From e21889ecea4200a1614b29a0370ff49eed7b7dc9 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Sat, 3 Feb 2024 23:18:34 -0600
Subject: [PATCH] chore: switch Nautobot to the chart broken out

Instead of dumping the templated chart out to one file, switch to helm's output-dir option to get spread out set of resource configs and document it.
---
components/09-nautobot/.gitignore | 1 +
components/09-nautobot/README.md | 26 +
.../09-nautobot/base/kustomization.yaml | 9 +
.../nautobot/templates/celery-deployment.yaml | 217 ++++++
.../base/nautobot/templates/configmap.yaml | 113 +++
.../templates/nautobot-deployment.yaml | 186 +++++
.../nautobot/templates/nginx-configmap.yaml | 68 ++
.../nautobot/templates/service-account.yaml | 14 +
.../base/nautobot/templates/service.yaml | 29 +
components/09-nautobot/kustomization.yaml | 6 +-
...nautobot-helm_2.0.5-plus-password-ref.yaml | 660 ------------------
11 files changed, 664 insertions(+), 665 deletions(-)
create mode 100644 components/09-nautobot/.gitignore
create mode 100644 components/09-nautobot/README.md
create mode 100644 components/09-nautobot/base/kustomization.yaml
create mode 100644 components/09-nautobot/base/nautobot/templates/celery-deployment.yaml
create mode 100644 components/09-nautobot/base/nautobot/templates/configmap.yaml
create mode 100644 components/09-nautobot/base/nautobot/templates/nautobot-deployment.yaml
create mode 100644 components/09-nautobot/base/nautobot/templates/nginx-configmap.yaml
create mode 100644 components/09-nautobot/base/nautobot/templates/service-account.yaml
create mode 100644 components/09-nautobot/base/nautobot/templates/service.yaml
delete mode 100644 components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml

diff --git a/components/09-nautobot/.gitignore b/components/09-nautobot/.gitignore
new file mode 100644
index 000000000..25c4b6c69
--- /dev/null
+++ b/components/09-nautobot/.gitignore
@@ -0,0 +1 @@
+base/nautobot/templates/secret.yaml
diff --git a/components/09-nautobot/README.md b/components/09-nautobot/README.md
new file mode 100644
index 000000000..fd3997128
--- /dev/null
+++ b/components/09-nautobot/README.md
@@ -0,0 +1,26 @@
+# nautobot
+
+The helm chart for nautobot doesn't actually support taking secrets in by reference.
+Instead they're read from the active cluster when supplied by reference which
+there might not be access for.
+has been opened to attempt to address this but without it being merged, kustomize's
+helm support can't consume it directly so the chart is templated out and committed
+here.
+
+The following commmands were run using
+from the top level of this repo:
+
+```bash
+helm template \
+ --namespace nautobot \
+ nautobot \
+ /path/to/nautobot/helm-charts/charts/nautobot \
+ --skip-tests \
+ -f components/09-nautobot/values.yaml \
+ --output-dir components/09-nautobot/base
+# we do secrets separately
+rm -f components/09-nautobot/base/nautobot/templates/secret.yaml
+cd components/09-nautobot/base
+kustomize create --autodetect --recursive
+cd ../../..
+```
diff --git a/components/09-nautobot/base/kustomization.yaml b/components/09-nautobot/base/kustomization.yaml
new file mode 100644
index 000000000..e411f2e64
--- /dev/null
+++ b/components/09-nautobot/base/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- nautobot/templates/celery-deployment.yaml
+- nautobot/templates/configmap.yaml
+- nautobot/templates/nautobot-deployment.yaml
+- nautobot/templates/nginx-configmap.yaml
+- nautobot/templates/service-account.yaml
+- nautobot/templates/service.yaml
diff --git a/components/09-nautobot/base/nautobot/templates/celery-deployment.yaml b/components/09-nautobot/base/nautobot/templates/celery-deployment.yaml
new file mode 100644
index 000000000..1efba4e73
--- /dev/null
+++ b/components/09-nautobot/base/nautobot/templates/celery-deployment.yaml
@@ -0,0 +1,217 @@ +--- +# Source: nautobot/templates/celery-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nautobot-celery-beat + namespace: "nautobot" + labels: + app.kubernetes.io/name: nautobot + helm.sh/chart: nautobot-2.0.5 + app.kubernetes.io/instance: nautobot + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "2.0.5" + app.kubernetes.io/component: nautobot-celery-beat +spec: + replicas: 1 + revisionHistoryLimit: 3 + strategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: nautobot + app.kubernetes.io/instance: nautobot + app.kubernetes.io/component: nautobot-celery-beat + template: + metadata: + labels: + app.kubernetes.io/name: nautobot + helm.sh/chart: nautobot-2.0.5 + app.kubernetes.io/instance: nautobot + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "2.0.5" + app.kubernetes.io/component: nautobot-celery-beat + spec: + serviceAccountName: nautobot + + affinity: + podAffinity: + + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/instance: nautobot + app.kubernetes.io/name: nautobot + app.kubernetes.io/component: nautobot-celery-beat + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + securityContext: + fsGroup: 999 + seccompProfile: + type: RuntimeDefault + initContainers: + containers: + - name: nautobot-celery + tty: true + image: ghcr.io/nautobot/nautobot:2.1.1-py3.11 + imagePullPolicy: Always + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsUser: 999 + command: + - nautobot-server + - celery + - beat + - --loglevel + - $(NAUTOBOT_LOG_LEVEL) + env: + - name: "NAUTOBOT_K8S_COMPONENT" + value: "nautobot-celery-beat" + - name: NAUTOBOT_DB_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-pguser-nautobot + key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: 
+ name: nautobot-redis + key: redis-password + envFrom: + - configMapRef: + name: nautobot-env + - secretRef: + name: nautobot-env + resources: + limits: + cpu: 3328m + memory: 6656M + requests: + cpu: 5m + memory: 256M + volumeMounts: + - name: "git-repos" + mountPath: "/opt/nautobot/git" + terminationGracePeriodSeconds: 30 + volumes: + - name: "git-repos" + emptyDir: {} +--- +# Source: nautobot/templates/celery-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nautobot-celery-default + namespace: "nautobot" + labels: + app.kubernetes.io/name: nautobot + helm.sh/chart: nautobot-2.0.5 + app.kubernetes.io/instance: nautobot + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "2.0.5" + app.kubernetes.io/component: nautobot-celery-default +spec: + replicas: 1 + revisionHistoryLimit: 3 + strategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: nautobot + app.kubernetes.io/instance: nautobot + app.kubernetes.io/component: nautobot-celery-default + template: + metadata: + labels: + app.kubernetes.io/name: nautobot + helm.sh/chart: nautobot-2.0.5 + app.kubernetes.io/instance: nautobot + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "2.0.5" + app.kubernetes.io/component: nautobot-celery-default + spec: + serviceAccountName: nautobot + + affinity: + podAffinity: + + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/instance: nautobot + app.kubernetes.io/name: nautobot + app.kubernetes.io/component: nautobot-celery-default + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + securityContext: + fsGroup: 999 + seccompProfile: + type: RuntimeDefault + initContainers: + containers: + - name: nautobot-celery + tty: true + image: ghcr.io/nautobot/nautobot:2.1.1-py3.11 + imagePullPolicy: Always + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + 
readOnlyRootFilesystem: false + runAsUser: 999 + command: + - nautobot-server + - celery + - worker + - --loglevel + - $(NAUTOBOT_LOG_LEVEL) + - --queues + - $(CELERY_TASK_QUEUES) + - --events + env: + - name: "NAUTOBOT_K8S_COMPONENT" + value: "nautobot-celery-default" + - name: "CELERY_TASK_QUEUES" + value: "default" + - name: NAUTOBOT_DB_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-pguser-nautobot + key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password + envFrom: + - configMapRef: + name: nautobot-env + - secretRef: + name: nautobot-env + resources: + limits: + cpu: 3328m + memory: 6656M + requests: + cpu: 400m + memory: 1G + volumeMounts: + - name: "git-repos" + mountPath: "/opt/nautobot/git" + terminationGracePeriodSeconds: 30 + volumes: + - name: "git-repos" + emptyDir: {} diff --git a/components/09-nautobot/base/nautobot/templates/configmap.yaml b/components/09-nautobot/base/nautobot/templates/configmap.yaml new file mode 100644 index 000000000..7f8f7b9e7 --- /dev/null +++ b/components/09-nautobot/base/nautobot/templates/configmap.yaml 
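Review bot: Both celery Deployments run `image: ghcr.io/nautobot/nautobot:2.1.1-py3.11` with `imagePullPolicy: Always`, so the code that actually runs can change whenever that tag is re-pushed, even though the point of committing the rendered chart is to make the deployment reproducible from git. Pinning by digest closes that gap, e.g. `image: ghcr.io/nautobot/nautobot:2.1.1-py3.11@sha256:<digest-of-the-verified-image>` (placeholder), and because this file is `helm template` output the pin should be set in values.yaml and re-rendered rather than edited here. The same applies to the init and main containers in nautobot-deployment.yaml. Note also that the rendered labels still report `app.kubernetes.io/version: "2.0.5"` (the chart's appVersion) while the image is 2.1.1, so anything keying on that label for inventory or vulnerability tracking will see the wrong version.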
@@ -0,0 +1,113 @@ +--- +# Source: nautobot/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: nautobot-env + namespace: "nautobot" + labels: + app.kubernetes.io/name: nautobot + helm.sh/chart: nautobot-2.0.5 + app.kubernetes.io/instance: nautobot + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "2.0.5" +data: + NAUTOBOT_ALLOWED_HOSTS: "*" + NAUTOBOT_CREATE_SUPERUSER: "true" + NAUTOBOT_DB_ENGINE: "django.db.backends.postgresql" + NAUTOBOT_DB_HOST: "nautobot-primary.nautobot.svc" + NAUTOBOT_DB_NAME: "nautobot" + NAUTOBOT_DB_PORT: "5432" + NAUTOBOT_DB_TIMEOUT: "300" + NAUTOBOT_DB_USER: "nautobot" + NAUTOBOT_DEBUG: "False" + NAUTOBOT_LOG_LEVEL: "INFO" + NAUTOBOT_METRICS_ENABLED: "True" + NAUTOBOT_REDIS_HOST: "nautobot-redis-master" + NAUTOBOT_REDIS_PORT: "6379" + NAUTOBOT_REDIS_USERNAME: "" + NAUTOBOT_REDIS_SSL: "False" + NAUTOBOT_SUPERUSER_EMAIL: "admin@example.com" + NAUTOBOT_SUPERUSER_NAME: "admin" +--- +# Source: nautobot/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: nautobot-config + namespace: "nautobot" + labels: + app.kubernetes.io/name: nautobot + helm.sh/chart: nautobot-2.0.5 + app.kubernetes.io/instance: nautobot + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "2.0.5" +data: + + uwsgi.ini: | + [uwsgi] + ; The IP address (typically localhost) and port that the WSGI process should listen on + http = 0.0.0.0:8080 + https = 0.0.0.0:8443,/opt/nautobot/nautobot.crt,/opt/nautobot/nautobot.key + + + ; Fail to start if any parameter in the configuration file isn’t explicitly understood by uWSGI + strict = true + + ; Enable master process to gracefully re-spawn and pre-fork workers + master = true + + ; Allow Python app-generated threads to run + enable-threads = true + + ;Try to remove all of the generated file/sockets during shutdown + vacuum = true + + ; Do not use multiple interpreters, allowing only Nautobot to run + single-interpreter = true + + ; Shutdown when receiving 
SIGTERM (default is respawn) + die-on-term = true + + ; Prevents uWSGI from starting if it is unable load Nautobot (usually due to errors) + need-app = true + + ; By default, uWSGI has rather verbose logging that can be noisy + disable-logging = true + + ; Assert that critical 4xx and 5xx errors are still logged + log-4xx = true + log-5xx = true + + ; Enable HTTP 1.1 keepalive support + http-keepalive = 1 + + ; + ; Advanced settings (disabled by default) + ; Customize these for your environment if and only if you need them. + ; Ref: https://uwsgi-docs.readthedocs.io/en/latest/Options.html + ; + + ; Number of uWSGI workers to spawn. This should typically be 2n+1, where n is the number of CPU cores present. Default 3 as n will be >= 1 + processes = 3 + + ; Number of uWSGI threads each worker will be pre-forked into before starting + threads = 2 + + ; set the socket listen queue size, in production the suggested value is 1024, however RHEL based kernels have a max of 128 by default + ; you may need to increase the somaxconn parameter in your kernel + listen = 128 + + ; If using subdirectory hosting e.g. example.com/nautobot, you must uncomment this line. Otherwise you'll get double paths e.g. example.com/nautobot/nautobot/. + ; See: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action + ; route-run = fixpathinfo: + + ; If hosted behind a load balancer uncomment these lines, the harakiri timeout should be greater than your load balancer timeout. + ; Ref: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html?highlight=keepalive#http-keep-alive + ; harakiri = 65 + ; add-header = Connection: Keep-Alive + ; http-keepalive = 1 + + ; For larger installations, certain API calls (example: Relationships, GraphQL) can have a length of query parameters that go over uWSGI default limit. + ; Setting the buffer size to larger than default (4096) can have an impact on memory utilization, but can be set as high as the header limit of 65535. 
+ buffer-size = 4096 diff --git a/components/09-nautobot/base/nautobot/templates/nautobot-deployment.yaml b/components/09-nautobot/base/nautobot/templates/nautobot-deployment.yaml new file mode 100644 index 000000000..ef78e8558 --- /dev/null +++ b/components/09-nautobot/base/nautobot/templates/nautobot-deployment.yaml 
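Review bot: `NAUTOBOT_ALLOWED_HOSTS: "*"` in the nautobot-env ConfigMap disables Django's Host-header validation, so the app will build absolute URLs (password-reset mail, redirects) from whatever Host a client sends; since the Service is ClusterIP only, this is presumably reached through an ingress, and the value should be that ingress hostname, e.g. `NAUTOBOT_ALLOWED_HOSTS: "nautobot.example.internal"` (placeholder), set in values.yaml and re-rendered. `NAUTOBOT_CREATE_SUPERUSER: "true"` with `NAUTOBOT_SUPERUSER_NAME: "admin"` also re-runs the superuser bootstrap on every start; the password and API token presumably come from the `nautobot-env` Secret that is deliberately kept out of this tree, so it is worth a line in the README stating which keys that Secret must carry and that the flag can be turned off once the account exists. `NAUTOBOT_SUPERUSER_EMAIL: "admin@example.com"` looks like a chart default left in place rather than a real address.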
@@ -0,0 +1,186 @@ +--- +# Source: nautobot/templates/nautobot-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nautobot-default + namespace: "nautobot" + labels: + app.kubernetes.io/name: nautobot + helm.sh/chart: nautobot-2.0.5 + app.kubernetes.io/instance: nautobot + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "2.0.5" + app.kubernetes.io/component: nautobot-default +spec: + replicas: 2 + revisionHistoryLimit: 3 + strategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: nautobot + app.kubernetes.io/instance: nautobot + app.kubernetes.io/component: nautobot-default + template: + metadata: + labels: + app.kubernetes.io/name: nautobot + helm.sh/chart: nautobot-2.0.5 + app.kubernetes.io/instance: nautobot + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "2.0.5" + app.kubernetes.io/component: nautobot-default + spec: + serviceAccountName: nautobot + + affinity: + podAffinity: + + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/instance: nautobot + app.kubernetes.io/name: nautobot + app.kubernetes.io/component: nautobot-default + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + securityContext: + fsGroup: 999 + seccompProfile: + type: RuntimeDefault + initContainers: + # This init container will run post_upgrade which initializes/upgrades the DB as well as collects static files + - name: nautobot-init + image: ghcr.io/nautobot/nautobot:2.1.1-py3.11 + imagePullPolicy: Always + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsGroup: 999 + runAsUser: 999 + args: + - "echo" + - "Nautobot Initialization Done" + env: + - name: NAUTOBOT_DB_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-pguser-nautobot + key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: 
nautobot-redis + key: redis-password + envFrom: + - configMapRef: + name: nautobot-env + - secretRef: + name: nautobot-env + resources: + limits: + cpu: 1000m + memory: 8704M + requests: + cpu: 300m + memory: 1280M + volumeMounts: + - name: "nautobot-static" + mountPath: "/opt/nautobot/static" + - name: "git-repos" + mountPath: "/opt/nautobot/git" + - name: "nautobot-config" + mountPath: "/opt/nautobot/uwsgi.ini" + subPath: "uwsgi.ini" + containers: + - name: nautobot + tty: true + image: ghcr.io/nautobot/nautobot:2.1.1-py3.11 + imagePullPolicy: Always + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsGroup: 999 + runAsUser: 999 + command: + - nautobot-server + - start + - --ini + - /opt/nautobot/uwsgi.ini + env: + - name: "NAUTOBOT_K8S_COMPONENT" + value: "nautobot-default" + - name: NAUTOBOT_DB_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-pguser-nautobot + key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password + envFrom: + - configMapRef: + name: nautobot-env + - secretRef: + name: nautobot-env + resources: + limits: + cpu: 1000m + memory: 8704M + requests: + cpu: 300m + memory: 1280M + livenessProbe: + failureThreshold: 3 + httpGet: + path: /api/ + port: http + initialDelaySeconds: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health/ + port: http + initialDelaySeconds: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - name: "nautobot-static" + mountPath: "/opt/nautobot/static" + - name: "git-repos" + mountPath: "/opt/nautobot/git" + - name: "nautobot-config" + mountPath: "/opt/nautobot/uwsgi.ini" + subPath: "uwsgi.ini" + ports: + - name: "https" + containerPort: 8443 + - name: "http" + containerPort: 8080 + + terminationGracePeriodSeconds: 30 + volumes: + - name: "nautobot-static" + emptyDir: {} + - 
name: "git-repos" + emptyDir: {} + - name: "nautobot-config" + configMap: + name: nautobot-config diff --git a/components/09-nautobot/base/nautobot/templates/nginx-configmap.yaml b/components/09-nautobot/base/nautobot/templates/nginx-configmap.yaml new file mode 100644 index 000000000..9996775d9 --- /dev/null +++ b/components/09-nautobot/base/nautobot/templates/nginx-configmap.yaml @@ -0,0 +1,68 @@ +--- +# Source: nautobot/templates/nginx-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: nautobot-nginx-config + namespace: "nautobot" + labels: + app.kubernetes.io/name: nautobot + helm.sh/chart: nautobot-2.0.5 + app.kubernetes.io/instance: nautobot + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/version: "2.0.5" + app.kubernetes.io/component: nautobot-nginx +data: + nautobot.conf: |- + server { + listen 8443 ssl http2 default_server; + listen [::]:8443 ssl http2 default_server; + + server_name _; + + ssl_certificate /opt/nautobot_certs/nautobot.crt; + ssl_certificate_key /opt/nautobot_certs/nautobot.key; + + client_max_body_size 25m; + + location /static/ { + alias /opt/nautobot/static/; + } + + location / { + include uwsgi_params; + uwsgi_pass 127.0.0.1:8001; + uwsgi_param Host $host; + uwsgi_param X-Real-IP $remote_addr; + uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for; + uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto; + } + } + + server { + listen 8080 default_server; + listen [::]:8080 default_server; + + server_name _; + + client_max_body_size 25m; + + location /static/ { + alias /opt/nautobot/static/; + } + + location / { + include uwsgi_params; + uwsgi_pass 127.0.0.1:8001; + uwsgi_param Host $host; + uwsgi_param X-Real-IP $remote_addr; + uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for; + uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto; + } + } + server { + listen 8002; + location / { + stub_status; + } + } 
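Review bot: The comment above the `nautobot-init` init container says it runs post_upgrade to initialise/upgrade the DB and collect static files, but its `args` are just `"echo"`, `"Nautobot Initialization Done"`, so nothing migrates the schema before `nautobot-server start` comes up in the main container; either the comment is stale or migrations are run out of band, and the rendered file should say which. If the no-op is intentional, change the comment to `# init container is intentionally a no-op here; post_upgrade (migrations, collectstatic) is run out of band` and put the actual procedure in the README. Also, every container here and in celery-deployment.yaml has `secretRef: nautobot-env` under `envFrom` without `optional: true`, and secret.yaml is deleted from the render and gitignored, so the pods sit in CreateContainerConfigError until that Secret is created by some other path; the README should name that path. Since these files are `helm template` output, both fixes belong in values.yaml followed by a re-render.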
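Review bot: The `nautobot-nginx-config` ConfigMap is rendered and listed in base/kustomization.yaml, but nothing consumes it: the nautobot Deployment mounts only `nautobot-static`, `git-repos` and `nautobot-config`, and there is no nginx container anywhere in this change, since uwsgi itself listens on 8080/8443. If an nginx front is not planned, disable it in values.yaml and drop `nautobot/templates/nginx-configmap.yaml` from `resources:` so the base holds only what is deployed; if it is kept for later, add `# currently unused: no nginx container mounts this ConfigMap` above `data:`. Worth noting for when it is wired in: the `listen 8002` / `stub_status` server has no `allow`/`deny`, so the status endpoint would be readable by anything that can reach the pod.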
diff --git a/components/09-nautobot/base/nautobot/templates/service-account.yaml b/components/09-nautobot/base/nautobot/templates/service-account.yaml
new file mode 100644
index 000000000..0ee8de24c
--- /dev/null
+++ b/components/09-nautobot/base/nautobot/templates/service-account.yaml
@@ -0,0 +1,14 @@
+---
+# Source: nautobot/templates/service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nautobot
+ namespace: "nautobot"
+ labels:
+ app.kubernetes.io/name: nautobot
+ helm.sh/chart: nautobot-2.0.5
+ app.kubernetes.io/instance: nautobot
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "2.0.5"
+automountServiceAccountToken: false
diff --git a/components/09-nautobot/base/nautobot/templates/service.yaml b/components/09-nautobot/base/nautobot/templates/service.yaml
new file mode 100644
index 000000000..3caf3e0a8
--- /dev/null
+++ b/components/09-nautobot/base/nautobot/templates/service.yaml
@@ -0,0 +1,29 @@
+---
+# Source: nautobot/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: nautobot-default
+ namespace: "nautobot"
+ labels:
+ app.kubernetes.io/name: nautobot
+ helm.sh/chart: nautobot-2.0.5
+ app.kubernetes.io/instance: nautobot
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "2.0.5"
+ app.kubernetes.io/component: nautobot-default
+spec:
+ type: ClusterIP
+ ports:
+ - protocol: "TCP"
+ port: 443
+ targetPort: "https"
+ name: "https"
+ - protocol: "TCP"
+ port: 80
+ targetPort: "http"
+ name: "http"
+ selector:
+ app.kubernetes.io/name: nautobot
+ app.kubernetes.io/instance: nautobot
+ app.kubernetes.io/component: nautobot-default
diff --git a/components/09-nautobot/kustomization.yaml b/components/09-nautobot/kustomization.yaml
index 425b52865..3b0aaa9b7 100644
--- a/components/09-nautobot/kustomization.yaml
+++ b/components/09-nautobot/kustomization.yaml
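Review bot: The Service's `https` port (443 → `targetPort: "https"`, container port 8443) is served by uwsgi's `https = 0.0.0.0:8443,/opt/nautobot/nautobot.crt,/opt/nautobot/nautobot.key` line from the nautobot-config ConfigMap, yet no volume in nautobot-deployment.yaml mounts anything at /opt/nautobot/nautobot.crt, so the certificate presented is whatever ships inside the image, presumably a self-signed one. If clients or the ingress are meant to use port 443, the cert and key should come from a Secret mounted at that path (or a cert-manager issued one), configured in values.yaml and re-rendered; if only the `http` port is used behind an ingress that terminates TLS, a comment on the `https` port saying so would stop the next reader from assuming it is trusted.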
@@ -3,11 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -# the hack for the helm chart rendered this manually from the branch with -# the following command: -# helm template -n nautobot nautobot ./ -f values.yaml > nautobot-helm_2.0.5-plus-password-ref.yaml -# then I hand deleted the Secret kind - - nautobot-helm_2.0.5-plus-password-ref.yaml + - base # can't use the helm chart until # https://github.com/nautobot/helm-charts/pull/356 diff --git a/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml b/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml deleted file mode 100644 index 45c18e349..000000000 --- a/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml +++ /dev/null 
@@ -1,660 +0,0 @@ ---- -# Source: nautobot/templates/service-account.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nautobot - namespace: "nautobot" - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" -automountServiceAccountToken: false ---- -# Source: nautobot/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nautobot-env - namespace: "nautobot" - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" -data: - NAUTOBOT_ALLOWED_HOSTS: "*" - NAUTOBOT_CREATE_SUPERUSER: "true" - NAUTOBOT_DB_ENGINE: "django.db.backends.postgresql" - NAUTOBOT_DB_HOST: "nautobot-primary.nautobot.svc" - NAUTOBOT_DB_NAME: "nautobot" - NAUTOBOT_DB_PORT: "5432" - NAUTOBOT_DB_TIMEOUT: "300" - NAUTOBOT_DB_USER: "nautobot" - NAUTOBOT_DEBUG: "False" - NAUTOBOT_LOG_LEVEL: "INFO" - NAUTOBOT_METRICS_ENABLED: "True" - NAUTOBOT_REDIS_HOST: "nautobot-redis-master" - NAUTOBOT_REDIS_PORT: "6379" - NAUTOBOT_REDIS_USERNAME: "" - NAUTOBOT_REDIS_SSL: "False" - NAUTOBOT_SUPERUSER_EMAIL: "admin@example.com" - NAUTOBOT_SUPERUSER_NAME: "admin" ---- -# Source: nautobot/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nautobot-config - namespace: "nautobot" - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" -data: - - uwsgi.ini: | - [uwsgi] - ; The IP address (typically localhost) and port that the WSGI process should listen on - http = 0.0.0.0:8080 - https = 0.0.0.0:8443,/opt/nautobot/nautobot.crt,/opt/nautobot/nautobot.key - - - ; Fail to start if any parameter in the configuration file isn’t explicitly understood by uWSGI - strict = true 
- - ; Enable master process to gracefully re-spawn and pre-fork workers - master = true - - ; Allow Python app-generated threads to run - enable-threads = true - - ;Try to remove all of the generated file/sockets during shutdown - vacuum = true - - ; Do not use multiple interpreters, allowing only Nautobot to run - single-interpreter = true - - ; Shutdown when receiving SIGTERM (default is respawn) - die-on-term = true - - ; Prevents uWSGI from starting if it is unable load Nautobot (usually due to errors) - need-app = true - - ; By default, uWSGI has rather verbose logging that can be noisy - disable-logging = true - - ; Assert that critical 4xx and 5xx errors are still logged - log-4xx = true - log-5xx = true - - ; Enable HTTP 1.1 keepalive support - http-keepalive = 1 - - ; - ; Advanced settings (disabled by default) - ; Customize these for your environment if and only if you need them. - ; Ref: https://uwsgi-docs.readthedocs.io/en/latest/Options.html - ; - - ; Number of uWSGI workers to spawn. This should typically be 2n+1, where n is the number of CPU cores present. Default 3 as n will be >= 1 - processes = 3 - - ; Number of uWSGI threads each worker will be pre-forked into before starting - threads = 2 - - ; set the socket listen queue size, in production the suggested value is 1024, however RHEL based kernels have a max of 128 by default - ; you may need to increase the somaxconn parameter in your kernel - listen = 128 - - ; If using subdirectory hosting e.g. example.com/nautobot, you must uncomment this line. Otherwise you'll get double paths e.g. example.com/nautobot/nautobot/. - ; See: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action - ; route-run = fixpathinfo: - - ; If hosted behind a load balancer uncomment these lines, the harakiri timeout should be greater than your load balancer timeout. 
- ; Ref: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html?highlight=keepalive#http-keep-alive - ; harakiri = 65 - ; add-header = Connection: Keep-Alive - ; http-keepalive = 1 - - ; For larger installations, certain API calls (example: Relationships, GraphQL) can have a length of query parameters that go over uWSGI default limit. - ; Setting the buffer size to larger than default (4096) can have an impact on memory utilization, but can be set as high as the header limit of 65535. - buffer-size = 4096 ---- -# Source: nautobot/templates/nginx-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nautobot-nginx-config - namespace: "nautobot" - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" - app.kubernetes.io/component: nautobot-nginx -data: - nautobot.conf: |- - server { - listen 8443 ssl http2 default_server; - listen [::]:8443 ssl http2 default_server; - - server_name _; - - ssl_certificate /opt/nautobot_certs/nautobot.crt; - ssl_certificate_key /opt/nautobot_certs/nautobot.key; - - client_max_body_size 25m; - - location /static/ { - alias /opt/nautobot/static/; - } - - location / { - include uwsgi_params; - uwsgi_pass 127.0.0.1:8001; - uwsgi_param Host $host; - uwsgi_param X-Real-IP $remote_addr; - uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for; - uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto; - } - } - - server { - listen 8080 default_server; - listen [::]:8080 default_server; - - server_name _; - - client_max_body_size 25m; - - location /static/ { - alias /opt/nautobot/static/; - } - - location / { - include uwsgi_params; - uwsgi_pass 127.0.0.1:8001; - uwsgi_param Host $host; - uwsgi_param X-Real-IP $remote_addr; - uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for; - uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto; - } - } - server { - listen 8002; - location / { - stub_status; - 
} - } ---- -# Source: nautobot/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: nautobot-default - namespace: "nautobot" - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" - app.kubernetes.io/component: nautobot-default -spec: - type: ClusterIP - ports: - - protocol: "TCP" - port: 443 - targetPort: "https" - name: "https" - - protocol: "TCP" - port: 80 - targetPort: "http" - name: "http" - selector: - app.kubernetes.io/name: nautobot - app.kubernetes.io/instance: nautobot - app.kubernetes.io/component: nautobot-default ---- -# Source: nautobot/templates/celery-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nautobot-celery-beat - namespace: "nautobot" - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" - app.kubernetes.io/component: nautobot-celery-beat -spec: - replicas: 1 - revisionHistoryLimit: 3 - strategy: - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/name: nautobot - app.kubernetes.io/instance: nautobot - app.kubernetes.io/component: nautobot-celery-beat - template: - metadata: - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" - app.kubernetes.io/component: nautobot-celery-beat - spec: - serviceAccountName: nautobot - - affinity: - podAffinity: - - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: nautobot - app.kubernetes.io/component: nautobot-celery-beat - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - securityContext: - 
fsGroup: 999 - seccompProfile: - type: RuntimeDefault - initContainers: - containers: - - name: nautobot-celery - tty: true - image: ghcr.io/nautobot/nautobot:2.1.1-py3.11 - imagePullPolicy: Always - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsUser: 999 - command: - - nautobot-server - - celery - - beat - - --loglevel - - $(NAUTOBOT_LOG_LEVEL) - env: - - name: "NAUTOBOT_K8S_COMPONENT" - value: "nautobot-celery-beat" - - name: NAUTOBOT_DB_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-pguser-nautobot - key: password - - name: NAUTOBOT_REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-redis - key: redis-password - envFrom: - - configMapRef: - name: nautobot-env - - secretRef: - name: nautobot-env - resources: - limits: - cpu: 3328m - memory: 6656M - requests: - cpu: 5m - memory: 256M - volumeMounts: - - name: "git-repos" - mountPath: "/opt/nautobot/git" - terminationGracePeriodSeconds: 30 - volumes: - - name: "git-repos" - emptyDir: {} ---- -# Source: nautobot/templates/celery-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nautobot-celery-default - namespace: "nautobot" - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" - app.kubernetes.io/component: nautobot-celery-default -spec: - replicas: 1 - revisionHistoryLimit: 3 - strategy: - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/name: nautobot - app.kubernetes.io/instance: nautobot - app.kubernetes.io/component: nautobot-celery-default - template: - metadata: - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" - app.kubernetes.io/component: nautobot-celery-default - spec: - serviceAccountName: nautobot 
- - affinity: - podAffinity: - - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: nautobot - app.kubernetes.io/component: nautobot-celery-default - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - securityContext: - fsGroup: 999 - seccompProfile: - type: RuntimeDefault - initContainers: - containers: - - name: nautobot-celery - tty: true - image: ghcr.io/nautobot/nautobot:2.1.1-py3.11 - imagePullPolicy: Always - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsUser: 999 - command: - - nautobot-server - - celery - - worker - - --loglevel - - $(NAUTOBOT_LOG_LEVEL) - - --queues - - $(CELERY_TASK_QUEUES) - - --events - env: - - name: "NAUTOBOT_K8S_COMPONENT" - value: "nautobot-celery-default" - - name: "CELERY_TASK_QUEUES" - value: "default" - - name: NAUTOBOT_DB_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-pguser-nautobot - key: password - - name: NAUTOBOT_REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-redis - key: redis-password - envFrom: - - configMapRef: - name: nautobot-env - - secretRef: - name: nautobot-env - resources: - limits: - cpu: 3328m - memory: 6656M - requests: - cpu: 400m - memory: 1G - volumeMounts: - - name: "git-repos" - mountPath: "/opt/nautobot/git" - terminationGracePeriodSeconds: 30 - volumes: - - name: "git-repos" - emptyDir: {} ---- -# Source: nautobot/templates/nautobot-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nautobot-default - namespace: "nautobot" - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" - app.kubernetes.io/component: nautobot-default -spec: - replicas: 2 - revisionHistoryLimit: 3 - strategy: - type: 
RollingUpdate - selector: - matchLabels: - app.kubernetes.io/name: nautobot - app.kubernetes.io/instance: nautobot - app.kubernetes.io/component: nautobot-default - template: - metadata: - labels: - app.kubernetes.io/name: nautobot - helm.sh/chart: nautobot-2.0.5 - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/version: "2.0.5" - app.kubernetes.io/component: nautobot-default - spec: - serviceAccountName: nautobot - - affinity: - podAffinity: - - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: nautobot - app.kubernetes.io/component: nautobot-default - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - securityContext: - fsGroup: 999 - seccompProfile: - type: RuntimeDefault - initContainers: - # This init container will run post_upgrade which initializes/upgrades the DB as well as collects static files - - name: nautobot-init - image: ghcr.io/nautobot/nautobot:2.1.1-py3.11 - imagePullPolicy: Always - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsGroup: 999 - runAsUser: 999 - args: - - "echo" - - "Nautobot Initialization Done" - env: - - name: NAUTOBOT_DB_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-pguser-nautobot - key: password - - name: NAUTOBOT_REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-redis - key: redis-password - envFrom: - - configMapRef: - name: nautobot-env - - secretRef: - name: nautobot-env - resources: - limits: - cpu: 1000m - memory: 8704M - requests: - cpu: 300m - memory: 1280M - volumeMounts: - - name: "nautobot-static" - mountPath: "/opt/nautobot/static" - - name: "git-repos" - mountPath: "/opt/nautobot/git" - - name: "nautobot-config" - mountPath: "/opt/nautobot/uwsgi.ini" - subPath: "uwsgi.ini" - containers: - - name: nautobot - tty: true - image: 
ghcr.io/nautobot/nautobot:2.1.1-py3.11 - imagePullPolicy: Always - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsGroup: 999 - runAsUser: 999 - command: - - nautobot-server - - start - - --ini - - /opt/nautobot/uwsgi.ini - env: - - name: "NAUTOBOT_K8S_COMPONENT" - value: "nautobot-default" - - name: NAUTOBOT_DB_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-pguser-nautobot - key: password - - name: NAUTOBOT_REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-redis - key: redis-password - envFrom: - - configMapRef: - name: nautobot-env - - secretRef: - name: nautobot-env - resources: - limits: - cpu: 1000m - memory: 8704M - requests: - cpu: 300m - memory: 1280M - livenessProbe: - failureThreshold: 3 - httpGet: - path: /api/ - port: http - initialDelaySeconds: 3 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /health/ - port: http - initialDelaySeconds: 3 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - volumeMounts: - - name: "nautobot-static" - mountPath: "/opt/nautobot/static" - - name: "git-repos" - mountPath: "/opt/nautobot/git" - - name: "nautobot-config" - mountPath: "/opt/nautobot/uwsgi.ini" - subPath: "uwsgi.ini" - ports: - - name: "https" - containerPort: 8443 - - name: "http" - containerPort: 8080 - - terminationGracePeriodSeconds: 30 - volumes: - - name: "nautobot-static" - emptyDir: {} - - name: "git-repos" - emptyDir: {} - - name: "nautobot-config" - configMap: - name: nautobot-config ---- -# Source: nautobot/templates/tests/test-connection.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "nautobot-default-test" - namespace: "nautobot" - labels: - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: "docker.io/library/busybox" - imagePullPolicy: "Always" - command: ['wget'] - args: ['-O', '/dev/null', 'nautobot-default.nautobot.svc:80'] - 
resources: - limits: - memory: "128Mi" - cpu: "500m" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 10000 - capabilities: - drop: - - "ALL" - restartPolicy: Never - securityContext: - seccompProfile: - type: RuntimeDefault - runAsNonRoot: true