sa_8001/dsk-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
havelight-ee
2023-05-30 14:44:26 +09:00
parent 9a3174deef
commit 4c32a7239d
2598 changed files with 164595 additions and 487 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
kubespray/roles/network_plugin/cilium/templates/hubble/config.yml.j2 Normal file
View File

@@ -0,0 +1,87 @@
---
# Source: cilium/templates/hubble-relay-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-relay-config
namespace: kube-system
data:
config.yaml: |
peer-service: unix:///var/run/cilium/hubble.sock
listen-address: :4245
dial-timeout:
retry-timeout:
sort-buffer-len-max:
sort-buffer-drain-timeout:
tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt
tls-client-key-file: /var/lib/hubble-relay/tls/client.key
tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
disable-server-tls: {% if cilium_hubble_tls_generate %}false{% else %}true{% endif %}
disable-client-tls: {% if cilium_hubble_tls_generate %}false{% else %}true{% endif %}
---
# Source: cilium/templates/hubble-ui-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-ui-envoy
namespace: kube-system
data:
envoy.yaml: |
static_resources:
listeners:
- name: listener_hubble_ui
address:
socket_address:
address: 0.0.0.0
port_value: 8081
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
config:
codec_type: auto
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ['*']
routes:
- match:
prefix: '/api/'
route:
cluster: backend
max_grpc_timeout: 0s
prefix_rewrite: '/'
- match:
prefix: '/'
route:
cluster: frontend
cors:
allow_origin_string_match:
- prefix: '*'
allow_methods: GET, PUT, DELETE, POST, OPTIONS
allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
max_age: '1728000'
expose_headers: grpc-status,grpc-message
http_filters:
- name: envoy.filters.http.grpc_web
- name: envoy.filters.http.cors
- name: envoy.filters.http.router
clusters:
- name: frontend
connect_timeout: 0.25s
type: strict_dns
lb_policy: round_robin
hosts:
- socket_address:
address: 127.0.0.1
port_value: 8080
- name: backend
connect_timeout: 0.25s
type: logical_dns
lb_policy: round_robin
http2_protocol_options: {}
hosts:
- socket_address:
address: 127.0.0.1
port_value: 8090

106
kubespray/roles/network_plugin/cilium/templates/hubble/cr.yml.j2 Normal file
View File

@@ -0,0 +1,106 @@
{% if cilium_hubble_tls_generate %}
---
# Source: cilium/templates/hubble-generate-certs-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: hubble-generate-certs
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- hubble-server-certs
- hubble-relay-client-certs
- hubble-relay-server-certs
verbs:
- update
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- hubble-ca-cert
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- hubble-ca-secret
verbs:
- get
{% endif %}
---
# Source: cilium/templates/hubble-relay-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-relay
rules:
- apiGroups:
- ""
resources:
- componentstatuses
- endpoints
- namespaces
- nodes
- pods
- services
verbs:
- get
- list
- watch
---
# Source: cilium/templates/hubble-ui-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-ui
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- componentstatuses
- endpoints
- namespaces
- nodes
- pods
- services
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- "*"
verbs:
- get
- list
- watch

44
kubespray/roles/network_plugin/cilium/templates/hubble/crb.yml.j2 Normal file
View File

@@ -0,0 +1,44 @@
{% if cilium_hubble_tls_generate %}
---
# Source: cilium/templates/hubble-generate-certs-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: hubble-generate-certs
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hubble-generate-certs
subjects:
- kind: ServiceAccount
name: hubble-generate-certs
namespace: kube-system
{% endif %}
---
# Source: cilium/templates/hubble-relay-clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-relay
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hubble-relay
subjects:
- kind: ServiceAccount
namespace: kube-system
name: hubble-relay
---
# Source: cilium/templates/hubble-ui-clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-ui
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hubble-ui
subjects:
- kind: ServiceAccount
namespace: kube-system
name: hubble-ui

49
kubespray/roles/network_plugin/cilium/templates/hubble/cronjob.yml.j2 Normal file
View File

