diff --git a/.gitignore b/.gitignore
index 0c5d187..d8407b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,9 +7,12 @@
 !/work/cpouta
 !/work/ddclient.template.conf
 !/work/supernetes-cluster.yaml
+!/work/manifests/cert-approver/**
 !/work/manifests/flux/**
 !/work/manifests/gateway-api/**
+!/work/manifests/metrics-server/**
 !/work/manifests/supernetes/**
 !/work/manifests/kustomization.yaml
 !/work/patch/cilium.yaml
+!/work/patch/metrics-server.yaml
 !/work/patch/single-node.yaml
diff --git a/work/manifests/cert-approver/kustomization.yaml b/work/manifests/cert-approver/kustomization.yaml
new file mode 100644
index 0000000..5478f81
--- /dev/null
+++ b/work/manifests/cert-approver/kustomization.yaml
@@ -0,0 +1,4 @@
+namespace: cert-approver
+
+resources:
+ - github.com/alex1989hu/kubelet-serving-cert-approver//deploy/base?ref=main
diff --git a/work/manifests/kustomization.yaml b/work/manifests/kustomization.yaml
index d103430..d73fadf 100644
--- a/work/manifests/kustomization.yaml
+++ b/work/manifests/kustomization.yaml
@@ -1,4 +1,6 @@
 resources:
+ - cert-approver
 - flux
 - gateway-api
+ - metrics-server
 - supernetes
diff --git a/work/manifests/metrics-server/charts/metrics-server/.helmignore b/work/manifests/metrics-server/charts/metrics-server/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/work/manifests/metrics-server/charts/metrics-server/CHANGELOG.md b/work/manifests/metrics-server/charts/metrics-server/CHANGELOG.md
new file mode 100644
index 0000000..bc073eb
--- /dev/null
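Review bot: The remote base in work/manifests/cert-approver/kustomization.yaml is fetched with `?ref=main`, a mutable branch, so each `kustomize build` can resolve to different upstream manifests without any change in this repository. That matters more than usual here because, going by its name, this controller approves kubelet serving certificate requests, and whatever RBAC its base declares is applied to the cluster as-is. Pin the reference to a release tag or, better, a full commit SHA, e.g. `- github.com/alex1989hu/kubelet-serving-cert-approver//deploy/base?ref=PINNED_COMMIT_SHA` (placeholder), and review the rendered output on each bump.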
+++ b/work/manifests/metrics-server/charts/metrics-server/CHANGELOG.md 
@@ -0,0 +1,168 @@ +# Metrics Server Helm Chart Changelog + +> [!NOTE] +> All notable changes to this project will be documented in this file; the format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + + + +## [UNRELEASED] + +## [3.12.2] - TBC + +### Added + +- Explicitly added the app protocol to the service. ([#1540](https://github.com/kubernetes-sigs/metrics-server/pull/1540)) _@seankhliao_ + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.7.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.2). ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ +- Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21). ([#1504](https://github.com/kubernetes-sigs/metrics-server/pull/1504)) _@jimmy-ungerman_ +- Changed `Deployment` templating to ignore `schedulerName` when value is empty. ([#1475](https://github.com/kubernetes-sigs/metrics-server/pull/1475)) _@senges_ + +### Fixed + +- Fixed PSPs to only be templated for supported K8s versions. ([#1471](https://github.com/kubernetes-sigs/metrics-server/pull/1471)) _@treksler_ +- Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace. ([#1479](https://github.com/kubernetes-sigs/metrics-server/pull/1479)) _@the-technat_ +- Fixed the `ServiceMonitor` job label. ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ + +## [3.12.1] - 2024-04-05 + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.7.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1). 
([#1461](https://github.com/kubernetes-sigs/metrics-server/pull/1461)) _@stevehipwell_ + +## [3.12.0] - 2024-02-07 + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.7.0](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0). ([#1414](https://github.com/kubernetes-sigs/metrics-server/pull/1414)) [@stevehipwell](https://github.com/stevehipwell) +- Updated the _addon-resizer_ OCI image to [v1.8.20](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.20). ([#1414](https://github.com/kubernetes-sigs/metrics-server/pull/1414)) [@stevehipwell](https://github.com/stevehipwell) + +## [3.11.0] - 2023-08-03 + +### Added + +- Added default _Metrics Server_ resource requests. + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.6.4](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.4). +- Updated the _addon-resizer_ OCI image to [v1.8.19](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.19). + +## [3.10.0] - 2023-04-12 + +### Added + +- Added support for running under PodSecurity restricted. + +### Fixed + +- Fixed `auth-reader` role binding namespace to always use `kube-system`. +- Fixed addon-resizer configuration. +- Fixed container port default not having been updated to `10250`. + +## [3.9.0] - 2023-03-28 + +### Added + +- Added autoscaling support via the addon-resizer. + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.6.3](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3). + +### Fixed + +- Fixed service labels/annotations. + +## [3.8.4] - 2023-03-06 + +### Changed + +- Changed the image registry location to `registry.k8s.io`. + +## [3.8.3] - 2022-12-08 + +### Added + +- Added support for topologySpreadConstraints. +- Always set resource namespaces explicitly. +- Allow configuring TLS on the APIService. +- Enabled service monitor relabelling. +- Added ability to set the scheduler name. +- Added support for common labels. 
+ +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.6.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2). + +## [3.8.2] - 2022-02-23 + +### Changed + +- Changed chart to allow probes to be turned off completely (this is not advised unless you know what you're doing). + +## [3.8.1] - 2022-02-09 + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.6.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1). + +## [3.8.0] - 2022-02-08 + +### Added + +- Added support for unauthenticated access to the /metrics endpoint. +- Added optional _Prometheus Operator_ `ServiceMonitor`. + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.6.0](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.0). + +## [3.7.0] - 2021-11-18 + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.5.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2). + +## [3.6.0] - 2021-10-18 + +### Added + +- Added new `defaultArgs`` value to enable overriding the default arguments. + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.5.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.1). + +## [3.5.0] - 2021-10-07 + +### Added + +- Added initial Helm chart release from official repo. 
+ + +[UNRELEASED]: https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server +[3.12.2]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.2 +[3.12.1]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.1 +[3.12.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.0 +[3.11.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.11.0 +[3.10.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.10.0 +[3.9.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.9.0 +[3.8.4]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.4 +[3.8.3]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.3 +[3.8.2]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.2 +[3.8.1]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.1 +[3.8.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.0 +[3.7.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.7.0 +[3.6.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.6.0 +[3.5.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.5.0 diff --git a/work/manifests/metrics-server/charts/metrics-server/Chart.yaml b/work/manifests/metrics-server/charts/metrics-server/Chart.yaml new file mode 100644 index 0000000..3bff399 --- /dev/null +++ b/work/manifests/metrics-server/charts/metrics-server/Chart.yaml 
@@ -0,0 +1,32 @@
+annotations:
+ artifacthub.io/changes: |
+ - kind: added
+ description: "Explicitly added the app protocol to the service."
+ - kind: changed
+ description: "Updated the _Metrics Server_ OCI image to [v0.7.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.2)."
+ - kind: changed
+ description: "Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21)"
+ - kind: fixed
+ description: "Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace."
+apiVersion: v2
+appVersion: 0.7.2
+description: Metrics Server is a scalable, efficient source of container resource
+ metrics for Kubernetes built-in autoscaling pipelines.
+home: https://github.com/kubernetes-sigs/metrics-server
+icon: https://avatars.githubusercontent.com/u/36015203?s=400&v=4
+keywords:
+- kubernetes
+- metrics-server
+- metrics
+maintainers:
+- name: stevehipwell
+ url: https://github.com/stevehipwell
+- name: krmichel
+ url: https://github.com/krmichel
+- name: endrec
+ url: https://github.com/endrec
+name: metrics-server
+sources:
+- https://github.com/kubernetes-sigs/metrics-server
+type: application
+version: 3.12.2
diff --git a/work/manifests/metrics-server/charts/metrics-server/README.md b/work/manifests/metrics-server/charts/metrics-server/README.md
new file mode 100644
index 0000000..4b6ce65
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/README.md
@@ -0,0 +1,92 @@ +# Kubernetes Metrics Server + +[Metrics Server](https://github.com/kubernetes-sigs/metrics-server/) is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines. + +## Installing the Chart + +Before you can install the chart you will need to add the `metrics-server` repo to [Helm](https://helm.sh/). + +```shell +helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/ +``` + +After you've installed the repo you can install the chart. + +```shell +helm upgrade --install metrics-server metrics-server/metrics-server +``` + +## Configuration + +The following table lists the configurable parameters of the _Metrics Server_ chart and their default values. + +| Parameter | Description | Default | +| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ | +| `image.repository` | Image repository. | `registry.k8s.io/metrics-server/metrics-server` | +| `image.tag` | Image tag, will override the default tag derived from the chart app version. | `""` | +| `image.pullPolicy` | Image pull policy. | `IfNotPresent` | +| `imagePullSecrets` | Image pull secrets. | `[]` | +| `nameOverride` | Override the `name` of the chart. | `nil` | +| `fullnameOverride` | Override the `fullname` of the chart. | `nil` | +| `serviceAccount.create` | If `true`, create a new service account. | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account. | `{}` | +| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. 
| `nil` | +| `serviceAccount.secrets` | The list of secrets mountable by this service account. See | `[]` | +| `rbac.create` | If `true`, create the RBAC resources. | `true` | +| `rbac.pspEnabled` | If `true`, create a pod security policy resource, unless Kubernetes version is 1.25 or later. | `false` | +| `apiService.create` | If `true`, create the `v1beta1.metrics.k8s.io` API service. You typically want this enabled! If you disable API service creation you have to manage it outside of this chart for e.g horizontal pod autoscaling to work with this release. | `true` | +| `apiService.annotations` | Annotations to add to the API service | `{}` | +| `apiService.insecureSkipTLSVerify` | Specifies whether to skip TLS verification (NOTE: this setting is not a proxy for the `--kubelet-insecure-tls` metrics-server flag) | `true` | +| `apiService.caBundle` | The PEM encoded CA bundle for TLS verification | `""` | +| `commonLabels` | Labels to add to each object of the chart. | `{}` | +| `podLabels` | Labels to add to the pod. | `{}` | +| `podAnnotations` | Annotations to add to the pod. | `{}` | +| `podSecurityContext` | Security context for the pod. | `{}` | +| `securityContext` | Security context for the _metrics-server_ container. | _See values.yaml_ | +| `priorityClassName` | Priority class name to use. | `system-cluster-critical` | +| `containerPort` | port for the _metrics-server_ container. | `10250` | +| `hostNetwork.enabled` | If `true`, start _metric-server_ in hostNetwork mode. You would require this enabled if you use alternate overlay networking for pods and API server unable to communicate with metrics-server. As an example, this is required if you use Weave network on EKS. | `false` | +| `replicas` | Number of replicas to run. | `1` | +| `revisionHistoryLimit` | Number of revisions to keep. | `nil` | +| `updateStrategy` | Customise the default update strategy. | `{}` | +| `podDisruptionBudget.enabled` | If `true`, create `PodDisruptionBudget` resource. 
| `{}` | +| `podDisruptionBudget.minAvailable` | Set the `PodDisruptionBudget` minimum available pods. | `nil` | +| `podDisruptionBudget.maxUnavailable` | Set the `PodDisruptionBudget` maximum unavailable pods. | `nil` | +| `defaultArgs` | Default arguments to pass to the _metrics-server_ command. | See _values.yaml_ | +| `args` | Additional arguments to pass to the _metrics-server_ command. | `[]` | +| `livenessProbe` | Liveness probe. | See _values.yaml_ | +| `readinessProbe` | Readiness probe. | See _values.yaml_ | +| `service.type` | Service type. | `ClusterIP` | +| `service.port` | Service port. | `443` | +| `service.annotations` | Annotations to add to the service. | `{}` | +| `service.labels` | Labels to add to the service. | `{}` | +| `addonResizer.enabled` | If `true`, run the addon-resizer as a sidecar to automatically scale resource requests with cluster size. | `false` | +| `addonResizer.securityContext` | Security context for the _metrics_server_container. | _See values.yaml | +| `addonResizer.image.repository` | addon-resizer image repository | `registry.k8s.io/autoscaling/addon-resizer` | +| `addonResizer.image.tag` | addon-resizer image tag | `1.8.21` | +| `addonResizer.resources` | Resource requests and limits for the _nanny_ container. | `{ requests: { cpu: 40m, memory: 25Mi }, limits: { cpu: 40m, memory: 25Mi } }` | +| `addonResizer.nanny.cpu` | The base CPU requirement. | `0m` | +| `addonResizer.nanny.extraCPU` | The amount of CPU to add per node. | `1m` | +| `addonResizer.nanny.memory` | The base memory requirement. | `0Mi` | +| `addonResizer.nanny.extraMemory` | The amount of memory to add per node. | `2Mi` | +| `addonResizer.nanny.minClusterSize` | Specifies the smallest number of nodes resources will be scaled to. | `100` | +| `addonResizer.nanny.pollPeriod` | The time, in milliseconds, to poll the dependent container. | `300000` | +| `addonResizer.nanny.threshold` | A number between 0-100. 
The dependent's resources are rewritten when they deviate from expected by more than threshold. | `5` | +| `metrics.enabled` | If `true`, allow unauthenticated access to `/metrics`. | `false` | +| `serviceMonitor.enabled` | If `true`, create a _Prometheus_ service monitor. This needs `metrics.enabled` to be `true`. | `false` | +| `serviceMonitor.additionalLabels` | Additional labels to be set on the ServiceMonitor. | `{}` | +| `serviceMonitor.metricRelabelings` | _Prometheus_ metric relabeling. | `[]` | +| `serviceMonitor.relabelings` | _Prometheus_ relabeling. | `[]` | +| `serviceMonitor.interval` | _Prometheus_ scrape frequency. | `1m` | +| `serviceMonitor.scrapeTimeout` | _Prometheus_ scrape timeout. | `10s` | +| `resources` | Resource requests and limits for the _metrics-server_ container. See | `{ requests: { cpu: 100m, memory: 200Mi }}` | +| `extraVolumeMounts` | Additional volume mounts for the _metrics-server_ container. | `[]` | +| `extraVolumes` | Additional volumes for the pod. | `[]` | +| `nodeSelector` | Node labels for pod assignment. | `{}` | +| `tolerations` | Tolerations for pod assignment. | `[]` | +| `affinity` | Affinity for pod assignment. | `{}` | +| `topologySpreadConstraints` | Pod Topology Spread Constraints. | `[]` | +| `deploymentAnnotations` | Annotations to add to the deployment. | `{}` | +| `schedulerName` | scheduler to set to the deployment. | `""` | +| `dnsConfig` | Set the dns configuration options for the deployment. | `{}` | +| `tmpVolume` | Volume to be mounted in Pods for temporary files. | `{"emptyDir":{}}` | diff --git a/work/manifests/metrics-server/charts/metrics-server/RELEASE.md b/work/manifests/metrics-server/charts/metrics-server/RELEASE.md new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/work/manifests/metrics-server/charts/metrics-server/RELEASE.md @@ -0,0 +1 @@ + 
diff --git a/work/manifests/metrics-server/charts/metrics-server/ci/ci-values.yaml b/work/manifests/metrics-server/charts/metrics-server/ci/ci-values.yaml
new file mode 100644
index 0000000..b9e9ef7
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/ci/ci-values.yaml
@@ -0,0 +1,2 @@
+args:
+ - --kubelet-insecure-tls
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/NOTES.txt b/work/manifests/metrics-server/charts/metrics-server/templates/NOTES.txt
new file mode 100644
index 0000000..0ad6bb0
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/NOTES.txt
@@ -0,0 +1,7 @@
+***********************************************************************
+* Metrics Server *
+***********************************************************************
+ Chart version: {{ .Chart.Version }}
+ App version: {{ .Chart.AppVersion }}
+ Image tag: {{ include "metrics-server.image" . }}
+***********************************************************************
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/_helpers.tpl b/work/manifests/metrics-server/charts/metrics-server/templates/_helpers.tpl
new file mode 100644
index 0000000..9b87f11
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/_helpers.tpl
@@ -0,0 +1,102 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "metrics-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "metrics-server.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "metrics-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "metrics-server.labels" -}} +helm.sh/chart: {{ include "metrics-server.chart" . }} +{{ include "metrics-server.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.commonLabels }} +{{ toYaml .Values.commonLabels }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "metrics-server.selectorLabels" -}} +app.kubernetes.io/name: {{ include "metrics-server.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "metrics-server.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "metrics-server.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +The image to use +*/}} +{{- define "metrics-server.image" -}} +{{- printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- end }} + +{{/* +The image to use for the addon resizer +*/}} +{{- define "metrics-server.addonResizer.image" -}} +{{- printf "%s:%s" .Values.addonResizer.image.repository .Values.addonResizer.image.tag }} +{{- end }} + +{{/* +ConfigMap name of addon resizer +*/}} +{{- define "metrics-server.addonResizer.configMap" -}} +{{- printf "%s-%s" (include "metrics-server.fullname" .) "nanny-config" }} +{{- end }} + +{{/* +Role name of addon resizer +*/}} +{{- define "metrics-server.addonResizer.role" -}} +{{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }} +{{- end }} + +{{/* Get PodDisruptionBudget API Version */}} +{{- define "metrics-server.pdb.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">= 1.21-0" .Capabilities.KubeVersion.Version) -}} + {{- print "policy/v1" -}} + {{- else -}} + {{- print "policy/v1beta1" -}} + {{- end -}} +{{- end -}} diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/apiservice.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/apiservice.yaml new file mode 100644 index 0000000..f58931d --- /dev/null +++ b/work/manifests/metrics-server/charts/metrics-server/templates/apiservice.yaml 
@@ -0,0 +1,25 @@
+{{- if .Values.apiService.create -}}
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1beta1.metrics.k8s.io
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ {{- with .Values.apiService.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.apiService.caBundle }}
+ caBundle: {{ b64enc . }}
+ {{- end }}
+ group: metrics.k8s.io
+ groupPriorityMinimum: 100
+ insecureSkipTLSVerify: {{ .Values.apiService.insecureSkipTLSVerify }}
+ service:
+ name: {{ include "metrics-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ port: {{ .Values.service.port }}
+ version: v1beta1
+ versionPriority: 100
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/clusterrole-aggregated-reader.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrole-aggregated-reader.yaml
new file mode 100644
index 0000000..d5e8fe1
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrole-aggregated-reader.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ printf "system:%s-aggregated-reader" (include "metrics-server.name" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+ - apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/clusterrole-nanny.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrole-nanny.yaml
new file mode 100644
index 0000000..24edd81
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrole-nanny.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.rbac.create .Values.addonResizer.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+rules:
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/clusterrole.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrole.yaml
new file mode 100644
index 0000000..5d25c1e
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrole.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ printf "system:%s" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/metrics
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ {{- if .Values.rbac.pspEnabled }}
+ - apiGroups:
+ - extensions
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - {{ printf "privileged-%s" (include "metrics-server.fullname" .) }}
+ verbs:
+ - use
+ {{- end -}}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/clusterrolebinding-auth-delegator.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrolebinding-auth-delegator.yaml
new file mode 100644
index 0000000..826c3b7
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrolebinding-auth-delegator.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "%s:system:auth-delegator" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/clusterrolebinding-nanny.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrolebinding-nanny.yaml
new file mode 100644
index 0000000..43738cc
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrolebinding-nanny.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.rbac.create -}}
+{{- if .Values.addonResizer.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:{{ template "metrics-server.fullname" . }}-nanny
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/clusterrolebinding.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..512cb65
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "system:%s" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:{{ template "metrics-server.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/configmaps-nanny.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/configmaps-nanny.yaml
new file mode 100644
index 0000000..c25005e
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/configmaps-nanny.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.addonResizer.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "metrics-server.addonResizer.configMap" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+data:
+ NannyConfiguration: |-
+ apiVersion: nannyconfig/v1alpha1
+ kind: NannyConfiguration
+ baseCPU: {{ .Values.addonResizer.nanny.cpu }}
+ cpuPerNode: {{ .Values.addonResizer.nanny.extraCpu }}
+ baseMemory: {{ .Values.addonResizer.nanny.memory }}
+ memoryPerNode: {{ .Values.addonResizer.nanny.extraMemory }}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/deployment.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/deployment.yaml
new file mode 100644
index 0000000..37e7f95
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/deployment.yaml
@@ -0,0 +1,159 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "metrics-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "metrics-server.labels" . | nindent 4 }} + {{- with .Values.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicas }} + {{- if not (has (quote .Values.revisionHistoryLimit) (list "" (quote ""))) }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- end }} + {{- with .Values.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "metrics-server.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "metrics-server.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.schedulerName }} + schedulerName: {{ . }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "metrics-server.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- if .Values.hostNetwork.enabled }} + hostNetwork: true + {{- end }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: metrics-server + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: {{ include "metrics-server.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - {{ printf "--secure-port=%d" (int .Values.containerPort) }} + {{- range .Values.defaultArgs }} + - {{ . 
}} + {{- end }} + {{- if .Values.metrics.enabled }} + - --authorization-always-allow-paths=/metrics + {{- end }} + {{- range .Values.args }} + - {{ . }} + {{- end }} + ports: + - name: https + protocol: TCP + containerPort: {{ .Values.containerPort }} + {{- with .Values.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.addonResizer.enabled }} + - name: metrics-server-nanny + {{- with .Values.addonResizer.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: {{ include "metrics-server.addonResizer.image" . }} + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - /pod_nanny + - --config-dir=/etc/config + - --deployment={{ include "metrics-server.fullname" . }} + - --container=metrics-server + - --threshold={{ .Values.addonResizer.nanny.threshold }} + - --poll-period={{ .Values.addonResizer.nanny.pollPeriod }} + - --estimator=exponential + - --minClusterSize={{ .Values.addonResizer.nanny.minClusterSize }} + - --use-metrics=true + volumeMounts: + - name: nanny-config-volume + mountPath: /etc/config + {{- with .Values.addonResizer.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- toYaml .Values.tmpVolume | nindent 10 }} + {{- if .Values.addonResizer.enabled }} + - name: nanny-config-volume + configMap: + name: {{ include "metrics-server.addonResizer.configMap" . }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/pdb.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/pdb.yaml new file mode 100644 index 0000000..1f5eddf --- /dev/null +++ b/work/manifests/metrics-server/charts/metrics-server/templates/pdb.yaml @@ -0,0 +1,19 @@ +{{- if .Values.podDisruptionBudget.enabled -}} +apiVersion: {{ include "metrics-server.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "metrics-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "metrics-server.labels" . | nindent 4 }} +spec: + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} + selector: + matchLabels: + {{- include "metrics-server.selectorLabels" . | nindent 6 }} +{{- end -}} diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/psp.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/psp.yaml new file mode 100644 index 0000000..d5710de --- /dev/null +++ b/work/manifests/metrics-server/charts/metrics-server/templates/psp.yaml 
@@ -0,0 +1,28 @@
+{{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ printf "privileged-%s" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+spec:
+ allowedCapabilities:
+ - '*'
+ fsGroup:
+ rule: RunAsAny
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - '*'
+ hostPID: true
+ hostIPC: true
+ hostNetwork: true
+ hostPorts:
+ - min: 1
+ max: 65536
+{{- end }}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/role-nanny.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/role-nanny.yaml
new file mode 100644
index 0000000..f0bf8fc
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/role-nanny.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.rbac.create -}}
+{{- if .Values.addonResizer.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "metrics-server.addonResizer.role" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ resourceNames:
+ - {{ include "metrics-server.fullname" . }}
+ verbs:
+ - get
+ - patch
+{{- end -}}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/rolebinding-nanny.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/rolebinding-nanny.yaml
new file mode 100644
index 0000000..228c0cf
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/rolebinding-nanny.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.create -}}
+{{- if .Values.addonResizer.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-nanny" (include "metrics-server.fullname" .) }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "metrics-server.addonResizer.role" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/rolebinding.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/rolebinding.yaml
new file mode 100644
index 0000000..3fda743
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-auth-reader" (include "metrics-server.fullname" .) }}
+ namespace: kube-system
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/service.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/service.yaml
new file mode 100644
index 0000000..35318a4
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/service.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "metrics-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ {{- with .Values.service.labels -}}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: https
+ port: {{ .Values.service.port }}
+ protocol: TCP
+ targetPort: https
+ appProtocol: https
+ selector:
+ {{- include "metrics-server.selectorLabels" . | nindent 4 }}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/serviceaccount.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/serviceaccount.yaml
new file mode 100644
index 0000000..80ef699
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- with .Values.serviceAccount.secrets }}
+secrets:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/templates/servicemonitor.yaml b/work/manifests/metrics-server/charts/metrics-server/templates/servicemonitor.yaml
new file mode 100644
index 0000000..079318d
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/templates/servicemonitor.yaml
@@ -0,0 +1,40 @@
+{{- if and .Values.serviceMonitor.enabled .Values.metrics.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "metrics-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ {{- with .Values.serviceMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ jobLabel: app.kubernetes.io/instance
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ {{- include "metrics-server.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: https
+ path: /metrics
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
+ {{- with .Values.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end -}}
diff --git a/work/manifests/metrics-server/charts/metrics-server/values.yaml b/work/manifests/metrics-server/charts/metrics-server/values.yaml
new file mode 100644
index 0000000..be843db
--- /dev/null
+++ b/work/manifests/metrics-server/charts/metrics-server/values.yaml
@@ -0,0 +1,200 @@ +# Default values for metrics-server. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + repository: registry.k8s.io/metrics-server/metrics-server + # Overrides the image tag whose default is v{{ .Chart.AppVersion }} + tag: "" + pullPolicy: IfNotPresent + +imagePullSecrets: [] +# - name: registrySecretName + +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + # The list of secrets mountable by this service account. + # See https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets + secrets: [] + +rbac: + # Specifies whether RBAC resources should be created + create: true + # Note: PodSecurityPolicy will not be created when Kubernetes version is 1.25 or later. + pspEnabled: false + +apiService: + # Specifies if the v1beta1.metrics.k8s.io API service should be created. + # + # You typically want this enabled! If you disable API service creation you have to + # manage it outside of this chart for e.g horizontal pod autoscaling to + # work with this release. 
+ create: true + # Annotations to add to the API service + annotations: {} + # Specifies whether to skip TLS verification + insecureSkipTLSVerify: true + # The PEM encoded CA bundle for TLS verification + caBundle: "" + +commonLabels: {} +podLabels: {} +podAnnotations: {} + +podSecurityContext: {} + +securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + +priorityClassName: system-cluster-critical + +containerPort: 10250 + +hostNetwork: + # Specifies if metrics-server should be started in hostNetwork mode. + # + # You would require this enabled if you use alternate overlay networking for pods and + # API server unable to communicate with metrics-server. As an example, this is required + # if you use Weave network on EKS + enabled: false + +replicas: 1 + +revisionHistoryLimit: + +updateStrategy: {} +# type: RollingUpdate +# rollingUpdate: +# maxSurge: 0 +# maxUnavailable: 1 + +podDisruptionBudget: + # https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + enabled: false + minAvailable: + maxUnavailable: + +defaultArgs: + - --cert-dir=/tmp + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s + +args: [] + +livenessProbe: + httpGet: + path: /livez + port: https + scheme: HTTPS + initialDelaySeconds: 0 + periodSeconds: 10 + failureThreshold: 3 + +readinessProbe: + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 10 + failureThreshold: 3 + +service: + type: ClusterIP + port: 443 + annotations: {} + labels: {} + # Add these labels to have metrics-server show up in `kubectl cluster-info` + # kubernetes.io/cluster-service: "true" + # kubernetes.io/name: "Metrics-server" + +addonResizer: + enabled: false + image: + repository: registry.k8s.io/autoscaling/addon-resizer + tag: 1.8.21 + 
securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + cpu: 40m + memory: 25Mi + limits: + cpu: 40m + memory: 25Mi + nanny: + cpu: 0m + extraCpu: 1m + memory: 0Mi + extraMemory: 2Mi + minClusterSize: 100 + pollPeriod: 300000 + threshold: 5 + +metrics: + enabled: false + +serviceMonitor: + enabled: false + additionalLabels: {} + interval: 1m + scrapeTimeout: 10s + metricRelabelings: [] + relabelings: [] + +# See https://github.com/kubernetes-sigs/metrics-server#scaling +resources: + requests: + cpu: 100m + memory: 200Mi + # limits: + # cpu: + # memory: + +extraVolumeMounts: [] + +extraVolumes: [] + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +topologySpreadConstraints: [] + +dnsConfig: {} + +# Annotations to add to the deployment +deploymentAnnotations: {} + +schedulerName: "" + +tmpVolume: + emptyDir: {} diff --git a/work/manifests/metrics-server/kustomization.yaml b/work/manifests/metrics-server/kustomization.yaml new file mode 100644 index 0000000..a94d3ce --- /dev/null +++ b/work/manifests/metrics-server/kustomization.yaml @@ -0,0 +1,11 @@ +helmCharts: + - name: metrics-server + repo: https://kubernetes-sigs.github.io/metrics-server/ + namespace: kube-system + releaseName: metrics-server + valuesInline: + service: + labels: + # Show Metrics Server in `kubectl cluster-info` + kubernetes.io/cluster-service: "true" + kubernetes.io/name: "metrics-server" diff --git a/work/patch/metrics-server.yaml b/work/patch/metrics-server.yaml new file mode 100644 index 0000000..17e82ca --- /dev/null +++ b/work/patch/metrics-server.yaml @@ -0,0 +1,6 @@ +# Metrics Server requires Kubelet certificate autorotation, see +# https://www.talos.dev/v1.8/kubernetes-guides/configuration/deploy-metrics-server/ +machine: + kubelet: + extraArgs: + rotate-server-certificates: true 
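Review bot: The `helmCharts` entry in work/manifests/metrics-server/kustomization.yaml names the chart and its `repo` but sets no `version`, so the build does not record which metrics-server chart release it renders. Because this commit also adds a copy of the chart under `charts/metrics-server/`, kustomize will presumably render that local copy, but a build without it would take whatever the repository serves at that moment. Pin the release next to `releaseName`, e.g. `version: "<CHART_VERSION>"` (placeholder; take the value from the vendored chart's Chart.yaml), so that a new chart version for a component whose service account is bound to `system:auth-delegator` arrives as a reviewed change rather than silently.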
diff --git a/work/supernetes-cluster.yaml b/work/supernetes-cluster.yaml index d6f8780..f37524f 100644 --- a/work/supernetes-cluster.yaml +++ b/work/supernetes-cluster.yaml @@ -15,6 +15,7 @@ cluster: all-namespaces: false # Set to "false" to make Flux only watch the installation namespace (optional) patches: # Any cluster-wide patches to apply when creating the configuration with `talosctl gen config` (optional) - "@patch/cilium.yaml" + - "@patch/metrics-server.yaml" - "@patch/single-node.yaml" manifests: manifests # Kustomization directory for additional manifests to be applied into the cluster (optional)