diff --git a/.github/workflows/infra-ci-workflow.yaml b/.github/workflows/infra-ci-workflow.yaml deleted file mode 100644 index 3f8a6949..00000000 --- a/.github/workflows/infra-ci-workflow.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -name: Infra integration workflow - -on: - pull_request: - types: - - opened - - closed - - synchronize - -jobs: - - markdown-check: - uses: - ai-cfia/github-workflows/.github/workflows/workflow-markdown-check.yml@76-as-a-devops-i-would-like-to-fix-the-markdown-lint-workflow - - yaml-check: - uses: - ai-cfia/github-workflows/.github/workflows/workflow-yaml-check.yml@main - - repo-standard: - uses: - ai-cfia/github-workflows/.github/workflows/workflow-repo-standards-validation.yml@main - secrets: inherit - - terraform-check: - uses: - ai-cfia/github-workflows/.github/workflows/workflow-terraform-check.yml@main - with: - config-file-path: '.tflint.hcl' diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 864e5ba2..bd91776b 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -1,6 +1,6 @@ -name: Ai-cfia repo standard and markdown check +name: Infrastructure integration workflow -on: +on: pull_request: types: - opened @@ -8,11 +8,21 @@ on: - synchronize jobs: + markdown-check: + uses: + ai-cfia/github-workflows/.github/workflows/workflow-markdown-check.yml@76-as-a-devops-i-would-like-to-fix-the-markdown-lint-workflow + + yaml-check: + uses: + ai-cfia/github-workflows/.github/workflows/workflow-yaml-check.yml@main + repo-standard: - uses: ai-cfia/github-workflows/.github/workflows/workflow-repo-standards-validation.yml@main + uses: + ai-cfia/github-workflows/.github/workflows/workflow-repo-standards-validation.yml@main secrets: inherit - markdown-check: - uses: ai-cfia/github-workflows/.github/workflows/workflow-markdown-check.yml@main + terraform-check: + uses: + ai-cfia/github-workflows/.github/workflows/workflow-terraform-check.yml@main with: - config-file-path: '.mlc_config.json' + config-file-path: '.tflint.hcl' diff --git a/kubernetes/system/cert-manager/cert-manager.yml b/kubernetes/system/cert-manager/cert-manager.yml index 66a2ad0e..50852d2d 100644 --- a/kubernetes/system/cert-manager/cert-manager.yml +++ b/kubernetes/system/cert-manager/cert-manager.yml @@ -3,17 +3,16 @@ # Declare variables to be passed into your templates. global: # Reference to one or more secrets to be used when pulling images - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] # - name: "image-pull-secret" # Labels to apply to all resources - # Please note that this does not add labels to the resources created dynamically by the controllers. - # For these resources, you have to add the labels in the template in the cert-manager custom resource: + # Please note that this does not add labels to the resources created dynamically + # by the controllers. + # For these resources, you have to add the labels in the template in the + # cert-manager custom resource: # eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress - # ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress # eg. secretTemplate in CertificateSpec - # ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec commonLabels: {} # team_name: dev @@ -21,14 +20,14 @@ global: priorityClassName: "" rbac: create: true - # Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles aggregateClusterRoles: true podSecurityPolicy: enabled: false useAppArmor: true - # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. + # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most + # verbose. logLevel: 2 leaderElection: @@ -65,7 +64,8 @@ podDisruptionBudget: # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) # or a percentage value (e.g. 25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + # if neither minAvailable or maxUnavailable is set, we default to + # `minAvailable: 1` # minAvailable: 1 # maxUnavailable: 1 @@ -87,12 +87,14 @@ image: # tag: canary # Setting a digest will override any tag - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + # digest: + # sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent -# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer -# resources. By default, the same namespace as cert-manager is deployed within is -# used. This namespace will not be automatically created by the Helm chart. +# Override the namespace used to store DNS provider credentials +# etc. for ClusterIssuer +# resources. By default, the same namespace as cert-manager is deployed within +# is used. This namespace will not be automatically created by the Helm chart. clusterResourceNamespace: "" # This namespace allows you to define where the services will be installed into @@ -104,7 +106,8 @@ serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template + # If not set and create is true, a name is generated using the fullname + # template # name: "" # Optional additional annotations to add to the controller's ServiceAccount # annotations: {} @@ -116,7 +119,8 @@ serviceAccount: # Automounting API credentials for a particular pod # automountServiceAccountToken: true -# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted +# When this flag is enabled, secrets will be automatically removed when the +# certificate resource is deleted enableCertificateOwnerRef: false # Used to configure options for the controller pod. @@ -143,19 +147,22 @@ config: # useCertificateRequestBasicConstraints: true # Setting Nameservers for DNS01 Self