feat: diode helm chart #184

Merged
merged 32 commits into from
Oct 15, 2024
a04c2f6
feat: diode helm chart
mfiedorowicz Oct 15, 2024
1d528ba
gha: add diode chart labeler
mfiedorowicz Oct 15, 2024
217a781
gha: add helm lint workflow
mfiedorowicz Oct 15, 2024
d5ddcac
gha(helm-lint): build dependencies
mfiedorowicz Oct 15, 2024
691cf34
gha(helm-lint): fix job name and update deps step
mfiedorowicz Oct 15, 2024
45e986b
update diode chart readme
mfiedorowicz Oct 15, 2024
803a776
gha: add helm release workflow
mfiedorowicz Oct 15, 2024
e1f46b9
update diode chart readme
mfiedorowicz Oct 15, 2024
259fdac
update diode chart readme
mfiedorowicz Oct 15, 2024
c5eabd4
tidy up diode chart readme
mfiedorowicz Oct 15, 2024
10b0599
gha(helm-release): remove pr permission
mfiedorowicz Oct 15, 2024
4818668
gha(helm-release): test release
mfiedorowicz Oct 15, 2024
6a68e78
pin diode service versions
mfiedorowicz Oct 15, 2024
571cdaa
test chart version bump
mfiedorowicz Oct 15, 2024
8fac2b0
gha(helm-release): skip existing checks
mfiedorowicz Oct 15, 2024
6f805f3
gha(helm-release): try charts_dir
mfiedorowicz Oct 15, 2024
7c659f2
gha(helm-release): try fetch-depth
mfiedorowicz Oct 15, 2024
918a30c
gha(helm-release): build dependencies
mfiedorowicz Oct 15, 2024
290f557
gha(helm-release): add dependency repos
mfiedorowicz Oct 15, 2024
5d8c362
gha(helm-release): test git config
mfiedorowicz Oct 15, 2024
555a4f1
gha(helm-release): use github-actions user
mfiedorowicz Oct 15, 2024
c9baac8
trigger test release
mfiedorowicz Oct 15, 2024
9bd8dee
gha(helm-release): use GITHUB_ACTOR user
mfiedorowicz Oct 15, 2024
3583da6
gha(helm-release): customise release name template
mfiedorowicz Oct 15, 2024
328eff5
update readme
mfiedorowicz Oct 15, 2024
3e2d75a
gha(helm-release): customise index path
mfiedorowicz Oct 15, 2024
4745f01
gha(helm-release): customise index path
mfiedorowicz Oct 15, 2024
17e9c39
gha(helm-release): remove pages index path
mfiedorowicz Oct 15, 2024
2dbc25c
gha(helm-release): index path, another attempt
mfiedorowicz Oct 15, 2024
d07acf8
test bump chart version
mfiedorowicz Oct 15, 2024
6928b6e
de-bump chart version
mfiedorowicz Oct 15, 2024
0f67c58
tidy up helm-release
mfiedorowicz Oct 15, 2024
23 changes: 23 additions & 0 deletions charts/diode/.helmignore
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
12 changes: 12 additions & 0 deletions charts/diode/Chart.lock
@@ -0,0 +1,12 @@
dependencies:
- name: ingress-nginx
repository: https://kubernetes.github.io/ingress-nginx
version: 4.11.2
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.16.1
- name: redis
repository: oci://registry-1.docker.io/bitnamicharts
version: 20.1.4
digest: sha256:f89ee5fc93ebfc48d7566073c20cbe8ab7b632e73f2fbd860b84d1b7a01ecf48
generated: "2024-10-14T19:29:43.398885+01:00"
26 changes: 26 additions & 0 deletions charts/diode/Chart.yaml
@@ -0,0 +1,26 @@
apiVersion: v2
name: diode
description: A Helm chart for Diode
type: application
version: 0.1.0
appVersion: "0.6.0"
home: https://github.com/netboxlabs/diode
sources:
- https://github.com/netboxlabs/diode
maintainers:
- name: NetBox Labs
email: [email protected]
url: https://github.com/netboxlabs
dependencies:
- name: ingress-nginx
version: 4.11.2
repository: https://kubernetes.github.io/ingress-nginx
condition: ingress-nginx.enabled
- name: cert-manager
version: 1.16.1
repository: https://charts.jetstack.io
condition: cert-manager.enabled
- name: redis
version: 20.1.4
repository: oci://registry-1.docker.io/bitnamicharts
condition: redis.enabled
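Review bot: `appVersion: "0.6.0"` is not tied to what actually gets deployed. The Values table in the chart README defaults `diodeIngester.image.tag`, `diodeReconciler.image.tag` and `redis.image.tag` to `latest`, so two installs of chart 0.1.0 can end up running different code. Consider defaulting the diode image tags to `.Chart.AppVersion` in the templates and pinning the redis-stack-server tag, so that a chart version maps to a known set of images.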
118 changes: 118 additions & 0 deletions charts/diode/README.md
@@ -0,0 +1,118 @@
# diode

A Helm chart for Diode

![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.0](https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square)

## Installing the Chart

Install custom resource definitions for cert-manager (if enabled):
```console
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
```

Create namespaces for ingress-nginx and cert-manager:
```console
kubectl create namespace diode-ingress
kubectl create namespace diode-cert-manager
```

Install the chart with the release name `my-release`:

```console
$ helm repo add diode https://netboxlabs.github.io/diode
$ helm install my-release diode/diode --namespace my-namespace --create-namespace
```

# Create namespaces

kubectl create namespace diode-ingress
kubectl create namespace diode-cert-manager

## Requirements

| Repository | Name | Version |
|------------|------|---------|
| https://charts.jetstack.io | cert-manager | 1.16.1 |
| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.11.2 |
| oci://registry-1.docker.io/bitnamicharts | redis | 20.1.4 |

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cert-manager | object | `{"enabled":false,"namespace":"diode-cert-manager"}` | ref: https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml |
| cert-manager.enabled | bool | `false` | cert-manager enabled |
| cert-manager.namespace | string | `"diode-cert-manager"` | cert-manager namespace |
| certIssuer.email | string | `""` | email address for ACME registration |
| certIssuer.enabled | bool | `false` | enable certificate issuer creation |
| certIssuer.kind | string | `"Issuer"` | issuer kind (Issuer or ClusterIssuer) ref: https://cert-manager.io/docs/configuration/acme/ |
| certIssuer.name | string | `""` | issuer name |
| certIssuer.prod | bool | `false` | determines whether to use Let's Encrypt production or staging environment |
| certIssuer.solvers | list | `[{"http01":{"ingress":{"ingressClassName":"nginx"}}}]` | solvers for the issuer |
| diodeIngester.affinity | object | `{}` | custom affinity rules for the pod |
| diodeIngester.config.reconcilerGrpcHost | string | `"diode-reconciler"` | diode-reconciler gRPC host |
| diodeIngester.config.reconcilerGrpcPort | int | `8081` | diode-reconciler gRPC port |
| diodeIngester.config.sentryDsn | string | `""` | sentry DSN |
| diodeIngester.containerPort | int | `8081` | port to listen on |
| diodeIngester.existingSecret | string | `""` | existing secret for diode-ingester |
| diodeIngester.image.pullPolicy | string | `"IfNotPresent"` | image pull policy |
| diodeIngester.image.repository | string | `"netboxlabs/diode-ingester"` | image repository |
| diodeIngester.image.securityContext | object | `{}` | security context for the container |
| diodeIngester.image.tag | string | `"latest"` | image tag |
| diodeIngester.nodeSelector | object | `{}` | node selector for the pod |
| diodeIngester.podAnnotations | object | `{}` | additional pod annotations |
| diodeIngester.podLabels | object | `{}` | additional pod labels |
| diodeIngester.podSecurityContext | object | `{}` | additional pod security context |
| diodeIngester.replicas | int | `1` | number of replicas |
| diodeIngester.resources | object | `{}` | resources to allocate for the container |
| diodeIngester.secrets.ingesterToReconcilerAPIKey | string | `""` | API key for authentication between diode-ingester and diode-reconciler |
| diodeIngester.secrets.redisPassword | string | `""` | redis password, must match the password in the redis chart or external redis |
| diodeIngester.serviceAccount.create | bool | `true` | create service account |
| diodeIngester.serviceAccount.name | string | `"diode-ingester"` | service account name |
| diodeIngester.serviceName | string | `"diode-ingester"` | service name |
| diodeIngester.tolerations | list | `[]` | tolerations to use with node taints |
| diodeReconciler.affinity | object | `{}` | custom affinity rules for the pod |
| diodeReconciler.config.loggingLevel | string | `"DEBUG"` | logging level |
| diodeReconciler.config.migrationEnabled | bool | `true` | migration enabled |
| diodeReconciler.config.netboxDiodePluginAPIBaseURL | string | `"https://<NETBOX_BASE_URL>/api/plugins/diode"` | NetBox plugin API base URL |
| diodeReconciler.config.netboxDiodePluginSkipTLSVerify | bool | `false` | NetBox plugin skip TLS verify |
| diodeReconciler.config.sentryDsn | string | `""` | sentry DSN |
| diodeReconciler.containerPort | int | `8081` | port to listen on |
| diodeReconciler.existingSecret | string | `""` | existing secret for diode-ingester |
| diodeReconciler.image.pullPolicy | string | `"IfNotPresent"` | image pull policy |
| diodeReconciler.image.repository | string | `"netboxlabs/diode-reconciler"` | image repository |
| diodeReconciler.image.securityContext | object | `{}` | security context for the container |
| diodeReconciler.image.tag | string | `"latest"` | image tag |
| diodeReconciler.nodeSelector | object | `{}` | node selector for the pod |
| diodeReconciler.podAnnotations | object | `{}` | additional pod annotations |
| diodeReconciler.podLabels | object | `{}` | additional pod labels |
| diodeReconciler.podSecurityContext | object | `{}` | additional pod security context |
| diodeReconciler.replicas | int | `1` | number of replicas |
| diodeReconciler.resources | object | `{}` | |
| diodeReconciler.secrets.diodeAPIKey | string | `""` | API key for authentication of diode ingestion requests |
| diodeReconciler.secrets.diodeToNetboxAPIKey | string | `""` | API key for authentication between diode and NetBox API |
| diodeReconciler.secrets.ingesterToReconcilerAPIKey | string | `""` | API key for authentication between diode-ingester and diode-reconciler |
| diodeReconciler.secrets.netboxToDiodeAPIKey | string | `""` | API key for authentication between NetBox API and diode |
| diodeReconciler.secrets.redisPassword | string | `""` | redis password, must match the password in the redis chart or external redis |
| diodeReconciler.serviceAccount.create | bool | `true` | create service account |
| diodeReconciler.serviceAccount.name | string | `"diode-reconciler"` | service account name |
| diodeReconciler.serviceName | string | `"diode-reconciler"` | service name |
| diodeReconciler.tolerations | list | `[]` | tolerations to use with node taints |
| externalRedis.host | string | `""` | external redis host |
| externalRedis.port | int | `6379` | external redis port |
| ingress-nginx | object | `{"controller":{"allowSnippetAnnotations":true},"enabled":true,"hostname":"","ingressClass":"nginx","namespaceOverride":"diode-ingress"}` | ref: https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml |
| ingress-nginx.controller.allowSnippetAnnotations | bool | `true` | allow snippet annotations |
| ingress-nginx.enabled | bool | `true` | ingress-nginx enabled |
| ingress-nginx.hostname | string | `""` | hostname |
| ingress-nginx.ingressClass | string | `"nginx"` | ingress class |
| ingress-nginx.namespaceOverride | string | `"diode-ingress"` | override ingress-nginx namespace |
| redis | object | `{"auth":{"existingSecret":"diode-ingester-secret","existingSecretPasswordKey":"REDIS_PASSWORD"},"commonConfiguration":"appendonly yes\nsave 60 1\nloadmodule /opt/redis-stack/lib/rejson.so\nloadmodule /opt/redis-stack/lib/redisearch.so","enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis/redis-stack-server","tag":"latest"},"replica":{"replicaCount":1}}` | ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml |
| redis.auth.existingSecret | string | `"diode-ingester-secret"` | existing secret for redis password, either diodeIngester.existingSecret, diode-ingester-secret (created from diodeIngester.secrets) or your custom secret |
| redis.auth.existingSecretPasswordKey | string | `"REDIS_PASSWORD"` | existing secret key for redis password |
| redis.commonConfiguration | string | `"appendonly yes\nsave 60 1\nloadmodule /opt/redis-stack/lib/rejson.so\nloadmodule /opt/redis-stack/lib/redisearch.so"` | redis configuration |
| redis.enabled | bool | `true` | redis enabled |
| redis.image.pullPolicy | string | `"IfNotPresent"` | redis image pull policy |
| redis.image.repository | string | `"redis/redis-stack-server"` | redis image repository |
| redis.image.tag | string | `"latest"` | redis image tag |
| redis.replica.replicaCount | int | `1` | number of redis replicas |
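Review bot: `ingress-nginx.controller.allowSnippetAnnotations` defaults to `true` in the Values table, which lets anyone who can create or edit an Ingress object inject raw nginx configuration into the bundled controller. Unless the chart's own Ingress depends on snippet annotations, default it to `false` and document when to opt in. Two smaller points in the same table: `diodeReconciler.config.loggingLevel` defaults to `"DEBUG"`, which is a verbose setting for a default install, and the `diodeReconciler.existingSecret` description reads "existing secret for diode-ingester", which looks like a copy-paste slip (`diodeReconciler.resources` has no description at all).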
41 changes: 41 additions & 0 deletions charts/diode/README.md.gotmpl
@@ -0,0 +1,41 @@
{{ template "chart.header" . }}
{{ template "chart.description" . }}

{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}

## Installing the Chart

{{- define "cert-manager-version" }}
{{- range .Dependencies }}
{{- if eq .Name "cert-manager" }}
{{- .Version }}
{{- end }}
{{- end }}
{{- end }}

Install custom resource definitions for cert-manager (if enabled):
```console
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v{{ template "cert-manager-version" . }}/cert-manager.crds.yaml
```

Create namespaces for ingress-nginx and cert-manager:
```console
kubectl create namespace diode-ingress
kubectl create namespace diode-cert-manager
```

Install the chart with the release name `my-release`:

```console
$ helm repo add diode https://netboxlabs.github.io/{{ template "chart.name" . }}
$ helm install my-release diode/{{ template "chart.name" . }} --namespace my-namespace --create-namespace
```

# Create namespaces

kubectl create namespace diode-ingress
kubectl create namespace diode-cert-manager

{{ template "chart.requirementsSection" . }}

{{ template "chart.valuesSection" . }}
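Review bot: the trailing `# Create namespaces` block, just before `chart.requirementsSection`, repeats the two `kubectl create namespace` commands already given in the fenced block above it, this time as a top-level `#` heading with unfenced commands. In the generated README.md that renders as a second H1 followed by run-together text. Drop it from the template and regenerate. The install steps also create `diode-ingress` and `diode-cert-manager` unconditionally while only the CRD step is marked "(if enabled)"; the namespace step deserves the same qualifier.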
4 changes: 4 additions & 0 deletions charts/diode/templates/NOTES.txt
@@ -0,0 +1,4 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
DESCRIPTION: {{ .Chart.Description }}
43 changes: 43 additions & 0 deletions charts/diode/templates/_helpers.tpl
@@ -0,0 +1,43 @@
{{/*
Define redis host
*/}}
{{- define "diode.redis.host" -}}
{{- if .Values.redis.enabled -}}
{{- printf "%s-redis-master.%s.svc.cluster.local" .Release.Name .Release.Namespace -}}
{{- else -}}
{{- .Values.externalRedis.host -}}
{{- end -}}
{{- end -}}

{{/*
Define redis port
*/}}
{{- define "diode.redis.port" -}}
{{- if .Values.redis.enabled -}}
{{- .Values.redis.master.containerPorts.redis -}}
{{- else -}}
{{- .Values.externalRedis.port -}}
{{- end -}}
{{- end -}}

{{/*
Define diode-ingester-secret
*/}}
{{- define "diode-ingester.secret" -}}
{{- if .Values.diodeIngester.existingSecret -}}
{{- .Values.diodeIngester.existingSecret -}}
{{- else -}}
{{- printf "%s-secret" .Values.diodeIngester.serviceName -}}
{{- end -}}
{{- end -}}

{{/*
Define diode-reconciler-secret
*/}}
{{- define "diode-reconciler.secret" -}}
{{- if .Values.diodeReconciler.existingSecret -}}
{{- .Values.diodeReconciler.existingSecret -}}
{{- else -}}
{{- printf "%s-secret" .Values.diodeReconciler.serviceName -}}
{{- end -}}
{{- end -}}
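Review bot: the `else` branches of `diode.redis.host` and `diode.redis.port` return `.Values.externalRedis.host` and `.Values.externalRedis.port` unchecked, and the README lists `externalRedis.host` as `""` by default, so setting `redis.enabled=false` without a host renders an empty `REDIS_HOST` and the problem only shows up at runtime. Wrap the host in `required`, for example `{{- required "externalRedis.host is required when redis.enabled=false" .Values.externalRedis.host -}}`. In the enabled branch, the hard-coded `%s-redis-master.%s.svc.cluster.local` assumes the default cluster domain and the subchart's default resource naming; a comment stating that assumption, or a value for the cluster domain, would make the failure mode easier to diagnose.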
11 changes: 11 additions & 0 deletions charts/diode/templates/diode-ingester-configmap.yaml
@@ -0,0 +1,11 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.diodeIngester.serviceName }}-config
namespace: {{ .Release.Namespace }}
data:
RECONCILER_GRPC_HOST: {{ .Values.diodeIngester.config.reconcilerGrpcHost | quote }}
RECONCILER_GRPC_PORT: {{ .Values.diodeIngester.config.reconcilerGrpcPort | quote }}
REDIS_HOST: {{ include "diode.redis.host" . | quote }}
REDIS_PORT: {{ include "diode.redis.port" . | quote }}
SENTRY_DSN: {{ .Values.diodeIngester.config.sentryDsn | quote }}
85 changes: 85 additions & 0 deletions charts/diode/templates/diode-ingester-deployment.yaml
@@ -0,0 +1,85 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.diodeIngester.serviceName }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.diodeIngester.serviceName }}
spec:
replicas: {{ .Values.diodeIngester.replicas }}
selector:
matchLabels:
app: {{ .Values.diodeIngester.serviceName }}
template:
metadata:
annotations:
checksum/config-ingester: {{ include (printf "%s/%s-configmap.yaml" $.Template.BasePath .Values.diodeIngester.serviceName) . | sha256sum }}
checksum/config-reconciler: {{ include (printf "%s/%s-configmap.yaml" $.Template.BasePath .Values.diodeReconciler.serviceName) . | sha256sum }}
{{- if not .Values.diodeIngester.existingSecret }}
checksum/secret-ingester: {{ include (printf "%s/%s-secret.yaml" $.Template.BasePath .Values.diodeIngester.serviceName ) . | sha256sum }}
{{- end }}
{{- if not .Values.diodeReconciler.existingSecret }}
checksum/secret-reconciler: {{ include (printf "%s/%s-secret.yaml" $.Template.BasePath .Values.diodeReconciler.serviceName ) . | sha256sum }}
{{- end }}
{{- with .Values.diodeIngester.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app: {{ .Values.diodeIngester.serviceName }}
{{- with .Values.diodeIngester.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ .Values.diodeIngester.serviceAccount.name }}
{{- with .Values.diodeIngester.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.diodeIngester.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.diodeIngester.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.diodeIngester.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "diode-ingester.secret" . }}
secret:
secretName: {{ include "diode-ingester.secret" . }}
initContainers:
{{- if .Values.redis.enabled }}
- name: wait-for-redis
image: busybox:latest
command: [ 'sh', '-c', 'until nc -z {{ include "diode.redis.host" . }} {{ include "diode.redis.port" . }}; do echo "Waiting for Redis"; sleep 3; done; echo "Redis is up and running";' ]
{{- end }}
- name: wait-for-diode-reconciler
image: busybox:latest
command: [ 'sh', '-c', 'until nc -z {{ .Values.diodeReconciler.serviceName }} {{ .Values.diodeReconciler.containerPort | default 8081 }}; do echo "Waiting for Diode Reconciler"; sleep 3; done; echo "Diode Reconciler is up and running";' ]
containers:
- name: diode-ingester
image: "{{ .Values.diodeIngester.image.repository }}:{{ .Values.diodeIngester.image.tag }}"
imagePullPolicy: {{ .Values.diodeIngester.image.pullPolicy }}
ports:
- containerPort: {{ .Values.diodeIngester.containerPort | default 8081 }}
{{- with .Values.diodeIngester.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.diodeIngester.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /{{ include "diode-ingester.secret" . }}
name: {{ include "diode-ingester.secret" . }}
readOnly: true
envFrom:
- configMapRef:
name: {{ .Values.diodeIngester.serviceName }}-config
- secretRef:
name: {{ include "diode-ingester.secret" . }}
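Review bot: the container-level block reads `.Values.diodeIngester.securityContext`, but the README documents that setting as `diodeIngester.image.securityContext`, so a security context supplied under the documented key is silently ignored and the container runs with defaults. Use one key in both the template and the values. The `checksum/*` annotations build the template path from the service name (`printf "%s/%s-configmap.yaml" $.Template.BasePath .Values.diodeIngester.serviceName`), so overriding `diodeIngester.serviceName` or `diodeReconciler.serviceName` makes `include` point at a template that does not exist; hard-code the file names instead. Both init containers use `busybox:latest` with no `securityContext` or `resources`; pin the tag and give them the same restrictions as the main container.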
10 changes: 10 additions & 0 deletions charts/diode/templates/diode-ingester-secret.yaml
@@ -0,0 +1,10 @@
{{ if not .Values.diodeIngester.existingSecret -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.diodeIngester.serviceName }}-secret
namespace: {{ .Release.Namespace }}
stringData:
INGESTER_TO_RECONCILER_API_KEY: {{ .Values.diodeIngester.secrets.ingesterToReconcilerAPIKey | quote }}
REDIS_PASSWORD: {{ .Values.diodeIngester.secrets.redisPassword | quote }}
{{- end -}}
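Review bot: both keys in `stringData` default to `""` (see `diodeIngester.secrets.*` in the README) and nothing here rejects that, so a default install creates a Secret with an empty `INGESTER_TO_RECONCILER_API_KEY` and an empty `REDIS_PASSWORD`, and the README shows the redis subchart reads its password from this same Secret via `redis.auth.existingSecret`. Fail the render with `required` when `existingSecret` is unset and a value is empty, or generate a random value. The Secret name is derived from `serviceName` while `redis.auth.existingSecret` defaults to the literal `diode-ingester-secret`, so the two drift apart if `serviceName` is overridden; document that coupling or derive both from one value.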