@@ -0,0 +1,49 @@
---
# Source: cilium/templates/hubble-generate-certs-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
k8s-app: hubble-generate-certs
spec:
schedule: "0 0 1 */4 *"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
labels:
k8s-app: hubble-generate-certs
spec:
serviceAccount: hubble-generate-certs
serviceAccountName: hubble-generate-certs
containers:
- name: certgen
image: "{{ cilium_hubble_certgen_image_repo }}:{{ cilium_hubble_certgen_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
command:
- "/usr/bin/cilium-certgen"
# Because this is executed as a job, we pass the values as command
# line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod.
args:
- "--cilium-namespace=kube-system"
- "--hubble-ca-reuse-secret=true"
- "--hubble-ca-secret-name=hubble-ca-secret"
- "--hubble-ca-generate=true"
- "--hubble-ca-validity-duration=94608000s"
- "--hubble-ca-config-map-create=true"
- "--hubble-ca-config-map-name=hubble-ca-cert"
- "--hubble-server-cert-generate=true"
- "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
- "--hubble-server-cert-validity-duration=94608000s"
- "--hubble-server-cert-secret-name=hubble-server-certs"
- "--hubble-relay-client-cert-generate=true"
- "--hubble-relay-client-cert-validity-duration=94608000s"
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
- "--hubble-relay-server-cert-generate=false"
hostNetwork: true
restartPolicy: OnFailure
ttlSecondsAfterFinished: 1800

161
kubespray/roles/network_plugin/cilium/templates/hubble/deploy.yml.j2 Normal file
View File

@@ -0,0 +1,161 @@
---
# Source: cilium/templates/hubble-relay-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: hubble-relay
labels:
k8s-app: hubble-relay
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
k8s-app: hubble-relay
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
labels:
k8s-app: hubble-relay
spec:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: "k8s-app"
operator: In
values:
- cilium
topologyKey: "kubernetes.io/hostname"
containers:
- name: hubble-relay
image: "{{ cilium_hubble_relay_image_repo }}:{{ cilium_hubble_relay_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
command:
- hubble-relay
args:
- serve
ports:
- name: grpc
containerPort: 4245
readinessProbe:
tcpSocket:
port: grpc
livenessProbe:
tcpSocket:
port: grpc
volumeMounts:
- mountPath: /var/run/cilium
name: hubble-sock-dir
readOnly: true
- mountPath: /etc/hubble-relay
name: config
readOnly: true
- mountPath: /var/lib/hubble-relay/tls
name: tls
readOnly: true
restartPolicy: Always
serviceAccount: hubble-relay
serviceAccountName: hubble-relay
terminationGracePeriodSeconds: 0
volumes:
- configMap:
name: hubble-relay-config
items:
- key: config.yaml
path: config.yaml
name: config
- hostPath:
path: /var/run/cilium
type: Directory
name: hubble-sock-dir
- projected:
sources:
- secret:
name: hubble-relay-client-certs
items:
- key: tls.crt
path: client.crt
- key: tls.key
path: client.key
- configMap:
name: hubble-ca-cert
items:
- key: ca.crt
path: hubble-server-ca.crt
name: tls
---
# Source: cilium/templates/hubble-ui-deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: kube-system
labels:
k8s-app: hubble-ui
name: hubble-ui
spec:
replicas: 1
selector:
matchLabels:
k8s-app: hubble-ui
template:
metadata:
annotations:
labels:
k8s-app: hubble-ui
spec:
securityContext:
runAsUser: 1001
serviceAccount: hubble-ui
serviceAccountName: hubble-ui
containers:
- name: frontend
image: "{{ cilium_hubble_ui_image_repo }}:{{ cilium_hubble_ui_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
ports:
- containerPort: 8080
name: http
resources:
{}
- name: backend
image: "{{ cilium_hubble_ui_backend_image_repo }}:{{ cilium_hubble_ui_backend_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
env:
- name: EVENTS_SERVER_PORT
value: "8090"
- name: FLOWS_API_ADDR
value: "hubble-relay:80"
ports:
- containerPort: 8090
name: grpc
resources:
{}
- name: proxy
image: "{{ cilium_hubble_envoy_image_repo }}:{{ cilium_hubble_envoy_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
ports:
- containerPort: 8081
name: http
resources:
{}
command: ["envoy"]
args:
[
"-c",
"/etc/envoy.yaml",
"-l",
"info"
]
volumeMounts:
- name: hubble-ui-envoy-yaml
mountPath: /etc/envoy.yaml
subPath: envoy.yaml
volumes:
- name: hubble-ui-envoy-yaml
configMap:
name: hubble-ui-envoy