Check -# See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check -# Comma separated string with host and port of the recursive nameservers cert-manager should query +# Comma separated string with host and port of the recursive nameservers +# cert-manager should query dns01RecursiveNameservers: "" # Forces cert-manager to only use the recursive nameservers for verification. -# Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers +# Enabling this option could cause the DNS01 self check to take longer due +# to caching performed by the recursive nameservers dns01RecursiveNameserversOnly: false # Additional command line flags to pass to cert-manager controller binary. -# To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help +# To see all available flags run docker run +# quay.io/jetstack/cert-manager-controller: --help extraArgs: [] - # Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver + # Use this flag to enable or disable arbitrary controllers, + # for example, disable the CertificiateRequests approver # - --controllers=*,-certificaterequests-approver extraEnv: [] @@ -167,15 +174,11 @@ resources: {} # cpu: 10m # memory: 32Mi -# Pod Security Context -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault -# Container Security Context to be set on the controller component container -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: allowPrivilegeEscalation: false capabilities: @@ -241,7 +244,7 @@ prometheus: # https_proxy: "https://proxy:8080" # no_proxy: 127.0.0.1,localhost -# A Kubernetes Affinty, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core +# A Kubernetes Affinty, if required; # for example: # affinity: # nodeAffinity: @@ -254,7 +257,7 @@ prometheus: # - master affinity: {} -# A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core +# A list of Kubernetes Tolerations, if required; # for example: # tolerations: # - key: foo.bar.com/role @@ -263,7 +266,7 @@ affinity: {} # effect: NoSchedule tolerations: [] -# A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core +# A list of Kubernetes TopologySpreadConstraints, if required; # for example: # topologySpreadConstraints: # - maxSkew: 2 @@ -280,9 +283,9 @@ topologySpreadConstraints: [] # Disabled by default, because the controller has a leader election mechanism # which should cause it to exit if it is unable to renew its leader election # record. -# LivenessProbe durations and thresholds are based on those used for the Kubernetes +# LivenessProbe durations and thresholds are based on those used for the +# Kubernetes # controller-manager. See: -# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 livenessProbe: enabled: false initialDelaySeconds: 10 @@ -311,9 +314,11 @@ webhook: # The port that the webhook should listen on for requests. # In GKE private clusters, by default kubernetes apiservers are allowed to # talk to the cluster nodes only on 443 and 10250. so configuring - # securePort: 10250, will work out of the box without needing to add firewall - # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000. - # This should be uncommented and set as a default by the chart once we graduate + # securePort: 10250, will work out of the box without needing + # to add firewall rules or requiring NET_BIND_SERVICE capabilities + # to bind port numbers <1000. + # This should be uncommented and set as a default by the chart once we + # graduate # the apiVersion of WebhookConfiguration past v1alpha1. # securePort: 10250 @@ -324,7 +329,6 @@ webhook: # maxUnavailable: 1 # Pod Security Context to be set on the webhook component Pod - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true seccompProfile: @@ -335,12 +339,12 @@ webhook: # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) # or a percentage value (e.g. 25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + # if neither minAvailable or maxUnavailable is set, we default to + # `minAvailable: 1` # minAvailable: 1 # maxUnavailable: 1 # Container Security Context to be set on the webhook component container - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: allowPrivilegeEscalation: false capabilities: @@ -358,16 +362,20 @@ webhook: # Optional additional annotations to add to the webhook Service # serviceAnnotations: {} - # Optional additional annotations to add to the webhook MutatingWebhookConfiguration + # Optional additional annotations to add to the webhook + # MutatingWebhookConfiguration # mutatingWebhookConfigurationAnnotations: {} - # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + # Optional additional annotations to add to the webhook + # ValidatingWebhookConfiguration # validatingWebhookConfigurationAnnotations: {} # Additional command line flags to pass to cert-manager webhook binary. - # To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + # To see all available flags run docker run + # quay.io/jetstack/cert-manager-webhook: --help extraArgs: [] - # Path to a file containing a WebhookConfiguration object used to configure the webhook + # Path to a file containing a WebhookConfiguration object + # used to configure the webhook # - --config= # Comma separated list of feature gates that should be enabled on the @@ -380,8 +388,6 @@ webhook: # memory: 32Mi ## Liveness and readiness probe values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## livenessProbe: failureThreshold: 3 initialDelaySeconds: 60 @@ -421,7 +427,6 @@ webhook: # tag: canary # Setting a digest will override any tag - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent @@ -429,7 +434,8 @@ webhook: # Specifies whether a service account should be created create: true # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template + # If not set and create is true, a name is generated using the fullname + # template # name: "" # Optional additional annotations to add to the controller's ServiceAccount # annotations: {} @@ -450,23 +456,23 @@ webhook: # Specifies if the webhook should be started in hostNetwork mode. # - # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom - # CNI (such as calico), because control-plane managed by AWS cannot communicate - # with pods' IP CIDR and admission webhooks are not working + # Required for use in some managed kubernetes clusters (such as AWS EKS) + # CNI (such as calico), because control-plane managed by AWS cannot + # communicate with pods' IP CIDR and admission webhooks are not working # # Since the default port for the webhook conflicts with kubelet on the host # network, `webhook.securePort` should be changed to an available port if # running in hostNetwork mode. hostNetwork: false - # Specifies how the service should be handled. Useful if you want to expose the - # webhook to outside of the cluster. In some cases, the control plane cannot - # reach internal services. + # Specifies how the service should be handled. Useful if you want to expose + # the webhook to outside of the cluster. In some cases, + # reach internal services the control plane cannot serviceType: ClusterIP # loadBalancerIP: - # Overrides the mutating webhook and validating webhook so they reach the webhook - # service using the `url` field instead of a service. + # Overrides the mutating webhook and validating webhook so they reach + # the webhook service using the `url` field instead of a service. url: {} # host: @@ -514,7 +520,6 @@ cainjector: # maxUnavailable: 1 # Pod Security Context to be set on the cainjector component Pod - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true seccompProfile: @@ -525,12 +530,12 @@ cainjector: # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) # or a percentage value (e.g. 25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + # if neither minAvailable or maxUnavailable is set, + # we default to `minAvailable: 1` # minAvailable: 1 # maxUnavailable: 1 # Container Security Context to be set on the cainjector component container - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: allowPrivilegeEscalation: false capabilities: @@ -547,7 +552,6 @@ cainjector: # podAnnotations: {} # Additional command line flags to pass to cert-manager cainjector binary. - # To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help extraArgs: [] # Enable profiling for cainjector # - --enable-profiling=true @@ -580,7 +584,6 @@ cainjector: # tag: canary # Setting a digest will override any tag - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent @@ -588,7 +591,8 @@ cainjector: # Specifies whether a service account should be created create: true # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template + # If not set and create is true, a name is generated using the + # fullname template # name: "" # Optional additional annotations to add to the controller's ServiceAccount # annotations: {} @@ -620,7 +624,6 @@ acmesolver: # tag: canary # Setting a digest will override any tag - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 # This startupapicheck is a Helm post-install hook that waits for the webhook # endpoints to become available. @@ -633,14 +636,12 @@ startupapicheck: enabled: true # Pod Security Context to be set on the startupapicheck component Pod - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault # Container Security Context to be set on the controller component container - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: allowPrivilegeEscalation: false capabilities: @@ -665,7 +666,6 @@ startupapicheck: # podAnnotations: {} # Additional command line flags to pass to startupapicheck binary. - # To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help extraArgs: [] resources: {} @@ -693,8 +693,6 @@ startupapicheck: # If no value is set, the chart's appVersion will be used. # tag: canary - # Setting a digest will override any tag - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent @@ -713,8 +711,8 @@ startupapicheck: create: true # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - # name: "" + # If not set and create is true, a name is generated using the + # fullname template name: "" # Optional additional annotations to add to the Job's ServiceAccount annotations: @@ -735,4 +733,3 @@ startupapicheck: # injected into pod's environment variables, matching the syntax of Docker # links. enableServiceLinks: false - diff --git a/kubernetes/system/ingress-nginx/ingress-nginx.yml b/kubernetes/system/ingress-nginx/ingress-nginx.yml index 25db1f01..18e5a661 100644 --- a/kubernetes/system/ingress-nginx/ingress-nginx.yml +++ b/kubernetes/system/ingress-nginx/ingress-nginx.yml @@ -1,5 +1,4 @@ ## nginx configuration -## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md ## ## Overrides for generated resource names @@ -18,8 +17,6 @@ controller: image: registry: k8s.gcr.io image: ingress-nginx/controller - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: tag: "v1.1.1" digest: sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de @@ -39,16 +36,13 @@ controller: http: 80 https: 443 - # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ config: {} # -- Annotations to be added to the controller config configuration configmap. configAnnotations: {} - # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers proxySetHeaders: {} - # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers addHeaders: {} # -- Optionally customize the pod dnsConfig. @@ -57,31 +51,18 @@ controller: # -- Optionally customize the pod hostname. hostname: {} - # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. - # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller - # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. dnsPolicy: ClusterFirst - # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network - # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply reportNodeInternalIp: false - # -- Process Ingress objects without ingressClass annotation/ingressClassName field - # Overrides value for --watch-ingress-without-class flag of the controller binary # Defaults to false watchIngressWithoutClass: false # -- Process IngressClass per name (additionally as per spec.controller). ingressClassByName: false - # -- This configuration defines if Ingress Controller should allow users to set - # their own *-snippet annotations, otherwise this is forbidden / dropped - # when users add those annotations. - # Global snippets in ConfigMap are still respected allowSnippetAnnotations: true - # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), - # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # is merged hostNetwork: false @@ -100,7 +81,6 @@ controller: electionID: ingress-controller-leader ## This section refers to the creation of the IngressClass resource - ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 ingressClassResource: # -- Name of the ingressClass name: nginx @@ -116,8 +96,6 @@ controller: # does not require extra parameters. parameters: {} - # -- For backwards compatibility with ingress.class annotation, use ingressClass. - # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation ingressClass: nginx # -- Labels to add to the pod container metadata @@ -127,7 +105,6 @@ controller: # -- Security Context policies for controller pods podSecurityContext: {} - # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls sysctls: {} # sysctls: # "net.core.somaxconn": "8192" @@ -149,27 +126,18 @@ controller: enabled: false # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) namespace: "" - # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels - # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. namespaceSelector: "" - # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) configMapNamespace: "" tcp: - # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) configMapNamespace: "" - # -- Annotations to be added to the tcp config configmap annotations: {} udp: - # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) configMapNamespace: "" - # -- Annotations to be added to the udp config configmap annotations: {} - # -- Maxmind license key to download GeoLite2 Databases. - ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases maxmindLicenseKey: "" # -- Additional command line arguments to pass to nginx-ingress-controller @@ -195,8 +163,6 @@ controller: annotations: {} # keel.sh/pollSchedule: "@every 60m" - # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels - ## labels: {} # keel.sh/policy: patch # keel.sh/trigger: poll @@ -223,9 +189,6 @@ controller: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # -- Affinity and anti-affinity rules for server scheduling to nodes - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## affinity: {} # # An example of preferred pod anti-affinity, weight is in the range 1-100 # podAntiAffinity: @@ -267,9 +230,6 @@ controller: # - controller # topologyKey: "kubernetes.io/hostname" - # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## topologySpreadConstraints: [] # - maxSkew: 1 # topologyKey: failure-domain.beta.kubernetes.io/zone @@ -290,7 +250,6 @@ controller: kubernetes.io/os: linux ## Liveness and readiness probe values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## ## startupProbe: ## httpGet: @@ -327,7 +286,6 @@ controller: failureThreshold: 3 - # -- Path of the health check endpoint. All requests received on the port defined by # the healthz-port parameter are forwarded internally to this path. healthCheckPath: "/healthz" @@ -344,10 +302,6 @@ controller: minAvailable: 1 - ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes - ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 - ## Ideally, there should be no limits. - ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ resources: ## limits: ## cpu: 100m @@ -379,7 +333,6 @@ controller: autoscalingTemplate: [] # Custom or additional autoscaling metrics - # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics # - type: Pods # pods: # metric: @@ -440,12 +393,6 @@ controller: service: enabled: true - # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were - # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # It allows choosing the protocol for each backend specified in the Kubernetes service. - # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 - # Will be ignored for Kubernetes versions older than 1.20 - ## appProtocol: true annotations: {} @@ -463,28 +410,8 @@ controller: enableHttp: true enableHttps: true - ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - - ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - # sessionAffinity: "" - - ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, - ## the service controller allocates a port from your cluster’s NodePort range. - ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - # healthCheckNodePort: 0 - - # -- Represents the dual-stack-ness requested or required by this Service. Possible values are - # SingleStack, PreferDualStack or RequireDualStack. - # The ipFamilies and clusterIPs fields depend on the value of this field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ ipFamilyPolicy: "SingleStack" - # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically - # based on cluster configuration and the ipFamilyPolicy field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ ipFamilies: - IPv4 @@ -514,9 +441,7 @@ controller: enabled: true internal: - # -- Enables an additional internal load balancer (besides the external one). enabled: false - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. annotations: {} # loadBalancerIP: "" @@ -526,11 +451,8 @@ controller: ## Set external traffic policy to: "Local" to preserve source IP on ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" # -- Additional containers to be added to the controller pod. - # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. extraContainers: [] # - name: my-sidecar # image: nginx:latest @@ -567,7 +489,6 @@ controller: extraInitContainers: [] # - name: init-myservice # image: busybox - # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] extraModules: [] ## Modules, which are mounted into the core nginx image @@ -580,7 +501,6 @@ controller: admissionWebhooks: annotations: {} - # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". ## Additional annotations to the admission webhooks. ## These annotations will be added to the ValidatingWebhookConfiguration and @@ -625,9 +545,6 @@ controller: image: registry: k8s.gcr.io image: ingress-nginx/kube-webhook-certgen - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: tag: v1.1.1 digest: sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 pullPolicy: IfNotPresent @@ -688,47 +605,8 @@ controller: additionalLabels: {} # namespace: "" rules: [] - # # These are just examples rules, please adapt them to your needs - # - alert: NGINXConfigFailed - # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: bad ingress config - nginx config test failed - # summary: uninstall the latest ingress changes to allow config reloads to resume - # - alert: NGINXCertificateExpiry - # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: ssl certificate(s) will expire in less then a week - # summary: renew expiring certificates to avoid downtime - # - alert: NGINXTooMany500s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 5XXs - # summary: More than 5% of all requests returned 5XX, this requires your attention - # - alert: NGINXTooMany400s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 4XXs - # summary: More than 5% of all requests returned 4XX, this requires your attention - - # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook: - # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds - # to 300, allowing the draining of connections up to five minutes. - # If the active connections end before that, the pod will terminate gracefully at that time. - # To effectively take advantage of this feature, the Configmap feature - # worker-shutdown-timeout new value is 240s instead of 10s. - ## + + lifecycle: preStop: exec: @@ -751,9 +629,6 @@ defaultBackend: image: registry: k8s.gcr.io image: defaultbackend-amd64 - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: tag: "1.5" pullPolicy: IfNotPresent # nobody user -> uid 65534 @@ -776,9 +651,6 @@ defaultBackend: port: 8080 - ## Readiness and liveness probes for default backend - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## livenessProbe: failureThreshold: 3 initialDelaySeconds: 30 @@ -878,7 +750,6 @@ defaultBackend: # -- Labels to be added to the default backend resources labels: {} -## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266 rbac: create: true scope: false @@ -895,25 +766,13 @@ serviceAccount: # -- Annotations for the controller service account annotations: {} -# -- Optional array of imagePullSecrets containing private registry credentials -## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] # - name: secretName -# -- TCP service key:value pairs -## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md -## tcp: {} # 8080: "default/example-tcp-svc:9000" -# -- UDP service key:value pairs -## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md -## udp: {} # 53: "kube-system/kube-dns:53" -# -- (string) A base64-encoded Diffie-Hellman parameter. -# This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` -## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param dhParam: - diff --git a/kubernetes/system/kube-prometheus-stack/kube-prometheus-stack.yml b/kubernetes/system/kube-prometheus-stack/kube-prometheus-stack.yml index 3499e792..314285a6 100644 --- a/kubernetes/system/kube-prometheus-stack/kube-prometheus-stack.yml +++ b/kubernetes/system/kube-prometheus-stack/kube-prometheus-stack.yml @@ -1251,4 +1251,3 @@ prometheus-pushgateway: # Optional service annotations serviceAnnotations: prometheus.io/probe: pushgateway -