first commit

This commit is contained in:
2026-04-12 16:09:15 +07:00
commit 7aa06a183c
21 changed files with 13325 additions and 0 deletions

21
argocd-9.1.0/argocd.crt Normal file

@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

27
argocd-9.1.0/argocd.key Normal file

@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3H0sIZYdsMCiUw4M1236vTLcRQ9PJCRAmHLTOFyAMYEspcKD
/Xbp/05n4kV49AffzmTmT36lY9XcXxGe3/mqE/Z7hoZiS51xUBvBGY679L3hHqQP
q4JCNvC53SPqm3Ej3IGFmiS1VOKFSvXcUxlLec/wFAgR4DmwjlQ6Y3nG8Y2tsBgb
YxB1S+p5hRvo9GY7jxa4RG4xV1lakL4ADCLXq4LLcPGgTWfl/Ey5T3/hztj0/Xar
4KEmwLJT8mMfLDp1s6cHgGcwimnUjYcPduEAbvejkUPOwKZdsfAMGUegX4d9tCEu
mBOqWiZwfhz1hJ/CWkz5VQZ/oHeaB/bEkjgneQIDAQABAoIBAA66yqlzErMIU2/H
/FdMphe19PLPddfcwiH3vcuXRmBy7Y15+VZZTNg89Syvu8erBP+6oYuFqD02AB2r
xYOB9Xjq76VKMfk04JPbns1QdJcCM66tLXd64WXeiWl6vkVkdrhYQMQjl/zpOxgJ
umPPc0mFI4KQaB1Pd/oyKfUToWo+jyaymqn2ot5nzSfKrypGxZBDxOoRjuEaZea/
wfvmMecg5AkL41ZqwhaOaI7xN6T9IUZzbXwilTb+E2KkMnpL1hBr1Kiyy0ZwiXtq
kVVxoG2Ir9MtlTQrVKFXAemctndtfHaN5HuXtWdO8D9DDsuqpBl9t1C2swfeWz0z
V1rOckcCgYEA+kVtOKlEaAA0uD8Lt0lpecSY/kvZLXUWViofl/zp+H03WBcvz0gW
3ho8hUohC5o6TosnKqv+/AhPRLzQtSY8PRYydEwpLDfHGZClEoRguLZdL/nhTJjs
uembAQvAr2cN7YGI3bbns7bUU55MZKQWwaiX8xyQBVN+GJaWNnnxkscCgYEA4Yk5
Q2K+d45tIRWUc0uVkrWMZvXG7I3IZrZ97mE/c6RIomUdaOw+9nClupLdwTs2BMbM
6U0wDtCixZIUWfQpBWNommJ6EbL/qpvQ/0GYsx/tI56NkfeDVL9quzPPJknwVgGE
JpNziIjGIy1ymR5GiKS8tIeTE2LUi4kkLfVSM78CgYBJn0jNBUZBTeY0WR+KMIdd
sc7L5+YgcDQ87rFSla0CU1uHh3KiCHPprFAnabIk5p7GYjsIW4Zr/8nJz72ZvIC1
+6Sl/42RG2tvgtR8iQKm88agCWMUlFv3KNhXS2zIbIl1V8i6aEbq4Bq/6m5QoNCs
8XqZospfNrt+YjYYGnFNGwKBgQCXxifCAEZa4H7x/7q56AiNBR2qAAXRFQziijau
38S6hrjWiCNFg45Pe7kbmFAhBD6y8jHdYrNPlPmk6UxGyLd+R8qR8mlhVcsVvevk
ivk+ueJ00PNGYoF/25zww8nIY4OX7UdISnw6SojEDYaMIkKnG+1ds8q3BhAwoqa1
Qt0BswKBgQDoyf/slG3TvV3JIrUDjPHeJ5wEQtexR7zLWnioPibEMkVeo8QsuMCx
54KHit5dKDgzH5hMjE6iEDOaKOGUPUoNsOBSNVPDkkkYlyZZ2f9LWdKXp7QkrMQQ
bb/hQRsBZtQbneiK0ii+VSqoB708osXt361a/XnYj6dw+rIneqCO+g==
-----END RSA PRIVATE KEY-----
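Review bot: This hunk commits an unencrypted RSA private key (`argocd-9.1.0/argocd.key`) next to its certificate, and a key that has been pushed to a repository has to be treated as exposed even if the commit is later rewritten, since it remains in every clone and reflog. Rotate the key pair, rewrite history to drop the file, and deliver the TLS material to the cluster as a Secret created outside git (cert-manager, sealed-secrets or an external-secrets operator), keeping only the Secret name in the manifests. The Gateway in this commit references a Secret named `argocd-fireflylab-tls`; presumably this key is meant to back it, so letting cert-manager issue that Secret would remove the need to commit key material at all. A `.gitignore` entry such as `*.key` would stop the next one from landing.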

4313
argocd-9.1.0/values.yaml Normal file


14
commands.txt Normal file

@@ -0,0 +1,14 @@
# Run kubespray 2.30.0 docker container with preconfig inventory
docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/duynguyen-cluster,dst=/inventory --mount type=bind,source="${HOME}"/.ssh/id_ed25519,dst=/root/.ssh/id_rsa quay.io/kubespray/kubespray:v2.30.0 bash
# Inside the container you may now run the kubespray playbooks:
ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
# Install longhorn command with helm
helm install longhorn longhorn/longhorn --namespace longhorn-system --create-namespace --version 1.11.1 -f values.yaml
# Install metallb, IPaddresspool
# Install envoy with helm
# Install gatewayclass, envoy-proxy, gateway
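Review bot: The `docker run` line bind-mounts the personal SSH private key into the kubespray container writable; the playbook only needs to read it, so add `readonly` to that mount: `--mount type=bind,source="${HOME}"/.ssh/id_ed25519,dst=/root/.ssh/id_rsa,readonly`. Mounting it under the name `id_rsa` works because ssh detects the key type from the file contents, but naming the destination `id_ed25519` and passing that path to `--private-key` avoids confusing the next reader. The last three comments (metallb, envoy, gatewayclass) are headings without commands; either add the commands that were run or mark them TODO so the file stays an accurate record.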


@@ -0,0 +1,24 @@
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
name: envoy-daemon-proxy
namespace: envoy-gateway-system
spec:
provider:
type: Kubernetes
kubernetes:
envoyDaemonSet:
pod:
# annotations:
# prometheus.io/scrape: "true"
# prometheus.io/port: "19001"
container:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1024Mi
envoyService:
type: LoadBalancer
externalTrafficPolicy: Cluster
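Review bot: `envoyService.externalTrafficPolicy: Cluster` means traffic arriving at a node is SNATed before it reaches the Envoy pod, so access logs, rate limits and any IP-based allow lists see node addresses instead of client addresses. Because the proxy here runs as a DaemonSet (`envoyDaemonSet`), every node has a local pod and the usual drawback of `Local` (traffic black-holed on nodes without a pod) does not apply, so `externalTrafficPolicy: Local` is the better choice if client IPs matter. The file's path is not shown on this page, so I cannot tell whether this is the only EnvoyProxy resource in the repository.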


@@ -0,0 +1,34 @@
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: envoy-gateway
namespace: envoy-gateway-system
spec:
gatewayClassName: envoy-gateway-class
infrastructure:
parametersRef:
group: gateway.envoyproxy.io
kind: EnvoyProxy
name: envoy-daemon-proxy
listeners:
- allowedRoutes:
namespaces:
from: All
name: http
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: All
name: https
port: 443
protocol: TLS
#tls:
#mode: Passthrough
tls:
mode: Terminate
certificateRefs:
- kind: Secret
group: ""
name: argocd-fireflylab-tls
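Review bot: The `https` listener uses `protocol: TLS` with `tls.mode: Terminate`; in Gateway API an HTTPRoute can only attach to HTTP or HTTPS listeners, so the `backend` HTTPRoute and the Headlamp route that attach to `envoy-gateway` in this commit would, as far as I can tell, be served only on the plaintext port 80 listener and never on 443. If the intent is terminating TLS for HTTP traffic, change the line to `protocol: HTTPS` and keep `tls.mode: Terminate` and the `certificateRefs`. Both listeners also set `allowedRoutes.namespaces.from: All`, which lets any namespace attach routes and claim hostnames on this shared gateway; restricting it with `from: Selector` plus a namespace label is the usual hardening once more than one team shares the cluster. The commented-out `#tls:`/`#mode: Passthrough` lines are dead config and can be deleted.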


@@ -0,0 +1,6 @@
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: envoy-gateway-class
spec:
controllerName: gateway.envoyproxy.io/gatewayclass-controller


@@ -0,0 +1,75 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: backend
---
apiVersion: v1
kind: Service
metadata:
name: backend
labels:
app: backend
service: backend
spec:
ports:
- name: http
port: 3000
targetPort: 3000
selector:
app: backend
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
spec:
replicas: 1
selector:
matchLabels:
app: backend
version: v1
template:
metadata:
labels:
app: backend
version: v1
spec:
serviceAccountName: backend
containers:
- image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
imagePullPolicy: IfNotPresent
name: backend
ports:
- containerPort: 3000
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: backend
spec:
parentRefs:
- name: envoy-gateway
namespace: envoy-gateway-system
hostnames:
- "example.fireflylab.local"
rules:
- backendRefs:
- group: ""
kind: Service
name: backend
port: 3000
weight: 1
matches:
- path:
type: PathPrefix
value: /
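Review bot: The `backend` Deployment gets a dedicated ServiceAccount and, with the defaults, its API token is mounted into the echo container even though nothing in the manifest suggests the pod calls the Kubernetes API; add `automountServiceAccountToken: false` under the pod `spec` next to `serviceAccountName: backend` so a compromised echo pod does not hold a cluster credential. The container also has no `securityContext` or `resources`, so it runs with whatever the namespace's Pod Security admission allows; for a demo backend that may be intended, but a comment saying so would help. The file's path is not shown on this page.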

148
envoy-gateway/values.yaml Normal file

@@ -0,0 +1,148 @@
# Global settings
global:
# If set, these take highest precedence and change both envoyGateway and ratelimit's container registry and pull secrets.
# -- Global override for image registry
imageRegistry: ""
# -- Global override for image pull secrets
imagePullSecrets: []
# If set, these override image-specific values: useful when installing the chart in a private registry environment.
# Override image-specific values directly if a global override is not desired.
images:
envoyGateway:
# This is the full image name including the hub, repo, and tag.
image: docker.io/envoyproxy/gateway:v1.7.1
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
pullPolicy: IfNotPresent
# List of secrets in the same namespace of the component that can be used to pull images from private repositories.
pullSecrets: []
ratelimit:
# This is the full image name including the hub, repo, and tag.
image: "docker.io/envoyproxy/ratelimit:c8765e89"
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
pullPolicy: IfNotPresent
# List of secrets in the same namespace of the component that can be used to pull images from private repositories.
pullSecrets: []
podDisruptionBudget:
minAvailable: 0
# maxUnavailable: 1
deployment:
annotations: {}
envoyGateway:
image:
# if both this and global.imageRegistry are specified, this has to include both registry and repository explicitly, eg docker.io/envoyproxy/gateway
repository: ""
tag: ""
imagePullPolicy: ""
imagePullSecrets: []
resources:
limits:
memory: 1024Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
ports:
- name: grpc
port: 18000
targetPort: 18000
- name: ratelimit
port: 18001
targetPort: 18001
- name: wasm
port: 18002
targetPort: 18002
- name: metrics
port: 19001
targetPort: 19001
priorityClassName: null
replicas: 1
pod:
affinity: {}
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '19001'
labels: {}
topologySpreadConstraints: []
tolerations: []
nodeSelector: {}
service:
# If set to PreferClose, the Envoy fleet will prioritize connecting to the Envoy Gateway pods that are topologically closest to them.
trafficDistribution: ""
annotations: {}
# -- Service type. Can be set to LoadBalancer with specific IP, e.g.:
# type: LoadBalancer
loadBalancerIP: 192.168.1.30
type: "ClusterIP"
hpa:
enabled: false
minReplicas: 1
maxReplicas: 1
metrics: []
behavior: {}
config:
# -- EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options.
envoyGateway:
gateway:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
provider:
type: Kubernetes
logging:
level:
default: info
extensionApis: {}
createNamespace: false
kubernetesClusterDomain: cluster.local
# -- Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected.
certgen:
job:
annotations: {}
args: []
pod:
annotations: {}
labels: {}
resources: {}
affinity: {}
tolerations: []
nodeSelector: {}
ttlSecondsAfterFinished: 30
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65532
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
rbac:
annotations: {}
labels: {}
topologyInjector:
enabled: true
annotations: {}
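Review bot: `deployment.envoyGateway.service.loadBalancerIP: 192.168.1.30` has no effect while `type: "ClusterIP"` stays directly below it, so either this is leftover configuration or the Service type was meant to change. Note that this Service is the Envoy Gateway control plane (xDS on 18000, ratelimit 18001, wasm 18002), which clients never need to reach; the address users connect to belongs to the data-plane Service configured by the EnvoyProxy resource's `envoyService`, so if the goal was a fixed address for the proxy, the setting belongs there and this line should be dropped. `loadBalancerIP` is also deprecated in Kubernetes in favour of load-balancer-specific annotations, so prefer whatever annotation the MetalLB setup mentioned in `commands.txt` documents. Everything else in the hunk appears to be the chart's stock values.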

409
headlamp/values.yaml Normal file

@@ -0,0 +1,409 @@
# Default values for headlamp.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- Number of desired pods
replicaCount: 1
image:
# -- Container image registry
registry: ghcr.io
# -- Container image name
repository: headlamp-k8s/headlamp
# -- Image pull policy. One of Always, Never, IfNotPresent
pullPolicy: IfNotPresent
# -- Container image tag, If "" uses appVersion in Chart.yaml
tag: ""
# -- An optional list of references to secrets in the same namespace to use for pulling any of the images used
imagePullSecrets: []
# -- Overrides the name of the chart
nameOverride: ""
# -- Overrides the full name of the chart
fullnameOverride: ""
# -- Override the deployment namespace; defaults to .Release.Namespace
namespaceOverride: ""
# -- An optional list of init containers to be run before the main containers.
initContainers: []
# -- An optional list of extra containers to be run along side the main containers.
extraContainers: []
config:
inCluster: true
inClusterContextName: "main"
# -- base url path at which headlamp should run
baseURL: ""
# -- session token TTL in seconds (default is 24 hours)
sessionTTL: 86400
oidc:
# Option 1:
# @param config.oidc.secret - OIDC secret configuration
# If you want to use an existing secret, set create to false and provide the name of the secret.
# If you want to create a new secret, set create to true and provide the name of the secret.
# Also provide the values for clientID, clientSecret, issuerURL, and scopes.
# Example:
# config:
# oidc:
# secret:
# create: true
# name: oidc
secret:
# -- Generate OIDC secret. If true, will generate a secret using .config.oidc.
create: true
# -- Name of the OIDC secret.
name: oidc
# Option 2:
# @param config.oidc - OIDC env configuration
# If you want to set the OIDC configuration directly, set the following values.
# Example:
# config:
# oidc:
# clientID: "clientID"
# clientSecret: "clientSecret"
# issuerURL: "issuerURL"
# scopes: "scopes"
# -- OIDC client ID
clientID: ""
# -- OIDC client secret
clientSecret: ""
# -- OIDC issuer URL
issuerURL: ""
# -- OIDC scopes to be used
scopes: ""
# -- OIDC callback URL
callbackURL: ""
# -- OIDC client to be used during token validation
validatorClientID: ""
# -- OIDC Issuer URL to be used during token validation
validatorIssuerURL: ""
# -- Use 'access_token' instead of 'id_token' when authenticating using OIDC
useAccessToken: false
# -- Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow
usePKCE: false
# -- Enable using OIDC cookie for authentication outside of cluster
useCookie: false
# Option 3:
# @param config.oidc - External OIDC secret configuration
# If you want to use an external secret for OIDC configuration, enable this option.
# Provide the name of the secret to use.
# Example:
# config:
# oidc:
# secret:
# create: false
# externalSecret:
# enabled: true
# name: oidc
externalSecret:
enabled: false
name: ""
# -- URL to fetch additional user info for the /me endpoint.
# For oauth2proxy /oauth2/userinfo can be used. Empty and it will not be used.
meUserInfoURL: ""
# -- directory to look for plugins
pluginsDir: "/headlamp/plugins"
enableHelm: false
watchPlugins: false
# tlsCertPath: "/headlamp-cert/headlamp-ca.crt"
# tlsKeyPath: "/headlamp-cert/headlamp-tls.key"
# Extra arguments that can be given to the container. See charts/headlamp/README.md for more information.
extraArgs: []
# -- An optional list of environment variables
# env:
# - name: KUBERNETES_SERVICE_HOST
# value: "localhost"
# - name: KUBERNETES_SERVICE_PORT
# value: "6443"
# -- Mount Service Account token in pod
automountServiceAccountToken: true
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use.(If not set and create is true, a name is generated using the fullname template)
name: ""
clusterRoleBinding:
# -- Specified whether a cluster role binding should be created
create: true
# -- Set name of the Cluster Role with limited permissions from you cluster
# for example - clusterRoleName: user-ro
clusterRoleName: cluster-admin
# -- Annotations to add to the cluster role binding
annotations: {}
# -- Annotations to add to the deployment
deploymentAnnotations: {}
# -- Annotations to add to the pod
podAnnotations: {}
# -- Labels to add to the pod
podLabels: {}
# -- Controls user namespace isolation for the Headlamp pod.
# When true (default), the pod shares the host user namespace (user namespaces are DISABLED).
# When false, the pod uses a separate user namespace (user namespaces are ENABLED) for stronger isolation,
# if supported by the cluster. Set this to false if your cluster supports user namespaces and you want
# additional isolation; leave as true if user namespaces are not available.
# See: https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
hostUsers: true
# -- Headlamp pod's Security Context
podSecurityContext:
{}
# fsGroup: 2000
# -- Headlamp containers Security Context
securityContext:
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
runAsNonRoot: true
privileged: false
runAsUser: 100
runAsGroup: 101
# Uses these defaults if this is empty.
# allowPrivilegeEscalation: false
# runAsNonRoot: true
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop:
# - ALL
service:
# -- Annotations to add to the service
annotations: {}
# -- Kubernetes Service type
#type: ClusterIP
type: NodePort
# -- Kubernetes Service port
port: 80
# -- Kubernetes Service clusterIP
clusterIP: ""
# -- Kubernetes Service loadBalancerIP
loadBalancerIP: ""
# -- Kubernetes Service loadBalancerSourceRanges
loadBalancerSourceRanges: []
# -- Kubernetes Service Nodeport
nodePort: 30052
# -- Headlamp containers volume mounts
volumeMounts: []
# -- Headlamp pod's volumes
volumes: []
persistentVolumeClaim:
# -- Enable Persistent Volume Claim
enabled: false
# -- Annotations to add to the persistent volume claim (if enabled)
annotations:
{}
# -- accessModes for the persistent volume claim, eg: ReadWriteOnce, ReadOnlyMany, ReadWriteMany etc.
accessModes: []
# -- size of the persistent volume claim, eg: 10Gi. Required if enabled is true.
size: ""
# -- storageClassName for the persistent volume claim.
storageClassName: ""
# -- selector for the persistent volume claim.
selector: {}
# -- volumeMode for the persistent volume claim, eg: Filesystem, Block.
volumeMode: ""
ingress:
# -- Enable ingress controller resource
enabled: false
# -- Annotations for Ingress resource
annotations:
{}
# kubernetes.io/tls-acme: "true"
# -- Additional labels to add to the Ingress resource
labels: {}
# app.kubernetes.io/part-of: traefik
# environment: prod
# -- Ingress class name. replacement for the deprecated "kubernetes.io/ingress.class" annotation
ingressClassName: ""
# -- Hostname(s) for the Ingress resource
# Please refer to https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec for more information.
hosts:
[]
# - host: chart-example.local
# paths:
# - path: /
# type: ImplementationSpecific
# -- Ingress TLS configuration
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# HTTPRoute configuration for Gateway API
# Please refer to https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute
httpRoute:
# -- Enable HTTPRoute resource for Gateway API
enabled: true
# -- Annotations for HTTPRoute resource
annotations: {}
# -- Additional labels for HTTPRoute resource
labels: {}
# -- Parent references (REQUIRED when enabled - HTTPRoute will not work without this)
# Example:
# parentRefs:
# - name: my-gateway
# namespace: gateway-namespace
parentRefs:
- name: envoy-gateway
namespace: envoy-gateway-system
# -- Hostnames for the HTTPRoute
# Example:
# hostnames:
# - headlamp.example.com
hostnames:
- headlamp.fireflylab.local
# -- Custom routing rules (optional, defaults to path prefix /)
# If not specified, a default rule routing all traffic to the service is used
rules: []
# Example custom rules:
# rules:
# - matches:
# - path:
# type: PathPrefix
# value: /headlamp
# backendRefs:
# - name: "{{ .Release.Name }}-headlamp"
# port: 80
# -- CPU/Memory resource requests/limits
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- Node labels for pod assignment
nodeSelector: {}
# -- Toleration labels for pod assignment
tolerations: []
# -- Affinity settings for pod assignment
affinity: {}
# -- Topology Spread Constraints for pod assignment
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# matchLabelKeys:
# - pod-template-hash
# - maxSkew: 1
# topologyKey: kubernetes.io/hostname
# whenUnsatisfiable: DoNotSchedule
# matchLabelKeys:
# - pod-template-hash
# -- Pod priority class
priorityClassName: ""
# Plugin Manager Sidecar Container Configuration
pluginsManager:
# -- Enable plugin manager
enabled: false
# -- Plugin configuration file name
configFile: "plugin.yml"
# -- Plugin configuration content in YAML format. This is required if plugins.enabled is true.
configContent: ""
# -- Base node image to use
baseImage: node:lts-alpine
# -- Headlamp plugin package version to install
version: latest
# -- Plugin manager containers volume mounts
volumeMounts: []
# -- Plugin manager env variable configuration
# env:
# - name: HTTPS_PROXY
# value: "proxy.example.com:8080"
# -- Specify resrouces
# resources:
# requests:
# cpu: "500m"
# memory: "2048Mi"
# limits:
# cpu: "1000m"
# memory: "4096Mi"
# If omitted, the plugin manager will inherit the global securityContext
securityContext:
{}
# runAsUser: 1001
# runAsNonRoot: true
# allowPrivilegeEscalation: false
# readOnlyRootFilesystem: true
# capabilities:
# drop:
# - ALL
podDisruptionBudget:
# -- enable PodDisruptionBudget
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
enabled: false
# @schema
# type: [null, integer, string]
# @schema
# -- Minimum number/percentage of pods that should remain scheduled.
# When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
minAvailable: 0
# @schema
# type: [null, integer, string]
# @schema
# -- Maximum number/percentage of pods that may be made unavailable
maxUnavailable: null
# @schema
# type: [null, string]
# @schema
# -- How are unhealthy, but running, pods counted for eviction
unhealthyPodEvictionPolicy: null
# -- Additional Kubernetes manifests to be deployed. Include the manifest as nested YAML.
extraManifests: []
# - |
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: my-config
# data:
# key: value
# - |
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: my-config-too
# data:
# key: value
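Review bot: Under `securityContext` the chart's recommended `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` are commented out while `runAsNonRoot`, `runAsUser` and `runAsGroup` are kept; unless a plugin or a write to `pluginsDir` requires it, re-enable both so the container cannot acquire capabilities or persist changes to its filesystem. The UI is exposed twice: `service.type: NodePort` opens port 30052 on every node and `httpRoute.enabled: true` publishes `headlamp.fireflylab.local` through the gateway; since the ServiceAccount is bound to `clusterRoleName: cluster-admin`, keep a single TLS-terminated path by setting `type: ClusterIP` and removing `nodePort`. `config.oidc.secret.create: true` with empty `clientID`/`clientSecret` creates an empty OIDC Secret; either fill the values or set `create: false` so it is clear OIDC is not in use.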


1
kubespray-2.30.0 Submodule

Submodule kubespray-2.30.0 added at 341da0e8cb


@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: longhorn-pvc-delete
spec:
accessModes:
#- ReadWriteOnce
- ReadWriteMany
storageClassName: longhorn-storage-delete
resources:
requests:
storage: 2Gi


@@ -0,0 +1,16 @@
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: longhorn-storage-delete
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: Immediate
parameters:
numberOfReplicas: "2"
staleReplicaTimeout: "2880"
fromBackup: ""
fsType: "ext4"
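Review bot: `storageclass.kubernetes.io/is-default-class: "true"` on `longhorn-storage-delete` conflicts with `persistence.defaultClass: true` in `longhorn-1.11.1/values.yaml` elsewhere in this commit, which also marks the chart-managed `longhorn` StorageClass as default; with two defaults, PVCs without a `storageClassName` bind to whichever class Kubernetes picks (recent versions use the most recently created one, older ones reject the claim), so only one should carry the annotation. `numberOfReplicas: "2"` also differs from the chart's `defaultClassReplicaCount: 3`; if two replicas is deliberate for this cluster size, a comment would save the next reader a comparison. The sibling `longhorn-storage-retain` class in this commit uses the same parameters, so the same replica note applies there.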


@@ -0,0 +1,14 @@
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: longhorn-storage-retain
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Retain
volumeBindingMode: Immediate
parameters:
numberOfReplicas: "2"
staleReplicaTimeout: "2880"
fromBackup: ""
fsType: "ext4"


@@ -0,0 +1,20 @@
kind: Pod
apiVersion: v1
metadata:
name: pod-longhorn-delete
spec:
volumes:
- name: longhorn-pvc-delete
persistentVolumeClaim:
claimName: longhorn-pvc-delete
containers:
- name: my-container
volumeMounts:
- name: longhorn-pvc-delete # This is the name of the volume we set at the pod level
mountPath: /var/simple # Where to mount this directory in our container
# Now that we have a directory mounted at /var/simple, let's
# write to a file inside it!
image: alpine
command: ["/bin/sh"]
args: ["-c", "while true; do date >> /var/simple/file.txt; sleep 5; done"]
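Review bot: `image: alpine` has no tag or digest, so the pod pulls whatever `latest` resolves to at scheduling time and the test is not reproducible; pin it to a tag or digest (for example `image: alpine:3.20`, adjusted to the version you verified). The container also runs as root with no `securityContext` or `resources`, and the loop appends to `/var/simple/file.txt` indefinitely, which will eventually fill the 2Gi volume; for a throwaway test this may be acceptable, but a comment stating that would make the intent clear. The file's path is not shown on this page.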

662
longhorn-1.11.1/values.yaml Normal file

@@ -0,0 +1,662 @@
# Default values for longhorn.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
# -- Global override for container image registry.
imageRegistry: "docker.io"
# -- Global override for image pull secrets for container registry.
imagePullSecrets: []
# -- Set container timezone (TZ env) for all Longhorn workloads. Leave empty to use container default.
timezone: ""
# -- Toleration for nodes allowed to run user-deployed components such as Longhorn Manager, Longhorn UI, and Longhorn Driver Deployer.
tolerations: []
# -- Node selector for nodes allowed to run user-deployed components such as Longhorn Manager, Longhorn UI, and Longhorn Driver Deployer.
nodeSelector: {}
cattle:
# -- Default system registry.
systemDefaultRegistry: ""
windowsCluster:
# -- Setting that allows Longhorn to run on a Rancher Windows cluster.
enabled: false
# -- Toleration for Linux nodes that can run user-deployed Longhorn components.
tolerations:
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
# -- Node selector for Linux nodes that can run user-deployed Longhorn components.
nodeSelector:
kubernetes.io/os: "linux"
defaultSetting:
# -- Toleration for system-managed Longhorn components.
taintToleration: cattle.io/os=linux:NoSchedule
# -- Node selector for system-managed Longhorn components.
systemManagedComponentsNodeSelector: kubernetes.io/os:linux
networkPolicies:
# -- Setting that allows you to enable network policies that control access to Longhorn pods.
enabled: false
# -- Distribution that determines the policy for allowing access for an ingress. (Options: "k3s", "rke2", "rke1")
type: "k3s"
image:
longhorn:
engine:
# -- Registry for the Longhorn Engine image.
registry: ""
# -- Repository for the Longhorn Engine image.
repository: longhornio/longhorn-engine
# -- Tag for the Longhorn Engine image.
tag: v1.11.1
manager:
# -- Registry for the Longhorn Manager image.
registry: ""
# -- Repository for the Longhorn Manager image.
repository: longhornio/longhorn-manager
# -- Tag for the Longhorn Manager image.
tag: v1.11.1
ui:
# -- Registry for the Longhorn UI image.
registry: ""
# -- Repository for the Longhorn UI image.
repository: longhornio/longhorn-ui
# -- Tag for the Longhorn UI image.
tag: v1.11.1
instanceManager:
# -- Registry for the Longhorn Instance Manager image.
registry: ""
# -- Repository for the Longhorn Instance Manager image.
repository: longhornio/longhorn-instance-manager
# -- Tag for the Longhorn Instance Manager image.
tag: v1.11.1
shareManager:
# -- Registry for the Longhorn Share Manager image.
registry: ""
# -- Repository for the Longhorn Share Manager image.
repository: longhornio/longhorn-share-manager
# -- Tag for the Longhorn Share Manager image.
tag: v1.11.1
backingImageManager:
# -- Registry for the Backing Image Manager image. When unspecified, Longhorn uses the default value.
registry: ""
# -- Repository for the Backing Image Manager image. When unspecified, Longhorn uses the default value.
repository: longhornio/backing-image-manager
# -- Tag for the Backing Image Manager image. When unspecified, Longhorn uses the default value.
tag: v1.11.1
supportBundleKit:
# -- Registry for the Longhorn Support Bundle Manager image.
registry: ""
# -- Repository for the Longhorn Support Bundle Manager image.
repository: longhornio/support-bundle-kit
# -- Tag for the Longhorn Support Bundle Manager image.
tag: v0.0.81
csi:
attacher:
# -- Registry for the CSI attacher image. When unspecified, Longhorn uses the default value.
registry: ""
# -- Repository for the CSI attacher image. When unspecified, Longhorn uses the default value.
repository: longhornio/csi-attacher
# -- Tag for the CSI attacher image. When unspecified, Longhorn uses the default value.
tag: v4.11.0
provisioner:
# -- Registry for the CSI Provisioner image. When unspecified, Longhorn uses the default value.
registry: ""
# -- Repository for the CSI Provisioner image. When unspecified, Longhorn uses the default value.
repository: longhornio/csi-provisioner
# -- Tag for the CSI Provisioner image. When unspecified, Longhorn uses the default value.
tag: v5.3.0-20260225
nodeDriverRegistrar:
# -- Registry for the CSI Node Driver Registrar image. When unspecified, Longhorn uses the default value.
registry: ""
# -- Repository for the CSI Node Driver Registrar image. When unspecified, Longhorn uses the default value.
repository: longhornio/csi-node-driver-registrar
# -- Tag for the CSI Node Driver Registrar image. When unspecified, Longhorn uses the default value.
tag: v2.16.0
resizer:
# -- Registry for the CSI Resizer image. When unspecified, Longhorn uses the default value.
registry: ""
# -- Repository for the CSI Resizer image. When unspecified, Longhorn uses the default value.
repository: longhornio/csi-resizer
# -- Tag for the CSI Resizer image. When unspecified, Longhorn uses the default value.
tag: v2.1.0
snapshotter:
# -- Registry for the CSI Snapshotter image. When unspecified, Longhorn uses the default value.
registry: ""
# -- Repository for the CSI Snapshotter image. When unspecified, Longhorn uses the default value.
repository: longhornio/csi-snapshotter
# -- Tag for the CSI Snapshotter image. When unspecified, Longhorn uses the default value.
tag: v8.5.0
livenessProbe:
# -- Registry for the CSI liveness probe image. When unspecified, Longhorn uses the default value.
registry: ""
# -- Repository for the CSI liveness probe image. When unspecified, Longhorn uses the default value.
repository: longhornio/livenessprobe
# -- Tag for the CSI liveness probe image. When unspecified, Longhorn uses the default value.
tag: v2.18.0
openshift:
oauthProxy:
# -- Registry for the OAuth Proxy image. Specify the upstream image (for example, "quay.io/openshift/origin-oauth-proxy"). This setting applies only to OpenShift users.
registry: ""
# -- Repository for the OAuth Proxy image. Specify the upstream image (for example, "quay.io/openshift/origin-oauth-proxy"). This setting applies only to OpenShift users.
repository: ""
# -- Tag for the OAuth Proxy image. Specify OCP/OKD version 4.1 or later (including version 4.18, which is available at quay.io/openshift/origin-oauth-proxy:4.18). This setting applies only to OpenShift users.
tag: ""
# -- Image pull policy that applies to all user-deployed Longhorn components, such as Longhorn Manager, Longhorn driver, and Longhorn UI.
pullPolicy: IfNotPresent
service:
ui:
# -- Service type for Longhorn UI. (Options: "ClusterIP", "NodePort", "LoadBalancer", "Rancher-Proxy")
type: NodePort
# -- NodePort port number for Longhorn UI. When unspecified, Longhorn selects a free port between 30000 and 32767.
nodePort: 30051
# -- Class of a load balancer implementation
loadBalancerClass: ""
# -- Annotation for the Longhorn UI service.
annotations: {}
## If you want to set annotations for the Longhorn UI service, delete the `{}` in the line above
## and uncomment this example block
# annotation-key1: "annotation-value1"
# annotation-key2: "annotation-value2"
labels: {}
## If you want to set additional labels for the Longhorn UI service, delete the `{}` in the line above
## and uncomment this example block
# label-key1: "label-value1"
# label-key2: "label-value2"
manager:
# -- Service type for Longhorn Manager.
type: ClusterIP
# -- NodePort port number for Longhorn Manager. When unspecified, Longhorn selects a free port between 30000 and 32767.
nodePort: ""
persistence:
# -- Setting that allows you to specify the default Longhorn StorageClass.
defaultClass: true
# -- Filesystem type of the default Longhorn StorageClass.
defaultFsType: ext4
# -- mkfs parameters of the default Longhorn StorageClass.
defaultMkfsParams: ""
# -- Replica count of the default Longhorn StorageClass.
defaultClassReplicaCount: 3
# -- Data locality of the default Longhorn StorageClass. (Options: "disabled", "best-effort")
defaultDataLocality: disabled
# -- Reclaim policy that provides instructions for handling of a volume after its claim is released. (Options: "Retain", "Delete")
reclaimPolicy: Delete
# -- VolumeBindingMode controls when volume binding and dynamic provisioning should occur. (Options: "Immediate", "WaitForFirstConsumer") (Defaults to "Immediate")
volumeBindingMode: "Immediate"
# -- Setting that allows you to enable live migration of a Longhorn volume from one node to another.
migratable: false
# -- Setting that disables the revision counter and thereby prevents Longhorn from tracking all write operations to a volume. When salvaging a volume, Longhorn uses properties of the volume-head-xxx.img file (the last file size and the last time the file was modified) to select the replica to be used for volume recovery.
disableRevisionCounter: "true"
# -- Set NFS mount options for Longhorn StorageClass for RWX volumes
nfsOptions: ""
recurringJobSelector:
# -- Setting that allows you to enable the recurring job selector for a Longhorn StorageClass.
enable: false
# -- Recurring job selector for a Longhorn StorageClass. Ensure that quotes are used correctly when specifying job parameters. (Example: `[{"name":"backup", "isGroup":true}]`)
jobList: []
backingImage:
# -- Setting that allows you to use a backing image in a Longhorn StorageClass.
enable: false
# -- Backing image to be used for creating and restoring volumes in a Longhorn StorageClass. When no backing images are available, specify the data source type and parameters that Longhorn can use to create a backing image.
name: ~
# -- Data source type of a backing image used in a Longhorn StorageClass.
# If the backing image exists in the cluster, Longhorn uses this setting to verify the image.
# If the backing image does not exist, Longhorn creates one using the specified data source type.
dataSourceType: ~
# -- Data source parameters of a backing image used in a Longhorn StorageClass.
# You can specify a JSON string of a map. (Example: `'{\"url\":\"https://backing-image-example.s3-region.amazonaws.com/test-backing-image\"}'`)
dataSourceParameters: ~
# -- Expected SHA-512 checksum of a backing image used in a Longhorn StorageClass.
expectedChecksum: ~
defaultDiskSelector:
# -- Setting that allows you to enable the disk selector for the default Longhorn StorageClass.
enable: false
# -- Disk selector for the default Longhorn StorageClass. Longhorn uses only disks with the specified tags for storing volume data. (Examples: "nvme,sata")
selector: ""
defaultNodeSelector:
# -- Setting that allows you to enable the node selector for the default Longhorn StorageClass.
enable: false
# -- Node selector for the default Longhorn StorageClass. Longhorn uses only nodes with the specified tags for storing volume data. (Examples: "storage,fast")
selector: ""
# -- Setting that allows you to enable automatic snapshot removal during filesystem trim for a Longhorn StorageClass. (Options: "ignored", "enabled", "disabled")
unmapMarkSnapChainRemoved: ignored
# -- Setting that allows you to specify the data engine version for the default Longhorn StorageClass. (Options: "v1", "v2")
dataEngine: v1
# -- Setting that allows you to specify the backup target for the default Longhorn StorageClass.
backupTargetName: default
preUpgradeChecker:
# -- Setting that allows Longhorn to perform pre-upgrade checks. Disable this setting when installing Longhorn using Argo CD or other GitOps solutions.
jobEnabled: true
# -- Setting that allows Longhorn to perform upgrade version checks after starting the Longhorn Manager DaemonSet Pods. Disabling this setting also disables `preUpgradeChecker.jobEnabled`. Longhorn recommends keeping this setting enabled.
upgradeVersionCheck: true
csi:
# -- kubelet root directory. When unspecified, Longhorn uses the default value.
kubeletRootDir: ~
# -- Configures Pod anti-affinity to prevent multiple instances on the same node. Use soft (tries to separate) or hard (must separate). When unspecified, Longhorn uses the default value ("soft").
podAntiAffinityPreset: ~
# -- Replica count of the CSI Attacher. When unspecified, Longhorn uses the default value ("3").
attacherReplicaCount: ~
# -- Replica count of the CSI Provisioner. When unspecified, Longhorn uses the default value ("3").
provisionerReplicaCount: ~
# -- Replica count of the CSI Resizer. When unspecified, Longhorn uses the default value ("3").
resizerReplicaCount: ~
# -- Replica count of the CSI Snapshotter. When unspecified, Longhorn uses the default value ("3").
snapshotterReplicaCount: ~
defaultSettings:
# -- Setting that allows Longhorn to automatically attach a volume and create snapshots or backups when recurring jobs are run.
allowRecurringJobWhileVolumeDetached: ~
# -- Setting that allows Longhorn to automatically create a default disk only on nodes with the label "node.longhorn.io/create-default-disk=true" (if no other disks exist). When this setting is disabled, Longhorn creates a default disk on each node that is added to the cluster.
createDefaultDiskLabeledNodes: ~
# -- Default path to use for storing data on a host. An absolute directory path indicates a filesystem-type disk used by the V1 Data Engine, while a path to a block device indicates a block-type disk used by the V2 Data Engine. The default value is "/var/lib/longhorn/".
defaultDataPath: /data/longhorn-storage/
# -- Default data locality. A Longhorn volume has data locality if a local replica of the volume exists on the same node as the pod that is using the volume.
defaultDataLocality: ~
# -- Setting that allows scheduling on nodes with healthy replicas of the same volume. This setting is disabled by default.
replicaSoftAntiAffinity: true
# -- Setting that automatically rebalances replicas when an available node is discovered.
replicaAutoBalance: ~
# -- Percentage of storage that can be allocated relative to hard drive capacity. The default value is "100".
storageOverProvisioningPercentage: ~
# -- Percentage of minimum available disk capacity. When the minimum available capacity exceeds the total available capacity, the disk becomes unschedulable until more space is made available for use. The default value is "25".
storageMinimalAvailablePercentage: 15
# -- Percentage of disk space that is not allocated to the default disk on each new Longhorn node.
storageReservedPercentageForDefaultDisk: ~
# -- Upgrade Checker that periodically checks for new Longhorn versions. When a new version is available, a notification appears on the Longhorn UI. This setting is enabled by default
upgradeChecker: false
# -- The Upgrade Responder sends a notification whenever a new Longhorn version that you can upgrade to becomes available. The default value is https://longhorn-upgrade-responder.rancher.io/v1/checkupgrade.
upgradeResponderURL: ~
# -- The external URL used to access the Longhorn Manager API. When set, this URL is returned in API responses (the actions and links fields) instead of the internal pod IP. This is useful when accessing the API through Ingress or Gateway API HTTPRoute. Format: scheme://host[:port] (for example, https://longhorn.example.com or https://longhorn.example.com:8443). Leave it empty to use the default behavior.
managerUrl: ~
# -- Default number of replicas for volumes created using the Longhorn UI. For Kubernetes configuration, modify the `numberOfReplicas` field in the StorageClass. The default value is "{"v1":"3","v2":"3"}".
defaultReplicaCount: 2
# -- Default name of Longhorn static StorageClass. "storageClassName" is assigned to PVs and PVCs that are created for an existing Longhorn volume. "storageClassName" can also be used as a label, so it is possible to use a Longhorn StorageClass to bind a workload to an existing PV without creating a Kubernetes StorageClass object. "storageClassName" needs to be an existing StorageClass. The default value is "longhorn-static".
defaultLonghornStaticStorageClass: ~
# -- Number of minutes that Longhorn keeps a failed backup resource. When the value is "0", automatic deletion is disabled.
failedBackupTTL: ~
# -- Number of minutes that Longhorn allows for the backup execution. The default value is "1".
backupExecutionTimeout: ~
# -- Setting that restores recurring jobs from a backup volume on a backup target and creates recurring jobs if none exist during backup restoration.
restoreVolumeRecurringJobs: ~
# -- Maximum number of successful recurring backup and snapshot jobs to be retained. When the value is "0", a history of successful recurring jobs is not retained.
recurringSuccessfulJobsHistoryLimit: ~
# -- Maximum number of failed recurring backup and snapshot jobs to be retained. When the value is "0", a history of failed recurring jobs is not retained.
recurringFailedJobsHistoryLimit: ~
# -- Maximum number of snapshots or backups to be retained.
recurringJobMaxRetention: ~
# -- Maximum number of failed support bundles that can exist in the cluster. When the value is "0", Longhorn automatically purges all failed support bundles.
supportBundleFailedHistoryLimit: ~
# -- Taint or toleration for system-managed Longhorn components.
# Specify values using a semicolon-separated list in `kubectl taint` syntax (Example: key1=value1:effect; key2=value2:effect).
taintToleration: ~
# -- Node selector for system-managed Longhorn components.
systemManagedComponentsNodeSelector: ~
# -- Resource limits for system-managed CSI components.
# This setting allows you to configure CPU and memory requests/limits for CSI attacher, provisioner, resizer, snapshotter, and plugin components.
# Supported components: csi-attacher, csi-provisioner, csi-resizer, csi-snapshotter, longhorn-csi-plugin, node-driver-registrar, longhorn-liveness-probe.
# Notice that changing resource limits will cause CSI components to restart, which may temporarily affect volume provisioning and attach/detach operations until the components are ready. The value should be a JSON object with component names as keys and ResourceRequirements as values.
systemManagedCSIComponentsResourceLimits: ~
# -- PriorityClass for system-managed Longhorn components.
# This setting can help prevent Longhorn components from being evicted under Node Pressure.
# Notice that this will be applied to Longhorn user-deployed components by default if there are no priority class values set yet, such as `longhornManager.priorityClass`.
priorityClass: &defaultPriorityClassNameRef "longhorn-critical"
# -- Setting that allows Longhorn to automatically salvage volumes when all replicas become faulty (for example, when the network connection is interrupted). Longhorn determines which replicas are usable and then uses these replicas for the volume. This setting is enabled by default.
autoSalvage: ~
# -- Setting that allows Longhorn to automatically delete a workload pod that is managed by a controller (for example, daemonset) whenever a Longhorn volume is detached unexpectedly (for example, during Kubernetes upgrades). After deletion, the controller restarts the pod and then Kubernetes handles volume reattachment and remounting.
autoDeletePodWhenVolumeDetachedUnexpectedly: ~
# -- Blacklist of controller api/kind values for the setting Automatically Delete Workload Pod when the Volume Is Detached Unexpectedly. If a workload pod is managed by a controller whose api/kind is listed in this blacklist, Longhorn will not automatically delete the pod when its volume is unexpectedly detached. Multiple controller api/kind entries can be specified, separated by semicolons. For example: `apps/StatefulSet;apps/DaemonSet`. Note that the controller api/kind is case sensitive and must exactly match the api/kind in the workload pod's owner reference.
blacklistForAutoDeletePodWhenVolumeDetachedUnexpectedly: ~
# -- Setting that prevents Longhorn Manager from scheduling replicas on a cordoned Kubernetes node. This setting is enabled by default.
disableSchedulingOnCordonedNode: ~
# -- Setting that allows Longhorn to schedule new replicas of a volume to nodes in the same zone as existing healthy replicas. Nodes that do not belong to any zone are treated as existing in the zone that contains healthy replicas. When identifying zones, Longhorn relies on the label "topology.kubernetes.io/zone=<Zone name of the node>" in the Kubernetes node object.
replicaZoneSoftAntiAffinity: ~
# -- Setting that allows scheduling on disks with existing healthy replicas of the same volume. This setting is enabled by default.
replicaDiskSoftAntiAffinity: ~
# -- Policy that defines the action Longhorn takes when a volume is stuck with a StatefulSet or Deployment pod on a node that failed.
nodeDownPodDeletionPolicy: do-nothing
# -- Policy that defines the action Longhorn takes when a node with the last healthy replica of a volume is drained.
nodeDrainPolicy: ~
# -- Setting that allows automatic detaching of manually-attached volumes when a node is cordoned.
detachManuallyAttachedVolumesWhenCordoned: ~
# -- Number of seconds that Longhorn waits before reusing existing data on a failed replica instead of creating a new replica of a degraded volume.
replicaReplenishmentWaitInterval: ~
# -- Maximum number of replicas that can be concurrently rebuilt on each node.
concurrentReplicaRebuildPerNodeLimit: ~
# -- Maximum number of file synchronization operations that can run concurrently during a single replica rebuild. Right now, it's for v1 data engine only.
rebuildConcurrentSyncLimit: ~
# -- Maximum number of volumes that can be concurrently restored on each node using a backup. When the value is "0", restoration of volumes using a backup is disabled.
concurrentVolumeBackupRestorePerNodeLimit: ~
# -- Setting that disables the revision counter and thereby prevents Longhorn from tracking all write operations to a volume. When salvaging a volume, Longhorn uses properties of the "volume-head-xxx.img" file (the last file size and the last time the file was modified) to select the replica to be used for volume recovery. This setting applies only to volumes created using the Longhorn UI.
disableRevisionCounter: '{"v1":"true"}'
# -- Image pull policy for system-managed pods, such as Instance Manager, engine images, and CSI Driver. Changes to the image pull policy are applied only after the system-managed pods restart.
systemManagedPodsImagePullPolicy: ~
# -- Setting that allows you to create and attach a volume without having all replicas scheduled at the time of creation.
allowVolumeCreationWithDegradedAvailability: ~
# -- Setting that allows Longhorn to automatically clean up the system-generated snapshot after replica rebuilding is completed.
autoCleanupSystemGeneratedSnapshot: ~
# -- Setting that allows Longhorn to automatically clean up the snapshot generated by a recurring backup job.
autoCleanupRecurringJobBackupSnapshot: ~
# -- Maximum number of engines that are allowed to concurrently upgrade on each node after Longhorn Manager is upgraded. When the value is "0", Longhorn does not automatically upgrade volume engines to the new default engine image version.
concurrentAutomaticEngineUpgradePerNodeLimit: ~
# -- Number of minutes that Longhorn waits before cleaning up the backing image file when no replicas in the disk are using it.
backingImageCleanupWaitInterval: ~
# -- Number of seconds that Longhorn waits before downloading a backing image file again when the status of all image disk files changes to "failed" or "unknown".
backingImageRecoveryWaitInterval: ~
# -- Percentage of the total allocatable CPU resources on each node to be reserved for each instance manager pod. The default value is {"v1":"12","v2":"12"}.
guaranteedInstanceManagerCPU: ~
# -- Setting that notifies Longhorn that the cluster is using the Kubernetes Cluster Autoscaler.
kubernetesClusterAutoscalerEnabled: ~
# -- Enables Longhorn to automatically delete orphaned resources and their associated data or processes (e.g., stale replicas). Orphaned resources on failed or unknown nodes are not automatically cleaned up.
# You need to specify the resource types to be deleted using a semicolon-separated list (e.g., `replica-data;instance`). Available items are: `replica-data`, `instance`.
orphanResourceAutoDeletion: ~
# -- Specifies the wait time, in seconds, before Longhorn automatically deletes an orphaned Custom Resource (CR) and its associated resources.
# Note that if a user manually deletes an orphaned CR, the deletion occurs immediately and does not respect this grace period.
orphanResourceAutoDeletionGracePeriod: ~
# -- Storage network for in-cluster traffic. When unspecified, Longhorn uses the Kubernetes cluster network.
storageNetwork: ~
# -- Specifies a dedicated network for mounting RWX (ReadWriteMany) volumes. Leave this blank to use the default Kubernetes cluster network. **Caution**: This setting should change after all RWX volumes are detached because some Longhorn component pods must be recreated to apply the setting. You cannot modify this setting while RWX volumes are still attached.
endpointNetworkForRWXVolume: ~
# -- Flag that prevents accidental uninstallation of Longhorn.
deletingConfirmationFlag: ~
# -- Timeout between the Longhorn Engine and replicas. Specify a value between "8" and "30" seconds. The default value is "8".
engineReplicaTimeout: ~
# -- Setting that allows you to enable and disable snapshot hashing and data integrity checks.
snapshotDataIntegrity: ~
# -- Setting that allows disabling of snapshot hashing after snapshot creation to minimize impact on system performance.
snapshotDataIntegrityImmediateCheckAfterSnapshotCreation: ~
# -- Setting that defines when Longhorn checks the integrity of data in snapshot disk files. You must use the Unix cron expression format.
snapshotDataIntegrityCronjob: ~
# -- Setting that controls how many snapshot heavy task operations (such as purge and clone) can run concurrently per node. This is a best-effort mechanism: due to the distributed nature of the system, temporary oversubscription may occur. The limiter reduces worst-case overload but does not guarantee perfect enforcement.
snapshotHeavyTaskConcurrentLimit: ~
# -- Setting that allows Longhorn to automatically mark the latest snapshot and its parent files as removed during a filesystem trim. Longhorn does not remove snapshots containing multiple child files.
removeSnapshotsDuringFilesystemTrim: ~
# -- Setting that allows fast rebuilding of replicas using the checksum of snapshot disk files. Before enabling this setting, you must set the snapshot-data-integrity value to "enable" or "fast-check".
fastReplicaRebuildEnabled: ~
# -- Number of seconds that an HTTP client waits for a response from a File Sync server before considering the connection to have failed.
replicaFileSyncHttpClientTimeout: ~
# -- Number of seconds that Longhorn allows for the completion of replica rebuilding and snapshot cloning operations.
longGRPCTimeOut: ~
# -- Log levels that indicate the type and severity of logs in Longhorn Manager. The default value is "Info". (Options: "Panic", "Fatal", "Error", "Warn", "Info", "Debug", "Trace")
logLevel: ~
# -- Specifies the directory on the host where Longhorn stores log files for the instance manager pod. Currently, it is only used for instance manager pods in the v2 data engine.
logPath: ~
# -- Setting that allows you to specify a backup compression method.
backupCompressionMethod: ~
# -- Maximum number of worker threads that can concurrently run for each backup.
backupConcurrentLimit: ~
# -- Specifies the default backup block size, in MiB, used when creating a new volume. Supported values are 2 or 16.
defaultBackupBlockSize: ~
# -- Maximum number of worker threads that can concurrently run for each restore operation.
restoreConcurrentLimit: ~
# -- Setting that allows you to enable the V1 Data Engine.
v1DataEngine: ~
# -- Setting that allows you to enable the V2 Data Engine, which is based on the Storage Performance Development Kit (SPDK). The V2 Data Engine is an experimental feature and should not be used in production environments.
v2DataEngine: ~
# -- Applies only to the V2 Data Engine. Enables hugepages for the Storage Performance Development Kit (SPDK) target daemon. If disabled, legacy memory is used. Allocation size is set via the Data Engine Memory Size setting.
dataEngineHugepageEnabled: ~
# -- Applies only to the V2 Data Engine. Specifies the hugepage size, in MiB, for the Storage Performance Development Kit (SPDK) target daemon. The default value is "{"v2":"2048"}"
dataEngineMemorySize: ~
# -- Applies only to the V2 Data Engine. Specifies the CPU cores on which the Storage Performance Development Kit (SPDK) target daemon runs. The daemon is deployed in each Instance Manager pod. Ensure that the number of assigned cores does not exceed the guaranteed Instance Manager CPUs for the V2 Data Engine. The default value is "{"v2":"0x1"}".
dataEngineCPUMask: ~
# -- This setting specifies the default write bandwidth limit (in megabytes per second) for volume replica rebuilding when using the v2 data engine (SPDK). If this value is set to 0, there will be no write bandwidth limitation. Individual volumes can override this setting by specifying their own rebuilding bandwidth limit.
replicaRebuildingBandwidthLimit: ~
# -- This setting specifies the default depth of each queue for Ublk frontend. This setting applies to volumes using the V2 Data Engine with Ublk front end. Individual volumes can override this setting by specifying their own Ublk queue depth.
defaultUblkQueueDepth: ~
# -- This setting specifies the default the number of queues for ublk frontend. This setting applies to volumes using the V2 Data Engine with Ublk front end. Individual volumes can override this setting by specifying their own number of queues for ublk.
defaultUblkNumberOfQueue: ~
# -- In seconds. The setting specifies the timeout for the instance manager pod liveness probe. The default value is 10 seconds.
instanceManagerPodLivenessProbeTimeout: ~
# -- Setting that allows scheduling of empty node selector volumes to any node.
allowEmptyNodeSelectorVolume: ~
# -- Setting that allows scheduling of empty disk selector volumes to any disk.
allowEmptyDiskSelectorVolume: ~
# -- Setting that allows Longhorn to periodically collect anonymous usage data for product improvement purposes. Longhorn sends collected data to the [Upgrade Responder](https://github.com/longhorn/upgrade-responder) server, which is the data source of the Longhorn Public Metrics Dashboard (https://metrics.longhorn.io). The Upgrade Responder server does not store data that can be used to identify clients, including IP addresses.
allowCollectingLonghornUsageMetrics: ~
# -- Setting that temporarily prevents all attempts to purge volume snapshots.
disableSnapshotPurge: ~
# -- Maximum snapshot count for a volume. The value should be between 2 to 250
snapshotMaxCount: ~
# -- Applies only to the V2 Data Engine. Specifies the log level for the Storage Performance Development Kit (SPDK) target daemon. Supported values are: Error, Warning, Notice, Info, and Debug. The default is Notice.
dataEngineLogLevel: ~
# -- Applies only to the V2 Data Engine. Specifies the log flags for the Storage Performance Development Kit (SPDK) target daemon.
dataEngineLogFlags: ~
# -- Setting that freezes the filesystem on the root partition before a snapshot is created.
freezeFilesystemForSnapshot: ~
# -- Setting that automatically cleans up the snapshot when the backup is deleted.
autoCleanupSnapshotWhenDeleteBackup: ~
# -- Setting that automatically cleans up the snapshot after the on-demand backup is completed.
autoCleanupSnapshotAfterOnDemandBackupCompleted: ~
# -- Setting that allows Longhorn to detect node failure and immediately migrate affected RWX volumes.
rwxVolumeFastFailover: ~
# -- Enables automatic rebuilding of degraded replicas while the volume is detached. This setting only takes effect if the individual volume setting is set to `ignored` or `enabled`.
offlineReplicaRebuilding: ~
# -- Controls whether Longhorn monitors and records health information for node disks. When disabled, disk health checks and status updates are skipped.
nodeDiskHealthMonitoring: ~
# -- Comma-separated list of topology keys that the Longhorn CSI driver is allowed to pass through. When empty (default), no topology keys are passed through, and PVs will have no nodeAffinity. When configured (e.g., "topology.kubernetes.io/zone,topology.kubernetes.io/region"), only the specified keys are kept in topology segments. All other keys are filtered out from both CreateVolumeResponse.AccessibleTopology and NodeGetInfo topology.
csiAllowedTopologyKeys: ~
# -- Setting that allows you to update the default backupstore.
defaultBackupStore:
# -- Endpoint used to access the default backupstore. (Options: "NFS", "CIFS", "AWS", "GCP", "AZURE")
backupTarget: ~
# -- Name of the Kubernetes secret associated with the default backup target.
backupTargetCredentialSecret: ~
# -- Number of seconds that Longhorn waits before checking the default backupstore for new backups. The default value is "300". When the value is "0", polling is disabled.
pollInterval: ~
privateRegistry:
# -- Set to `true` to automatically create a new private registry secret.
createSecret: ~
# -- URL of a private registry. When unspecified, Longhorn uses the default system registry.
registryUrl: ~
# -- User account used for authenticating with a private registry.
registryUser: ~
# -- Password for authenticating with a private registry.
registryPasswd: ~
# -- If create a new private registry secret is true, create a Kubernetes secret with this name; else use the existing secret of this name. Use it to pull images from your private registry.
registrySecret: ~
longhornManager:
log:
# -- Format of Longhorn Manager logs. (Options: "plain", "json")
format: plain
# -- PriorityClass for Longhorn Manager.
priorityClass: *defaultPriorityClassNameRef
# -- Toleration for Longhorn Manager on nodes allowed to run Longhorn components.
tolerations: []
## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
## and uncomment this example block
# - key: "key"
# operator: "Equal"
# value: "value"
# effect: "NoSchedule"
# -- Resource requests and limits for Longhorn Manager pods.
resources: ~
# -- Node selector for Longhorn Manager. Specify the nodes allowed to run Longhorn Manager.
nodeSelector: {}
## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
## and uncomment this example block
# label-key1: "label-value1"
# label-key2: "label-value2"
# -- Annotation for the Longhorn Manager service.
serviceAnnotations: {}
## If you want to set annotations for the Longhorn Manager service, delete the `{}` in the line above
## and uncomment this example block
# annotation-key1: "annotation-value1"
# annotation-key2: "annotation-value2"
serviceLabels: {}
## If you want to set labels for the Longhorn Manager service, delete the `{}` in the line above
## and uncomment this example block
# label-key1: "label-value1"
# label-key2: "label-value2"
## DaemonSet update strategy. Default "100% unavailable" matches the upgrade
## flow (old managers removed before new start); override for rolling updates
## if you prefer that behavior.
updateStrategy:
rollingUpdate:
maxUnavailable: "100%"
longhornDriver:
log:
# -- Format of longhorn-driver logs. (Options: "plain", "json")
format: plain
# -- PriorityClass for Longhorn Driver.
priorityClass: *defaultPriorityClassNameRef
# -- Toleration for Longhorn Driver on nodes allowed to run Longhorn components.
tolerations: []
## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
## and uncomment this example block
# - key: "key"
# operator: "Equal"
# value: "value"
# effect: "NoSchedule"
# -- Node selector for Longhorn Driver. Specify the nodes allowed to run Longhorn Driver.
nodeSelector: {}
## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
## and uncomment this example block
# label-key1: "label-value1"
# label-key2: "label-value2"
longhornUI:
# -- Replica count for Longhorn UI.
replicas: 2
# -- PriorityClass for Longhorn UI.
priorityClass: *defaultPriorityClassNameRef
# -- Affinity for Longhorn UI pods. Specify the affinity you want to use for Longhorn UI.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- longhorn-ui
topologyKey: kubernetes.io/hostname
# -- Toleration for Longhorn UI on nodes allowed to run Longhorn components.
tolerations: []
## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
## and uncomment this example block
# - key: "key"
# operator: "Equal"
# value: "value"
# effect: "NoSchedule"
# -- Node selector for Longhorn UI. Specify the nodes allowed to run Longhorn UI.
nodeSelector: {}
## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
## and uncomment this example block
# label-key1: "label-value1"
# label-key2: "label-value2"
ingress:
# -- Setting that allows Longhorn to generate ingress records for the Longhorn UI service.
enabled: true
# -- IngressClass resource that contains ingress configuration, including the name of the Ingress controller.
# ingressClassName can replace the kubernetes.io/ingress.class annotation used in earlier Kubernetes releases.
ingressClassName: ~
# -- Hostname of the Layer 7 load balancer.
host: longhorn-ui.fireflylab.local
# -- Extra hostnames for TLS (Subject Alternative Names - SAN). Used when you need multiple FQDNs for the same ingress.
# Example:
# extraHosts:
# - longhorn.example.com
# - longhorn-ui.internal.local
extraHosts: []
# -- Setting that allows you to enable TLS on ingress records.
tls: false
# -- Setting that allows you to enable secure connections to the Longhorn UI service via port 443.
secureBackends: false
# -- TLS secret that contains the private key and certificate to be used for TLS. This setting applies only when TLS is enabled on ingress records.
tlsSecret: longhorn.local-tls
# -- Default ingress path. You can access the Longhorn UI by following the full ingress path {{host}}+{{path}}.
path: /
# -- Ingress path type. To maintain backward compatibility, the default value is "ImplementationSpecific".
pathType: ImplementationSpecific
## If you're using kube-lego, you will want to add:
## kubernetes.io/tls-acme: true
##
## For a full list of possible ingress annotations, please see
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md
##
## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set
# -- Ingress annotations in the form of key-value pairs.
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: true
# -- Secret that contains a TLS private key and certificate. Use secrets if you want to use your own certificates to secure ingresses.
secrets:
## If you're providing your own certificates, please use this to add the certificates as secrets
## key and certificate should start with -----BEGIN CERTIFICATE----- or
## -----BEGIN RSA PRIVATE KEY-----
##
## name should line up with a tlsSecret set further up
## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set
##
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
# - name: longhorn.local-tls
# key:
# certificate:
httproute:
# -- Setting that allows Longhorn to generate HTTPRoute records for the Longhorn UI service using Gateway API.
enabled: false
# -- Gateway references for HTTPRoute. Specify which Gateway(s) should handle this route.
parentRefs: []
## Example:
# - name: gateway-name
# namespace: gateway-namespace
# # Optional fields with defaults:
# # group: gateway.networking.k8s.io # default
# # kind: Gateway # default
# # sectionName: https # optional, targets a specific listener
# -- List of hostnames for the HTTPRoute. Multiple hostnames are supported.
hostnames: []
## Example:
# - longhorn.example.com
# - longhorn.example.org
# -- Default path for HTTPRoute. You can access the Longhorn UI by following the full path.
path: /
# -- Path match type for HTTPRoute. (Options: "Exact", "PathPrefix")
pathType: PathPrefix
# -- Annotations for the HTTPRoute resource in the form of key-value pairs.
annotations: {}
## Example:
# annotation-key1: "annotation-value1"
# -- Setting that allows you to enable pod security policies (PSPs) that allow privileged Longhorn pods to start. This setting applies only to clusters running Kubernetes 1.25 and earlier, and with the built-in Pod Security admission controller enabled.
enablePSP: false
# -- Specify override namespace, specifically this is useful for using longhorn as sub-chart and its release namespace is not the `longhorn-system`.
namespaceOverride: ""
# -- Annotation for the Longhorn Manager DaemonSet pods. This setting is optional.
annotations: {}
serviceAccount:
# -- Annotations to add to the service account
annotations: {}
metrics:
serviceMonitor:
# -- Setting that allows the creation of a Prometheus ServiceMonitor resource for Longhorn Manager components.
enabled: false
# -- Additional labels for the Prometheus ServiceMonitor resource.
additionalLabels: {}
# -- Annotations for the Prometheus ServiceMonitor resource.
annotations: {}
# -- Interval at which Prometheus scrapes the metrics from the target.
interval: ""
# -- Timeout after which Prometheus considers the scrape to be failed.
scrapeTimeout: ""
# -- Configures the relabeling rules to apply the targets metadata labels. See the [Prometheus Operator
# documentation](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.Endpoint) for
# formatting details.
relabelings: []
# -- Configures the relabeling rules to apply to the samples before ingestion. See the [Prometheus Operator
# documentation](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.Endpoint) for
# formatting details.
metricRelabelings: []
## openshift settings
openshift:
# -- Setting that allows Longhorn to integrate with OpenShift.
enabled: false
ui:
# -- Route for connections between Longhorn and the OpenShift web console.
route: "longhorn-ui"
# -- Port for accessing the OpenShift web console.
port: 443
# -- Port for proxy that provides access to the OpenShift web console.
proxy: 8443
# -- Setting that allows Longhorn to generate code coverage profiles.
enableGoCoverDir: false
# -- Add extra objects manifests
extraObjects: []


@@ -0,0 +1,9 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: expensive
namespace: metallb
spec:
addresses:
- 192.168.1.30/32
autoAssign: true

388
metallb/values.yaml Normal file

@@ -0,0 +1,388 @@
# Default values for metallb.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
loadBalancerClass: ""
# To configure MetalLB, you must specify ONE of the following two
# options.
rbac:
# create specifies whether to install and use RBAC rules.
create: true
prometheus:
# scrape annotations specifies whether to add Prometheus metric
# auto-collection annotations to pods. See
# https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
# for a corresponding Prometheus configuration. Alternatively, you
# may want to use the Prometheus Operator
# (https://github.com/coreos/prometheus-operator) for more powerful
# monitoring configuration. If you use the Prometheus operator, this
# can be left at false.
scrapeAnnotations: false
# port both controller and speaker will listen on for metrics
metricsPort: 7472
# if set, enables rbac proxy on the controller and speaker to expose
# the metrics via tls.
# secureMetricsPort: 9120
# the name of the secret to be mounted in the speaker pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
speakerMetricsTLSSecret: ""
# the name of the secret to be mounted in the controller pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
controllerMetricsTLSSecret: ""
# prometheus doesn't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
rbacPrometheus: true
# the service account used by prometheus
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
serviceAccount: ""
# the namespace where prometheus is deployed
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
namespace: ""
# the image to be used for the kuberbacproxy container
rbacProxy:
repository: gcr.io/kubebuilder/kube-rbac-proxy
tag: v0.12.0
pullPolicy:
# Prometheus Operator PodMonitors
podMonitor:
# enable support for Prometheus Operator
enabled: false
# optional additional labels for podMonitors
additionalLabels: {}
# optional annotations for podMonitors
annotations: {}
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator ServiceMonitors. To be used as an alternative
# to podMonitor, supports secure metrics.
serviceMonitor:
# enable support for Prometheus Operator
enabled: false
speaker:
# optional additional labels for the speaker serviceMonitor
additionalLabels: {}
# optional additional annotations for the speaker serviceMonitor
annotations: {}
# optional tls configuration for the speaker serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
controller:
# optional additional labels for the controller serviceMonitor
additionalLabels: {}
# optional additional annotations for the controller serviceMonitor
annotations: {}
# optional tls configuration for the controller serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator alertmanager alerts
prometheusRule:
# enable alertmanager alerts
enabled: false
# optional additional labels for prometheusRules
additionalLabels: {}
# optional annotations for prometheusRules
annotations: {}
# MetalLBStaleConfig
staleConfig:
enabled: true
labels:
severity: warning
# MetalLBConfigNotLoaded
configNotLoaded:
enabled: true
labels:
severity: warning
# MetalLBAddressPoolExhausted
addressPoolExhausted:
enabled: true
labels:
severity: critical
# Exclude the pools matching the regular expression from triggering the alert.
excludePools: ""
addressPoolUsage:
enabled: true
thresholds:
- percent: 75
labels:
severity: warning
- percent: 85
labels:
severity: warning
- percent: 95
labels:
severity: critical
# Exclude the pools matching the regular expression from triggering the alert.
excludePools: ""
# MetalLBBGPSessionDown
bgpSessionDown:
enabled: true
labels:
severity: critical
extraAlerts: []
# controller contains configuration specific to the MetalLB cluster
# controller.
controller:
enabled: true
# -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
# command: /controller
webhookMode: enabled
image:
repository: quay.io/metallb/controller
tag:
pullPolicy:
## @param controller.updateStrategy.type Metallb controller deployment strategy type.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## e.g:
## strategy:
## type: RollingUpdate
## rollingUpdate:
## maxSurge: 25%
## maxUnavailable: 25%
##
strategy:
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
securityContext:
runAsNonRoot: true
# nobody
runAsUser: 65534
fsGroup: 65534
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
runtimeClassName: ""
affinity: {}
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
tlsMinVersion: "VersionTLS12"
tlsCipherSuites: ""
extraContainers: []
# speaker contains configuration specific to the MetalLB speaker
# daemonset.
speaker:
enabled: true
# command: /speaker
# -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
tolerateMaster: true
memberlist:
# -- When enabled: false, the speaker pods must run on all nodes
enabled: true
mlBindPort: 7946
mlBindAddrOverride: ""
mlSecretKeyPath: "/etc/ml_secret_key"
excludeInterfaces:
enabled: true
# ignore the exclude-from-external-loadbalancer label
ignoreExcludeLB: false
image:
repository: quay.io/metallb/speaker
tag:
pullPolicy:
## @param speaker.updateStrategy.type Speaker daemonset strategy type
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
##
updateStrategy:
## StrategyType
## Can be set to RollingUpdate or OnDelete
##
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
securityContext: {}
## Defines a secret name for the controller to generate a memberlist encryption secret
## By default secretName: {{ "metallb.fullname" }}-memberlist
##
# secretName:
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
affinity: {}
## Selects which runtime class will be used by the pod.
runtimeClassName: ""
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
startupProbe:
enabled: true
failureThreshold: 30
periodSeconds: 5
# frr contains configuration specific to the MetalLB FRR container,
# for speaker running alongside FRR.
frr:
enabled: true
image:
repository: quay.io/frrouting/frr
tag: 10.4.1
pullPolicy:
metricsPort: 7473
resources: {}
# if set, enables a rbac proxy sidecar container on the speaker to
# expose the frr metrics via tls.
# secureMetricsPort: 9121
reloader:
resources: {}
frrMetrics:
resources: {}
initContainers:
cpFrrFiles:
resources: {}
cpReloader:
resources: {}
cpMetrics:
resources: {}
extraContainers: []
crds:
enabled: true
validationFailurePolicy: Fail
# frrk8s contains the configuration related to using an frrk8s instance
# (github.com/metallb/frr-k8s) as the backend for the BGP implementation.
# This allows configuring additional frr parameters in combination to those
# applied by MetalLB.
frrk8s:
# if set, enables frrk8s as a backend. This is mutually exclusive to frr
# mode.
enabled: false
external: false
namespace: ""
# networkpolicies
networkpolicies:
# if set, networkpolicies for metallb components will be installed in the metallb namespace
enabled: false
# if set, a default deny network policy will be installed in the metallb namespace
defaultDeny: false
# to override internal k8s api targetPort
apiPort: 6443

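Review bot: Both ServiceMonitor `tlsConfig` stanzas under `prometheus.serviceMonitor.speaker` and `prometheus.serviceMonitor.controller` ship with `insecureSkipVerify: true`, which disables certificate verification of the kube-rbac-proxy metrics endpoint as soon as `serviceMonitor.enabled` and `secureMetricsPort` are switched on, and nothing in the file records that this is intended. The file looks like an unmodified copy of the upstream chart defaults (its header comment is the generic Helm boilerplate), so either pin these to `insecureSkipVerify: false` with a CA reference when secure metrics are enabled, or add a comment next to each such as `# TODO: set to false and reference the proxy CA before enabling secureMetricsPort`. The same applies to `networkpolicies.enabled: false` and `defaultDeny: false` near the end of the file, which leave the metallb namespace without any network policy; a one-line comment stating whether that is deliberate for this cluster would help the next reader. A header comment naming the upstream chart version these defaults were copied from would also make future diffs against upstream straightforward.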
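--- a/vault/httproute.yaml
+++ b/vault/httproute.yaml
@@ -0,0 +1,35 @@
+# HTTPRoute for HashiCorp Vault behind Envoy Gateway (Gateway API).
+# Matches the intent of server.httpRoute in values.yaml (chart may not render it yet).
+#
+# Before applying:
+# kubectl get svc -n vault
+# If the Vault Service is not named "vault" (e.g. release "foo" -> Service "foo-vault"),
+# change spec.rules[].backendRefs[].name below.
+#
+# Ensure your Gateway allows routes from namespace "vault" (listener allowedRoutes / infrastructure).
+#
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+name: vault-httproute
+namespace: vault
+spec:
+parentRefs:
+- group: gateway.networking.k8s.io
+kind: Gateway
+name: envoy-gateway
+namespace: envoy-gateway-system
+sectionName: http
+hostnames:
+- vault.fireflylab.local
+rules:
+- matches:
+- path:
+type: PathPrefix
+value: /
+backendRefs:
+- group: ""
+kind: Service
+name: vault
+port: 8200
+weight: 1
+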
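Review bot: The route binds to the Gateway listener named `http` (`sectionName: http`) and forwards everything under `/` to the Vault Service on port 8200, so Vault tokens and secret payloads would cross the client-to-gateway hop in clear text if that listener is plain HTTP; the listener name suggests it is, but the Gateway object that decides this is not part of the commit. The header comment should state the assumption explicitly, for example `# Assumes the Gateway's "http" listener is plaintext and Vault itself listens without TLS; switch sectionName to a TLS listener before exposing real secrets`. If Vault's own listener has TLS enabled, the gateway-to-backend hop on 8200 additionally needs a BackendTLSPolicy (or equivalent Envoy Gateway backend TLS setting), which the comment should mention next to the existing Service-name guidance.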
1451
vault/values.yaml Normal file
