm/servicemesh/metallb/templates/speaker.yaml @@ -0,0 +1,80 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "metallb.fullname" . }}-speaker + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} + component: speaker +spec: + selector: + matchLabels: + app: {{ template "metallb.name" . }} + component: speaker + release: {{ .Release.Name | quote }} + template: + metadata: + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "metallb.chart" . }} + app: {{ template "metallb.name" . }} + component: speaker +{{- if .Values.prometheus.scrapeAnnotations }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "7472" +{{- end }} + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + serviceAccountName: {{ template "metallb.speakerServiceAccountName" . }} + terminationGracePeriodSeconds: 0 + hostNetwork: true + containers: + - name: speaker + image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag }} + imagePullPolicy: {{ .Values.speaker.image.pullPolicy }} + args: + - --port=7472 + - --config={{ template "metallb.configMapName" . }} + env: + - name: METALLB_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: METALLB_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + ports: + - name: monitoring + containerPort: 7472 + resources: +{{ toYaml .Values.speaker.resources | indent 10 }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + nodeSelector: + "beta.kubernetes.io/os": linux + {{- with .Values.speaker.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.speaker.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.speaker.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} |