45
kubespray/roles/network_plugin/cilium/templates/hubble/job.yml.j2 Normal file
View File

@@ -0,0 +1,45 @@
---
# Source: cilium/templates/hubble-generate-certs-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
k8s-app: hubble-generate-certs
spec:
template:
metadata:
labels:
k8s-app: hubble-generate-certs
spec:
serviceAccount: hubble-generate-certs
serviceAccountName: hubble-generate-certs
containers:
- name: certgen
image: "{{ cilium_hubble_certgen_image_repo }}:{{ cilium_hubble_certgen_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
command:
- "/usr/bin/cilium-certgen"
# Because this is executed as a job, we pass the values as command
# line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod.
args:
- "--cilium-namespace=kube-system"
- "--hubble-ca-reuse-secret=true"
- "--hubble-ca-secret-name=hubble-ca-secret"
- "--hubble-ca-generate=true"
- "--hubble-ca-validity-duration=94608000s"
- "--hubble-ca-config-map-create=true"
- "--hubble-ca-config-map-name=hubble-ca-cert"
- "--hubble-server-cert-generate=true"
- "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
- "--hubble-server-cert-validity-duration=94608000s"
- "--hubble-server-cert-secret-name=hubble-server-certs"
- "--hubble-relay-client-cert-generate=true"
- "--hubble-relay-client-cert-validity-duration=94608000s"
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
- "--hubble-relay-server-cert-generate=false"
hostNetwork: true
restartPolicy: OnFailure
ttlSecondsAfterFinished: 1800

23
kubespray/roles/network_plugin/cilium/templates/hubble/sa.yml.j2 Normal file
View File

@@ -0,0 +1,23 @@
{% if cilium_hubble_tls_generate %}
---
# Source: cilium/templates/hubble-generate-certs-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hubble-generate-certs
namespace: kube-system
{% endif %}
---
# Source: cilium/templates/hubble-relay-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hubble-relay
namespace: kube-system
---
# Source: cilium/templates/hubble-ui-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hubble-ui
namespace: kube-system

58
kubespray/roles/network_plugin/cilium/templates/hubble/service.yml.j2 Normal file
View File

@@ -0,0 +1,58 @@
{% if cilium_enable_prometheus or cilium_enable_hubble_metrics %}
---
# Source: cilium/templates/cilium-agent-service.yaml
kind: Service
apiVersion: v1
metadata:
name: hubble-metrics
namespace: kube-system
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: "9091"
labels:
k8s-app: hubble
spec:
clusterIP: None
type: ClusterIP
ports:
- name: hubble-metrics
port: 9091
protocol: TCP
targetPort: hubble-metrics
selector:
k8s-app: cilium
{% endif %}
---
# Source: cilium/templates/hubble-relay-service.yaml
kind: Service
apiVersion: v1
metadata:
name: hubble-relay
namespace: kube-system
labels:
k8s-app: hubble-relay
spec:
type: ClusterIP
selector:
k8s-app: hubble-relay
ports:
- protocol: TCP
port: 80
targetPort: 4245
---
# Source: cilium/templates/hubble-ui-service.yaml
kind: Service
apiVersion: v1
metadata:
name: hubble-ui
labels:
k8s-app: hubble-ui
namespace: kube-system
spec:
selector:
k8s-app: hubble-ui
ports:
- name: http
port: 80
targetPort: 8081
type: ClusterIP