From 61274cdf4f0ab52bfa0af713a224a3fc5ba26f4e Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Mon, 29 Jan 2024 02:05:23 +0700 Subject: [PATCH 001/110] Add redis serviceaccount --- .../templates/redis/ServiceAccount.yaml | 18 ++++++++++++ charts/netbox/values.yaml | 29 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 charts/netbox/templates/redis/ServiceAccount.yaml diff --git a/charts/netbox/templates/redis/ServiceAccount.yaml b/charts/netbox/templates/redis/ServiceAccount.yaml new file mode 100644 index 00000000..5bb6e1db --- /dev/null +++ b/charts/netbox/templates/redis/ServiceAccount.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.serviceAccount.create (not .Values.sentinel.enabled) }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "redis.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index fd96014c..6910308a 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
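Review bot: The guard `{{- if and .Values.serviceAccount.create (not .Values.sentinel.enabled) }}` dereferences `.Values.sentinel`, which is not defined anywhere visible in this series (the commit's values.yaml hunk adds only a `tls` block), so Helm aborts the render with a nil-pointer error on that line unless a `sentinel` stanza exists elsewhere in values.yaml. The condition, the `redis.serviceAccountName` and `common.*` helpers and the VMware copyright header all look carried over from the Bitnami redis chart; either add a documented `sentinel.enabled: false` to values.yaml (or drop the sentinel clause) and confirm the two helpers and the `common` library dependency are present in this chart. The template is also keyed off the chart-wide `serviceAccount.create`, so it presumably creates a second ServiceAccount next to the one the NetBox pods use; a dedicated `redis.serviceAccount.create` toggle would keep the two independent. The default `serviceAccount.automountServiceAccountToken: false` carried into this object is the right choice for a redis pod that never talks to the API server.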
@@ -909,3 +909,32 @@ worker: # - name: init-myservice # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + +tls: + ## @param tls.enabled Enable TLS support for radsec traffic + ## + enabled: true + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: true + autoGenerator: + certManager: + enabled: false + issuerKind: ClusterIssuer + issuerName: selfsigned-issuer + ## @param tls.certificatesSecret Name of the secret that contains the certificates + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## + certCAFilename: "" + + secretName: ~ + existingSecret: "" \ No newline at end of file From e450e1b8a183b5573487ee1a5870d9675999bc77 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Mon, 29 Jan 2024 20:02:04 +0700 Subject: [PATCH 002/110] Update many values --- charts/netbox/values.yaml | 589 ++++++++++++++++++++++++++++++++------ 1 file changed, 496 insertions(+), 93 deletions(-) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 6910308a..fe01ee43 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
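Review bot: `tls.certificatesSecret`, `tls.secretName` and `tls.existingSecret` are three keys for what reads as the same input (the Secret holding the certificates), and nothing in this commit consumes any of them: the diffstat lists only the redis ServiceAccount template and values.yaml. Keeping one key, documented with `@param`, avoids users setting the wrong one and possibly ending up on the `autoGenerated` self-signed path without noticing. `secretName: ~` should be `null` (or removed) to match the other defaults in the file, and `enabled: true` together with `autoGenerated: true` means a fresh install would serve a self-signed certificate by default once a template reads these values; if that is intended it deserves a sentence in the comment.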
@@ -1,14 +1,116 @@ -# Default values for netbox. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" -replicaCount: 1 +## @section Common parameters +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override netbox.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override netbox.fullname +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param hostAliases Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec +## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service +## +enableServiceLinks: true +## @param dnsPolicy DNS Policy for pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. 
+## dnsPolicy: ClusterFirst +dnsPolicy: "" +## @param dnsConfig DNS Configuration pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsConfig: +## options: +## - name: ndots +## value: "4" +dnsConfig: {} +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @section Netbox parameters + +## Netbox image version +## ref: https://hub.docker.com/r/netboxcommunity/netbox/tags +## @param image.registry [default: REGISTRY_NAME] Netbox image registry +## @param image.repository [default: REPOSITORY_NAME/netbox] Netbox image repository +## @skip image.tag Netbox image tag (immutable tags are recommended) +## @param image.digest Netbox image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy Netbox image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug logs should be enabled +## image: + registry: docker.io repository: netboxcommunity/netbox - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. 
tag: "" + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false # You can also use an existing secret for the superuser password and API token # See `existingSecret` for details @@ -30,8 +132,9 @@ skipStartupScripts: true allowedHosts: - '*' -# Include Pod IP in list of allowed hosts by providing it as the 'POD_IP' envvar -# at runtime, which is then used in the configuration.py. +## @param allowedHostsIncludesPodIP +## Include Pod IP in list of allowed hosts by providing it as the 'POD_IP' envvar +## at runtime, which is then used in the configuration.py. allowedHostsIncludesPodIP: true # Specify one or more name and email address tuples representing NetBox 
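Review bot: The new `@param` documentation for `global.imageRegistry`, `global.imagePullSecrets`, `image.digest`, `image.pullSecrets`, `image.debug`, `diagnosticMode` and the other knobs in this hunk describes values that no template in this commit reads: the commit's diffstat shows values.yaml as the only changed file. Until the templates are updated (perhaps in a later patch of this series) these parameters are silent no-ops, and a user who sets `image.digest` or `global.imagePullSecrets` expecting the documented override still gets the plain tag pull. A header comment on each not-yet-consumed block, e.g. `## NOTE: not yet read by the templates`, or deferring the values until the templates land, keeps values.yaml honest. The same applies to the `rbac`, `volumePermissions`, `containerSecurityContext`, probe and `service.ports` blocks in the later hunks of this file.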
@@ -495,88 +598,239 @@ cachingRedis: existingSecretKey: redis-password imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" +## @section RBAC parameter +## Specifies whether a ServiceAccount should be created +## serviceAccount: - # Specifies whether a service account should be created + ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods + ## create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template + ## @param serviceAccount.name Name of the created ServiceAccount + ## If not set and create is true, a name is generated using the fullname template + ## name: "" - # Existing secret name to use for container registry authentication - imagePullSecrets: [] - # Set this to true to automatically mount the token in the containers using this service account + ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod + ## automountServiceAccountToken: false + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} + ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount + ## + extraLabels: {} +## Specifies whether RBAC resources should be created +## +rbac: + ## @param rbac.create Whether to create and use RBAC resources or not + ## + create: false + ## @param rbac.rules Custom RBAC rules + ## Example: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + +## @section Persistence Parameters +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## Storage configuration for media +## persistence: - enabled: true + ## @param persistence.enabled Enable persistence using Persistent Volume Claims ## - ## Existing claim to use - existingClaim: "" - ## Existing claim's subPath to use, 
e.g. "media" (optional) - subPath: "" - ## - ## Persistent Volume Storage Class + enabled: false + ## @param persistence.storageClass Persistent Volume storage class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. + ## (gp2 on AWS, standard on GKE, AWS & OpenStack) + ## storageClass: "" - ## Persistent Volume Selector - ## if enabled, define any Selectors for choosing existing Persistent Volumes here - # selector: - # matchLabel: - # netbox-storage: media - accessMode: ReadWriteOnce - ## - ## Persistant storage size request + ## @param persistence.existingClaim Use a existing PVC which must be created manually before bound + ## + existingClaim: "" + ## @param persistence.subPath Existing claim's subPath to use, e.g. "media" (optional) + ## + subPath: "" + ## @param persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param persistence.accessModes [array] Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size Persistent Volume size + ## size: 1Gi + ## @param persistence.selector Selector to match an existing Persistent Volume for Ingester's data PVC + ## If set, the PVC can't have a PV dynamically provisioned for it + ## E.g. 
+ ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} +## 'volumePermissions' init container parameters +## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values +## based on the podSecurityContext/containerSecurityContext parameters +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` + ## + enabled: false + ## OS Shell + Utility image + ## ref: https://hub.docker.com/r/bitnami/os-shell/tags/ + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository + ## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy + ## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 11-debian-11-r95 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param volumePermissions.resources.limits The resources limits for the init container + ## @param volumePermissions.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + ## Init container Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param volumePermissions.securityContext.runAsUser Set init container's Security Context runAsUser + ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the + ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) + ## + securityContext: + seLinuxOptions: null + runAsUser: 0 ## Storage configuration for reports +## reportsPersistence: + ## @param reportsPersistence.enabled Enable reportsPersistence using Persistent Volume Claims + ## enabled: false + ## @param reportsPersistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. 
+ ## (gp2 on AWS, standard on GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param reportsPersistence.existingClaim Use a existing PVC which must be created manually before bound ## - ## Existing claim to use existingClaim: "" - ## Existing claim's subPath to use, e.g. "media" (optional) + ## @param reportsPersistence.subPath Existing claim's subPath to use, e.g. "media" (optional) + ## subPath: "" + ## @param reportsPersistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param reportsPersistence.accessModes [array] Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param reportsPersistence.size Persistent Volume size ## - ## Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - storageClass: "" - ## Persistent Volume Selector - ## if enabled, define any Selectors for choosing existing Persistent Volumes here - # selector: - # matchLabel: - # netbox-storage: reports - accessMode: ReadWriteOnce - ## - ## Persistant storage size request size: 1Gi - -commonLabels: {} - -commonAnnotations: {} + ## @param reportsPersistence.selector Selector to match an existing Persistent Volume for Ingester's data PVC + ## If set, the PVC can't have a PV dynamically provisioned for it + ## E.g. 
+ ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} podAnnotations: {} podLabels: {} +## @section Netbox deployment parameters + +## @param replicaCount Number of Netbox replicas to deploy +## +replicaCount: 1 +## @param revisionHistoryLimitCount Number of controller revisions to keep +## +revisionHistoryLimitCount: 10 +## @param containerPorts.http Netbox HTTP container port +## @param containerPorts.https Netbox HTTPS container port +## +containerPorts: + http: 8080 + https: 8443 +## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Netbox container +## +extraContainerPorts: [] + +## Netbox pods' SecurityContext +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled Netbox pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set Netbox pod's Security Context fsGroup +## podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1000 runAsNonRoot: true # runAsUser: 1000 # runAsGroup: 1000 - +## Netbox containers' Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context 
privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: false + seLinuxOptions: null + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" securityContext: capabilities: drop: 
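Review bot: `persistence.accessMode: ReadWriteOnce` is replaced by an `accessModes` list (and likewise under `reportsPersistence`) while no PVC template is touched in this commit, so a template still reading `.Values.persistence.accessMode` renders an empty access mode; the `scripts.yaml` PVC added later in this series reads the singular `accessMode`, which suggests the media and reports templates do too. `persistence.enabled` also flips from `true` to `false`, which silently drops the media volume for anyone upgrading with default values and should be called out in the changelog. Finally the hunk introduces `containerSecurityContext` (readOnlyRootFilesystem, `drop: ["ALL"]`, `RuntimeDefault` seccomp) with `enabled: false` next to the existing `securityContext` block that the templates presumably still consume, so the hardened profile is documented but inert; either wire it in and remove the old block, or mark it as not yet used so the two do not drift apart.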
@@ -585,24 +839,138 @@ securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 +## Netbox resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## @param resources.limits The resources limits for the Netbox containers +## @param resources.requests The requested resources for the Netbox containers +## +resources: + limits: {} + requests: {} +## Configure extra options for Netbox containers' liveness, readiness and startup probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## @param livenessProbe.enabled Enable livenessProbe on Netbox containers +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: false + initialDelaySeconds: 300 + periodSeconds: 1 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 +## @param readinessProbe.enabled Enable readinessProbe on Netbox containers +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 +## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe +## @param 
startupProbe.enabled Enable startupProbe on Netbox containers +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 60 + successThreshold: 1 + +## @section Exposure parameters +## +## Service configuration +## service: - annotations: {} - # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: - # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: http + ## @param service.type Kubernetes service type + ## type: ClusterIP + ## @param service.http.enabled Enable http port on service + ## + http: + enabled: true + ## @param service.ports.http Netbox service HTTP port + ## @param service.ports.https Netbox service HTTPS port + ## + ports: + http: 80 + https: 443 + ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + http: "" + https: "" + ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param service.clusterIP Keycloak service clusterIP IP + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## Example: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.annotations Additional custom annotations for Keycloak service + ## Example: + ## annotations: + ## service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http + ## service.beta.kubernetes.io/aws-load-balancer-ssl-cert: + ## service.beta.kubernetes.io/aws-load-balancer-ssl-ports: http + ## + annotations: {} + ## @param service.extraPorts Extra port to expose on Keycloak service + ## + extraPorts: [] + + port: 80 nodePort: "" - clusterIP: "" clusterIPs: [] externalIPs: [] - 
externalTrafficPolicy: "" ipFamilyPolicy: "" - loadBalancerIP: "" - loadBalancerSourceRanges: [] - # - 10.0.0.0/8 +## Netbox ingress parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## ingress: enabled: false className: "" @@ -634,18 +1002,6 @@ ingress: # Set this to true to automatically mount the service account token in the main container automountServiceAccountToken: false -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - topologySpreadConstraints: [] # - maxSkew: 1 # topologyKey: topology.kubernetes.io/zone @@ -655,13 +1011,18 @@ topologySpreadConstraints: [] # "app.kubernetes.io/component": netbox # "app.kubernetes.io/name": netbox -readinessProbe: - enabled: true - initialDelaySeconds: 0 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 +## @param initContainers Add additional init containers to the Netbox pods +## Example: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +initContainers: [] init: image: repository: busybox @@ -678,6 +1039,17 @@ init: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 # Keep the same as securityContext.runAsGroup +## @param sidecars Add additional sidecar containers to the Keycloak pods +## Example: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: [] test: image: 
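Review bot: The `service` block now carries both `port: 80`/`nodePort: ""` and `ports.http: 80`/`nodePorts.http: ""`, and `service.http.enabled` is introduced beside `ports.https: 443`; which shape the Service template reads is not visible here, but with only values.yaml changed in this commit the old keys are the ones in effect and the new `@param`-documented ones are inert. Pick one shape and delete the other so users do not set `service.ports.http` and wonder why nothing changes. Several new descriptions are copy-paste residue from other charts — `service.clusterIP Keycloak service clusterIP IP`, `loadBalancerIP for the SuiteCRM Service`, `annotations for Keycloak service`, `extraPorts ... on Keycloak service`, and `sidecars ... to the Keycloak pods` in the `@@ -678,6 +1039,17 @@` hunk — and should name Netbox. `livenessProbe.periodSeconds: 1` with `initialDelaySeconds: 300` is also an odd default: one probe per second is far more aggressive than the readiness probe's 10 seconds, and `periodSeconds: 10` would be consistent.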
@@ -698,8 +1070,6 @@ nodeSelector: {} tolerations: [] -hostAliases: [] - updateStrategy: {} # type: RollingUpdate @@ -821,8 +1191,9 @@ housekeeping: # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] -# Worker for Netbox -# Only required for Netbox Jobs, e.g. Webhooks +## @param worker Worker for Netbox +## Only required for Netbox Jobs, e.g. Webhooks +## worker: enabled: true @@ -910,11 +1281,12 @@ worker: # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - +## HTTPS settings +## tls: - ## @param tls.enabled Enable TLS support for radsec traffic + ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic. ## - enabled: true + enabled: false ## @param tls.autoGenerated Generate automatically self-signed TLS certificates ## autoGenerated: true @@ -937,4 +1309,35 @@ tls: certCAFilename: "" secretName: ~ - existingSecret: "" \ No newline at end of file + ## @param tls.existingSecret Existing secret containing the TLS certificates per Netbox replica + ## + existingSecret: "" + ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores + ## If "true", the Netbox chart will look for the files netbox.key and netbox.crt inside the secret provided with 'existingSecret'. + ## + usePem: false + +gateway: + enabled: false + dedicated: false + gatewayApi: + create: false + name: "" + namespace: "" + gatewayClassName: istio + ## @param gateway.listeners + ## + listeners: [] + # - name: http + # port: 80 + # protocol: HTTP + # - name: https + # port: 443 + # protocol: HTTPS + existingGateway: ~ + existingVirtualService: ~ + ## @param gateway.extraRoute Array of extra Kubernetes Gateway API Route to deploy with the release + ## + extraRoute: [] + +organization: Startechnica \ No newline at end of file From 7b9b03a175944d838bc95b26db2a58860b7c6c70 Mon Sep 17 00:00:00 2001 
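Review bot: `tls.usePem` is documented as "Use PEM certificates as input instead of PKS12/JKS stores", but PKCS#12 and JKS are Java keystore formats that appear to come from the chart this stanza was copied from, and nothing in this values file suggests Netbox consumes keystores; either drop `usePem` or reword it to describe the real input, e.g. `## @param tls.usePem Mount the certificates from 'existingSecret' as PEM files (netbox.key, netbox.crt)`, fixing the PKS12 typo on the way. With `existingSecret`, `certificatesSecret` and `secretName: ~` all still present, the `tls` block has three ways to name the same Secret; keep one. The new `gateway` block defaults `gatewayClassName: istio` and leaves `existingGateway: ~`/`existingVirtualService: ~` and `gatewayApi.*` without `@param` docs, and `organization: Startechnica` is appended with no comment at all — a one-line `## @param` on each, and `null` instead of `~`, would match the rest of the file.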
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Mon, 29 Jan 2024 20:04:38 +0700 Subject: [PATCH 003/110] Bump version to 5.0.1 --- charts/netbox/Chart.yaml | 4 ++-- charts/netbox/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml index 2640e646..6d32c086 100644 --- a/charts/netbox/Chart.yaml +++ b/charts/netbox/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: netbox -version: 5.0.0 -appVersion: v3.6.4 +version: 5.0.1 +appVersion: v3.7.1 kubeVersion: ">=1.25.0" description: IP address management (IPAM) and data center infrastructure management (DCIM) tool home: https://github.com/bootc/netbox-chart diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index fe01ee43..539eb55d 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -93,7 +93,7 @@ diagnosticMode: image: registry: docker.io repository: netboxcommunity/netbox - tag: "" + tag: "v3.7.1-2.8.0" digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' From 07d007eaef790779e6bd1dc228e4ae39375bfafa Mon Sep 17 00:00:00 2001 
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 10:41:50 +0700 Subject: [PATCH 004/110] Add scriptsPersistence --- charts/netbox/README.md | 7 +- .../media.yaml} | 0 .../reports.yaml} | 0 .../PersistentVolumeClaim/scripts.yaml | 29 ++ .../Deployment.yaml} | 0 .../HorizontalPodAutoscaler.yaml} | 0 charts/netbox/values.yaml | 249 +++++++++++++----- 7 files changed, 213 insertions(+), 72 deletions(-) rename charts/netbox/templates/{pvc-media.yaml => PersistentVolumeClaim/media.yaml} (100%) rename charts/netbox/templates/{pvc-reports.yaml => PersistentVolumeClaim/reports.yaml} (100%) create mode 100644 charts/netbox/templates/PersistentVolumeClaim/scripts.yaml rename charts/netbox/templates/{worker-deployment.yaml => worker/Deployment.yaml} (100%) rename charts/netbox/templates/{worker-hpa.yaml => worker/HorizontalPodAutoscaler.yaml} (100%) diff --git a/charts/netbox/README.md b/charts/netbox/README.md index d4aec5e7..5cd50d3b 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md @@ -5,6 +5,9 @@ data center infrastructure management (DCIM) tool. Forked from [bootc/netbox-chart](https://github.com/bootc/netbox-chart) +**Note:** This repository was forked from [bootc/netbox-chart](https://github.com/bootc/netbox-chart) at versions +v5.0.0 and up are from this fork and will have diverged from any changes in the original fork. A list of changes can be seen in the CHANGELOG. + **This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/startechnica/apps/issues/new/choose)** ## TL;DR 
@@ -57,7 +60,9 @@ with Sentinel (e.g. using [Aaron Layfield](https://github.com/DandyDeveloper)'s [redis-ha chart](https://github.com/DandyDeveloper/charts/tree/master/charts/redis-ha)). Set `persistence.enabled` to `false` and use the S3 `storageBackend` for object -storage. This works well with Minio or Ceph RGW as well as Amazon S3. See [Using extraConfig for S3 storage configuration](#using-extraconfig-for-s3-storage-configuration) and [Persistent storage pitfalls](#persistent-storage-pitfalls), below. +storage. This works well with Minio or Ceph RGW as well as Amazon S3. See +[Using extraConfig for S3 storage configuration](#using-extraconfig-for-s3-storage-configuration) and +[Persistent storage pitfalls](#persistent-storage-pitfalls), below. Run multiple replicas of the NetBox web front-end to avoid interruptions during upgrades or at other times when the pods need to be restarted. There's no need diff --git a/charts/netbox/templates/pvc-media.yaml b/charts/netbox/templates/PersistentVolumeClaim/media.yaml similarity index 100% rename from charts/netbox/templates/pvc-media.yaml rename to charts/netbox/templates/PersistentVolumeClaim/media.yaml diff --git a/charts/netbox/templates/pvc-reports.yaml b/charts/netbox/templates/PersistentVolumeClaim/reports.yaml similarity index 100% rename from charts/netbox/templates/pvc-reports.yaml rename to charts/netbox/templates/PersistentVolumeClaim/reports.yaml diff --git a/charts/netbox/templates/PersistentVolumeClaim/scripts.yaml b/charts/netbox/templates/PersistentVolumeClaim/scripts.yaml new file mode 100644 index 00000000..518b81ea --- /dev/null +++ b/charts/netbox/templates/PersistentVolumeClaim/scripts.yaml 
@@ -0,0 +1,29 @@ +{{- if and .Values.scriptsPersistence.enabled (not .Values.scriptsPersistence.existingClaim) -}} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ include "netbox.fullname" . }}-scripts + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "netbox.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.scriptsPersistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.scriptsPersistence.size | quote }} + {{- if .Values.scriptsPersistence.storageClass }} + {{- if (eq "-" .Values.scriptsPersistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: {{ .Values.scriptsPersistence.storageClass | quote }} + {{- end }} + {{- end }} + {{- with .Values.scriptsPersistence.selector }} + selector: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/netbox/templates/worker-deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml similarity index 100% rename from charts/netbox/templates/worker-deployment.yaml rename to charts/netbox/templates/worker/Deployment.yaml diff --git a/charts/netbox/templates/worker-hpa.yaml b/charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml similarity index 100% rename from charts/netbox/templates/worker-hpa.yaml rename to charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 539eb55d..ec95dbe4 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
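Review bot: The new PVC reads `.Values.scriptsPersistence.accessMode` (a singular scalar) for the `accessModes:` item, but the values.yaml hunk in this same commit defines `scriptsPersistence.accessModes` as a list, so with stock values the item renders empty and the claim is rejected by the API server. Render the list instead, e.g. `accessModes: {{- toYaml .Values.scriptsPersistence.accessModes | nindent 4 }}`, or define the singular key in values.yaml so the two agree. The template also renders only `commonAnnotations` and ignores the `scriptsPersistence.annotations` map the values hunk introduces; merging both maps into the `annotations:` block would make that parameter effective. The renamed media/reports PVC templates are not shown here, so whether they carry the same key mismatch cannot be judged from this page.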
@@ -526,76 +526,7 @@ overrideUnitConfig: {} # # access_log: /dev/stdout -postgresql: - ## Deploy PostgreSQL using bundled chart - # To use an external database, set this to false and configure the settings - # under externalDatabase - enabled: true - - auth: - username: netbox - database: netbox -## External database settings -# These are used if postgresql.enabled is false, and are ignored otherwise -externalDatabase: - host: localhost - port: 5432 - database: netbox - username: netbox - password: "" - existingSecretName: "" - existingSecretKey: postgresql-password - - # The following settings also apply when using the bundled PostgreSQL chart: - sslMode: prefer - connMaxAge: 300 - disableServerSideCursors: false - targetSessionAttrs: read-write - -redis: - ## Deploy Redis using bundled chart - # To use an external Redis instance, set this to false and configure the - # settings under *both* tasksRedis *and* cachingRedis - enabled: true - -tasksRedis: - database: 0 - ssl: false - insecureSkipTlsVerify: false - caCertPath: "" - - # Used only when redis.enabled is false. host and port are not used if - # sentinels are given. - host: netbox-redis - port: 6379 - sentinels: [] - # - mysentinel:26379 - sentinelService: netbox-redis - sentinelTimeout: 300 - username: "" - password: "" - existingSecretName: "" - existingSecretKey: redis-password - -cachingRedis: - database: 1 - ssl: false - insecureSkipTlsVerify: false - caCertPath: "" - - # Used only when redis.enabled is false. host and port are not used if - # sentinels are given. - host: netbox-redis - port: 6379 - sentinels: [] - # - mysentinel:26379 - sentinelService: netbox-redis - sentinelTimeout: 300 - username: "" - password: "" - existingSecretName: "" - existingSecretKey: redis-password imagePullSecrets: [] 
@@ -767,6 +698,44 @@ reportsPersistence: ## selector: {} +## Storage configuration for scripts +## +scriptsPersistence: + ## @param scriptsPersistence.enabled Enable scriptsPersistence using Persistent Volume Claims + ## + enabled: false + ## @param scriptsPersistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. + ## (gp2 on AWS, standard on GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param scriptsPersistence.existingClaim Use a existing PVC which must be created manually before bound + ## + existingClaim: "" + ## @param scriptsPersistence.subPath Existing claim's subPath to use, e.g. "media" (optional) + ## + subPath: "" + ## @param scriptsPersistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param scriptsPersistence.accessModes [array] Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param scriptsPersistence.size Persistent Volume size + ## + size: 1Gi + ## @param scriptsPersistence.selector Selector to match an existing Persistent Volume for Ingester's data PVC + ## If set, the PVC can't have a PV dynamically provisioned for it + ## E.g. + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + podAnnotations: {} podLabels: {} 
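Review bot: Several of the new `scriptsPersistence` descriptions are copied from another parameter block and do not match this key: `subPath` says `e.g. "media"` and `selector` says `for Ingester's data PVC`; suggest `## @param scriptsPersistence.subPath Existing claim's subPath to use, e.g. "scripts" (optional)` and `## @param scriptsPersistence.selector Selector to match an existing Persistent Volume for the scripts PVC`. The `annotations: {}` map added here is not read by the PersistentVolumeClaim/scripts.yaml template in this commit, which only renders `commonAnnotations`, so either wire it in or drop the parameter. Note also that `accessModes` is a list here while that template reads the singular `accessMode`.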
@@ -1191,12 +1160,46 @@ housekeeping: # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] -## @param worker Worker for Netbox +## @section Netbox worker parameters + ## Only required for Netbox Jobs, e.g. Webhooks ## worker: + ## @param worker.enabled Whether to enable Netbox worker job + ## enabled: true - + ## Netbox worker image version + ## ref: https://hub.docker.com/r/netboxcommunity/netbox/tags + ## @param image.registry [default: REGISTRY_NAME] Netbox worker image registry + ## @param image.repository [default: REPOSITORY_NAME/netbox] Netbox worker image repository + ## @skip image.tag Netbox worker image tag (immutable tags are recommended) + ## @param image.digest Netbox worker image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param image.pullPolicy Netbox worker image pull policy + ## @param image.pullSecrets Specify docker-registry secret names as an array + ## @param image.debug Specify if debug logs should be enabled + ## + image: + registry: docker.io + repository: netboxcommunity/netbox + tag: "v3.7.1-2.8.0" + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false + replicaCount: 1 podAnnotations: {} 
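Review bot: The `@param` tags for the new worker image block are written as `image.registry`, `image.repository`, `image.pullPolicy` and so on, but the keys live under `worker:`, so a README generator would file them under the server's image parameters; they should read `## @param worker.image.registry [default: REGISTRY_NAME] Netbox worker image registry` and likewise for the other six. The pinned tag `"v3.7.1-2.8.0"` duplicates whatever the server image pins, so the two can drift silently; a comment stating that the worker must run the same NetBox version as the server would help operators. As far as this page shows nothing consumes `worker.image` yet: the worker/Deployment.yaml hunk later in the series still builds `image:` from `.Values.image.repository` and `.Values.image.tag`.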
@@ -1317,6 +1320,110 @@ tls: ## usePem: false +## @section Database parameters + +## PostgreSQL chart configuration +## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml +## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart +## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided +## @param postgresql.auth.username Name for a custom user to create +## @param postgresql.auth.password Password for the custom user to create +## @param postgresql.auth.database Name for a custom database to create +## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials +## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) +## +postgresql: + enabled: true + auth: + postgresPassword: "" + username: netbox + password: "" + database: netbox + existingSecret: "" + architecture: standalone + +## External PostgreSQL configuration +## All of these values are only used when postgresql.enabled is set to false +## @param externalDatabase.host Database host +## @param externalDatabase.port Database port number +## @param externalDatabase.user Non-root username for Keycloak +## @param externalDatabase.password Password for the non-root username for Keycloak +## @param externalDatabase.database Keycloak database name +## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials +## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name +## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port +## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user +## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the 
database name +## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials +## @param externalDatabase.annotations Additional custom annotations for external database secret object +## +externalDatabase: + host: localhost + port: 5432 + database: netbox + username: netbox + password: "" + existingSecretName: "" + existingSecretKey: postgresql-password + + # The following settings also apply when using the bundled PostgreSQL chart: + sslMode: prefer + connMaxAge: 300 + disableServerSideCursors: false + targetSessionAttrs: read-write + + existingSecret: "" + existingSecretHostKey: "" + existingSecretPortKey: "" + existingSecretUserKey: "" + existingSecretDatabaseKey: "" + existingSecretPasswordKey: "" + annotations: {} + +redis: + ## Deploy Redis using bundled chart + # To use an external Redis instance, set this to false and configure the + # settings under *both* tasksRedis *and* cachingRedis + enabled: true + +tasksRedis: + database: 0 + ssl: false + insecureSkipTlsVerify: false + caCertPath: "" + + # Used only when redis.enabled is false. host and port are not used if + # sentinels are given. + host: netbox-redis + port: 6379 + sentinels: [] + # - mysentinel:26379 + sentinelService: netbox-redis + sentinelTimeout: 300 + username: "" + password: "" + existingSecretName: "" + existingSecretKey: redis-password + +cachingRedis: + database: 1 + ssl: false + insecureSkipTlsVerify: false + caCertPath: "" + + # Used only when redis.enabled is false. host and port are not used if + # sentinels are given. + host: netbox-redis + port: 6379 + sentinels: [] + # - mysentinel:26379 + sentinelService: netbox-redis + sentinelTimeout: 300 + username: "" + password: "" + existingSecretName: "" + existingSecretKey: redis-password + gateway: enabled: false dedicated: false From b9c8422a476201abe77a03bb87b0383e62ad497e Mon Sep 17 00:00:00 2001 
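Review bot: The `externalDatabase` parameter docs describe a different chart: `externalDatabase.user` and the three Keycloak mentions do not match the keys actually defined (`username`, and a NetBox database), so the `@param` lines for `user`, `password` and `database` should name the `username` key and say NetBox. The block now carries two overlapping secret mechanisms, the pre-existing `existingSecretName`/`existingSecretKey` pair and the new `existingSecret`/`existingSecret*Key` set, with no statement of which one the templates read or which wins when both are set; a comment on one of them, or removing the duplicate, avoids operators placing the credential in a key that is never consumed. `sslMode: prefer` lets the client fall back to a plaintext connection when the server does not offer TLS; if this value is passed through unchanged, the comment above it could note that `require` or `verify-full` is needed to guarantee an encrypted connection.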
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 13:42:10 +0700 Subject: [PATCH 005/110] Add pdb and autoscaling --- charts/netbox/Chart.yaml | 2 +- charts/netbox/README.md | 8 ++ charts/netbox/templates/PrometheusRule.yaml | 17 +++ charts/netbox/templates/Role.yaml | 23 ++++ charts/netbox/templates/RoleBinding.yaml | 20 +++ charts/netbox/templates/_helpers.tpl | 32 ++++- charts/netbox/templates/deployment.yaml | 35 +++-- charts/netbox/templates/servicemonitor.yaml | 2 +- .../netbox/templates/worker/Deployment.yaml | 47 ++++--- .../worker/HorizontalPodAutoscaler.yaml | 2 +- .../templates/worker/PodDisruptionBudget.yaml | 25 ++++ charts/netbox/templates/worker/Service.yaml | 66 +++++++++ .../templates/worker/ServiceMonitor.yaml | 49 +++++++ charts/netbox/values.yaml | 130 ++++++++++++++++-- 14 files changed, 414 insertions(+), 44 deletions(-) create mode 100644 charts/netbox/templates/PrometheusRule.yaml create mode 100644 charts/netbox/templates/Role.yaml create mode 100644 charts/netbox/templates/RoleBinding.yaml create mode 100644 charts/netbox/templates/worker/PodDisruptionBudget.yaml create mode 100644 charts/netbox/templates/worker/Service.yaml create mode 100644 charts/netbox/templates/worker/ServiceMonitor.yaml diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml index 6d32c086..c2301141 100644 --- a/charts/netbox/Chart.yaml +++ b/charts/netbox/Chart.yaml @@ -30,5 +30,5 @@ dependencies: alias: bitnami-common - name: st-common repository: https://startechnica.github.io/apps - version: "*" + version: 1.x.x alias: startechnica-common \ No newline at end of file diff --git a/charts/netbox/README.md b/charts/netbox/README.md index 5cd50d3b..70f71d1d 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md 
@@ -92,6 +92,14 @@ $ helm delete netbox --namespace netbox The command removes all the Kubernetes components associated with the chart and deletes the release. +## Breaking Changes + + * The `worker.autoscaling.targetCPUUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetCPU`. + * The `worker.autoscaling.targetMemoryUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetMemory`. + * The `serviceMonitor` setting has been renamed to `metrics.serviceMonitor`. + * The `metricsEnabled` setting has been renamed to `metrics.enabled`. + * The `serviceMonitor` setting has been renamed to `metrics.serviceMonitor`. + ## Upgrading ### Bundled PostgreSQL diff --git a/charts/netbox/templates/PrometheusRule.yaml b/charts/netbox/templates/PrometheusRule.yaml new file mode 100644 index 00000000..18935ed1 --- /dev/null +++ b/charts/netbox/templates/PrometheusRule.yaml 
@@ -0,0 +1,17 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled .Values.metrics.prometheusRule.groups}} +{{- if not (eq (include "common.capabilities.coreosMonitoring.apiVersion" .) "false") }} +apiVersion: {{ include "common.capabilities.coreosMonitoring.apiVersion" . }} +kind: PrometheusRule +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.prometheusRule.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.groups "context" .) | nindent 4 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/netbox/templates/Role.yaml b/charts/netbox/templates/Role.yaml new file mode 100644 index 00000000..98caaa47 --- /dev/null +++ b/charts/netbox/templates/Role.yaml 
@@ -0,0 +1,23 @@ +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + {{- if .Values.rbac.rules }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} + {{- end }} + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +{{- end }} \ No newline at end of file diff --git a/charts/netbox/templates/RoleBinding.yaml b/charts/netbox/templates/RoleBinding.yaml new file mode 100644 index 00000000..4737928f --- /dev/null +++ b/charts/netbox/templates/RoleBinding.yaml 
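Review bot: The Role grants `get`/`list` on `pods` to every release whenever `rbac.create` is true, in addition to whatever `rbac.rules` supplies, and nothing on this page shows a NetBox component that reads pods. If no template needs it, drop the hard-coded rule and let `rbac.rules` carry any extra permissions; if something does need it, a comment above the rule naming the consumer keeps the grant reviewable, e.g. `# pods get/list required by: <component, TODO name it>`. The rendered list is built from the `nindent 2` output of `rbac.rules` followed by a literal `- apiGroups:` item, so `rbac.rules` must itself be a list of rule maps for the YAML to stay valid; the parameter's documentation (not on this page) should say so.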
@@ -0,0 +1,20 @@ +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "common.names.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "netbox.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index a6a28a58..6e83f09b 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -6,6 +6,20 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} +{{/* +Return the proper Netbox worker fullname +*/}} +{{- define "netbox.worker.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "worker" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper Netbox housekeeping fullname +*/}} +{{- define "netbox.housekeeping.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "housekeeping" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
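Review bot: The new `netbox.worker.fullname` and `netbox.housekeeping.fullname` helpers in the _helpers.tpl hunk derive from `common.names.fullname`, while the RoleBinding subject in the preceding hunk (`netbox.serviceAccountName`) and the PVC `claimName` values elsewhere in this series derive from `netbox.fullname`; if the two fullname helpers ever resolve differently, for instance through override handling, the worker's resources and the shared resources will carry inconsistent prefixes. Pick one base helper for the chart, or make `netbox.fullname` delegate to `common.names.fullname` so the choice no longer matters.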
@@ -24,6 +38,20 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- end }} +{{/* +Return the proper Netbox image name +*/}} +{{- define "netbox.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Netbox worker image name +*/}} +{{- define "netbox.worker.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.worker.image "global" .Values.global) }} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} @@ -57,9 +85,9 @@ Create the name of the service account to use */}} {{- define "netbox.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} -{{- default (include "netbox.fullname" .) .Values.serviceAccount.name }} + {{- default (include "netbox.fullname" .) .Values.serviceAccount.name }} {{- else }} -{{- default "default" .Values.serviceAccount.name }} + {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 8c8a8f3d..f5ffdbe5 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -1,4 +1,4 @@ -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "netbox.fullname" . }} 
@@ -6,17 +6,20 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} - labels: - {{- include "netbox.labels" . | nindent 4 }} - app.kubernetes.io/component: netbox + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox spec: {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} selector: - matchLabels: - {{- include "netbox.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: netbox + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox {{ if .Values.updateStrategy -}} strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} @@ -31,9 +34,9 @@ spec: {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} - labels: - {{- include "netbox.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: netbox + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox {{- with .Values.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} 
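Review bot: `spec.selector.matchLabels` of the existing Deployment changes in this hunk (`app.kubernetes.io/component` goes from `netbox` to `server`, and the label set now comes from `common.labels.matchLabels` instead of `netbox.selectorLabels`), and `spec.selector` is immutable on apps/v1 Deployments, so `helm upgrade` on an installed release fails until the Deployment is deleted; the worker Deployment hunk later on this page swaps the same helper and should be checked the same way. This is not listed under the README's Breaking Changes and should be, together with the recreate step operators need. In the second hunk, `.Values.podLabels` is now merged into `$podLabels` and rendered through `common.labels.standard`, yet the context lines still append `{{- with .Values.podLabels }}` / `{{- toYaml . | nindent 8 }}` below it, so any user-set pod label is emitted twice as a duplicate mapping key; drop the `with` block.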
@@ -67,7 +70,7 @@ spec: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: {{ template "netbox.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: SUPERUSER_NAME @@ -141,6 +144,11 @@ spec: mountPath: /opt/netbox/netbox/reports subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} - name: optunit mountPath: /opt/unit - name: secrets @@ -219,6 +227,11 @@ spec: persistentVolumeClaim: claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} diff --git a/charts/netbox/templates/servicemonitor.yaml b/charts/netbox/templates/servicemonitor.yaml index 2ef598e0..f25f93e3 100644 --- a/charts/netbox/templates/servicemonitor.yaml +++ b/charts/netbox/templates/servicemonitor.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.metricsEnabled .Values.serviceMonitor.enabled -}} +{{- if and (or .Values.metrics.enabled .Values.metricsEnabled) (or .Values.metrics.serviceMonitor.enabled .Values.serviceMonitor.enabled) }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 2aaee981..88341084 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml 
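Review bot: The new guard in servicemonitor.yaml evaluates `.Values.serviceMonitor.enabled`, but the values.yaml hunk at the end of this commit deletes the `serviceMonitor:` block, so on a stock install `.Values.serviceMonitor` is nil and Helm aborts the render with a nil-pointer error instead of treating the legacy key as unset. Make the legacy lookup nil-safe, e.g. `{{- $legacy := default (dict) .Values.serviceMonitor }}` followed by `{{- if and (or .Values.metrics.enabled .Values.metricsEnabled) (or .Values.metrics.serviceMonitor.enabled $legacy.enabled) }}`, or drop the compatibility branch entirely since the README's Breaking Changes already announces the rename. The same dependency exists for every `.Values.metrics.*` lookup in the new PrometheusRule and worker ServiceMonitor templates: none of the values.yaml hunks on this page add a `metrics:` block, so if it is not added elsewhere in the commit those templates fail the same way.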
@@ -1,23 +1,25 @@ {{- if .Values.worker.enabled }} -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: - name: {{ include "netbox.fullname" . }}-worker - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "netbox.labels" . | nindent 4 }} + name: {{ template "netbox.worker.fullname" . }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.worker.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: worker + app.kubernetes.io/part-of: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: - {{- if not .Values.worker.autoscaling.enabled }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.worker.replicaCount }} {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.worker.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} selector: - matchLabels: - {{- include "netbox.selectorLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: worker + app.kubernetes.io/part-of: netbox {{ if .Values.worker.updateStrategy -}} strategy: {{- toYaml .Values.worker.updateStrategy | nindent 4 }} 
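Review bot: The replicas guard changes from `.Values.worker.autoscaling.enabled` to `.Values.autoscaling.enabled`, so the worker's replica count is now controlled by the server's autoscaling flag: with server autoscaling on and worker autoscaling off, `worker.replicaCount` is ignored, and with the reverse setting Helm keeps writing `replicas` under an HPA that is scaling the worker. Restore `{{- if not .Values.worker.autoscaling.enabled }}`, matching the worker HorizontalPodAutoscaler this commit keeps. The `$versionLabel` built from `worker.image` is reasonable, but until the container `image:` line actually uses `worker.image` (see the containers hunk later in this file) the label advertises a version the pod may not be running.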
@@ -29,15 +31,12 @@ spec: {{- if (not .Values.existingSecret) }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- end }} - {{- with .Values.worker.podAnnotations }} - {{- toYaml . | nindent 8 }} + {{- if .Values.worker.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.worker.podAnnotations "context" $) | nindent 8 }} {{- end }} - labels: - {{- include "netbox.selectorLabels" . | nindent 8 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} app.kubernetes.io/component: worker - {{- with .Values.worker.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} + app.kubernetes.io/part-of: netbox spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -52,7 +51,7 @@ spec: {{- toYaml . | nindent 6 }} {{- end }} containers: - - name: {{ .Chart.Name }}-worker + - name: {{ template "netbox.worker.image" . }} securityContext: {{- toYaml .Values.worker.securityContext | nindent 10 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -93,6 +92,11 @@ spec: mountPath: /opt/netbox/netbox/reports subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} {{- with .Values.worker.extraVolumeMounts }} {{- toYaml . | nindent 8 }} {{- end }} 
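Review bot: In the containers hunk the container `name` is set to `{{ template "netbox.worker.image" . }}`, which expands to a full image reference such as `registry/repo:tag`; `/`, `:` and `.` are not allowed in a container name (it must be a DNS-1123 label), so the pod spec is rejected, while the `image:` line two rows below still reads `.Values.image.repository`/`.Values.image.tag` and never uses the worker image values. The two lines look swapped; the intended form is probably `- name: worker` and `image: {{ template "netbox.worker.image" . }}`, with `imagePullPolicy: {{ .Values.worker.image.pullPolicy }}` if the worker is to honour its own pull policy.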
@@ -153,6 +157,11 @@ spec: persistentVolumeClaim: claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- end }} {{- with .Values.worker.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} diff --git a/charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml b/charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml index 665ebcee..d9977a7a 100644 --- a/charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml +++ b/charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml @@ -2,7 +2,7 @@ apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: {{ include "netbox.fullname" . }}-worker + name: {{ template "netbox.worker.fullname" . }} {{- with .Values.commonAnnotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/netbox/templates/worker/PodDisruptionBudget.yaml b/charts/netbox/templates/worker/PodDisruptionBudget.yaml new file mode 100644 index 00000000..fe4e2f74 --- /dev/null +++ b/charts/netbox/templates/worker/PodDisruptionBudget.yaml 
@@ -0,0 +1,25 @@ +{{- if and .Values.worker.enabled .Values.worker.podDisruptionBudget.enabled }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "netbox.worker.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: worker + app.kubernetes.io/part-of: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.worker.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.worker.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.worker.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.worker.podDisruptionBudget.maxUnavailable }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.worker.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: worker + app.kubernetes.io/part-of: netbox +{{- end }} \ No newline at end of file diff --git a/charts/netbox/templates/worker/Service.yaml b/charts/netbox/templates/worker/Service.yaml new file mode 100644 index 00000000..01ac2283 --- /dev/null +++ b/charts/netbox/templates/worker/Service.yaml 
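Review bot: Both `minAvailable` and `maxUnavailable` can render at once, since each is guarded only by its own truthiness, and the PodDisruptionBudget API rejects a spec that sets both; a value of `0` is also falsy in Go templates, so `maxUnavailable: 0` (a legitimate "never voluntarily evict" budget) silently disappears. Make the two branches mutually exclusive with `if` / `else if`, and test `maxUnavailable` against nil rather than truthiness so `0` survives. The defaults for `worker.podDisruptionBudget` are not in any values.yaml hunk on this page, so whether a stock install renders a valid budget cannot be judged from here.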
@@ -0,0 +1,66 @@ +{{- if .Values.worker.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "netbox.worker.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.worker.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: worker + app.kubernetes.io/part-of: netbox + {{- if or .Values.worker.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.worker.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.worker.service.type }} + {{- if and .Values.worker.service.clusterIP (eq .Values.worker.service.type "ClusterIP") }} + clusterIP: {{ .Values.worker.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.worker.service.type "LoadBalancer") (eq .Values.worker.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.worker.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.worker.service.type "LoadBalancer") (not (empty .Values.worker.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.worker.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.worker.service.type "LoadBalancer") (not (empty .Values.worker.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.worker.service.loadBalancerIP }} + {{- end }} + {{- if .Values.worker.service.sessionAffinity }} + sessionAffinity: {{ .Values.worker.service.sessionAffinity }} + {{- end }} + {{- if 
.Values.worker.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.worker.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + {{- if .Values.worker.service.http.enabled }} + - name: http + port: {{ coalesce .Values.worker.service.ports.http .Values.worker.service.port }} + protocol: TCP + targetPort: http + {{- if (and (or (eq .Values.worker.service.type "NodePort") (eq .Values.worker.service.type "LoadBalancer")) (not (empty .Values.worker.service.nodePorts.http))) }} + nodePort: {{ .Values.worker.service.nodePorts.http }} + {{- else if eq .Values.worker.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: https + port: {{ coalesce .Values.worker.service.ports.https .Values.worker.service.httpsPort }} + protocol: TCP + targetPort: https + {{- if (and (or (eq .Values.worker.service.type "NodePort") (eq .Values.worker.service.type "LoadBalancer")) (not (empty .Values.worker.service.nodePorts.https))) }} + nodePort: {{ .Values.worker.service.nodePorts.https }} + {{- else if eq .Values.worker.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- end }} + {{- if .Values.worker.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.worker.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: worker + app.kubernetes.io/part-of: netbox +{{- end }} \ No newline at end of file diff --git a/charts/netbox/templates/worker/ServiceMonitor.yaml b/charts/netbox/templates/worker/ServiceMonitor.yaml new file mode 100644 index 00000000..4b823b5b --- /dev/null 
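Review bot: `loadBalancerSourceRanges: {{ .Values.worker.service.loadBalancerSourceRanges }}` prints the Go slice with fmt formatting (for example `[10.0.0.0/8 10.1.0.0/16]`), which YAML reads as one flow-sequence item holding a space-separated string, so a LoadBalancer Service either fails validation or is created with a range the operator did not intend; render it as YAML, `loadBalancerSourceRanges: {{- toYaml .Values.worker.service.loadBalancerSourceRanges | nindent 4 }}`. Because this Service can expose the worker outside the cluster through `LoadBalancer` or `NodePort`, the source-range restriction is the main network control on it and deserves a render test. The selector is built from `.Values.podLabels` whereas the worker Deployment's pod labels come from `.Values.worker.podLabels`; if `common.labels.matchLabels` keeps only the name/instance keys, as the bitnami helper does, it still matches today, but using `worker.podLabels` here keeps the two in step.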
+++ b/charts/netbox/templates/worker/ServiceMonitor.yaml 
@@ -0,0 +1,49 @@ +{{- if and (or .Values.metrics.enabled .Values.metricsEnabled) .Values.metrics.serviceMonitor.enabled }} +{{- if not (eq (include "common.capabilities.coreosMonitoring.apiVersion" .) "false") }} +apiVersion: {{ include "common.capabilities.coreosMonitoring.apiVersion" . }} +kind: ServiceMonitor +metadata: + name: {{ template "netbox.worker.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.worker.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: worker + app.kubernetes.io/part-of: netbox + {{- if or .Values.commonAnnotations .Values.metrics.serviceMonitor.annotations }} + {{- $annotations := merge.Values.metrics.serviceMonitor.annotations .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: worker + app.kubernetes.io/part-of: netbox + endpoints: + - port: http + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if 
.Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index ec95dbe4..c008bb6d 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -328,8 +328,7 @@ storageConfig: {} # AWS_S3_ENDPOINT_URL: 'endpoint URL of S3 provider' # AWS_S3_REGION_NAME: 'eu-west-1' -# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics' -metricsEnabled: false + # Determine how many objects to display per page within a list. (Default: 50) paginateCount: 50 @@ -1074,11 +1073,7 @@ extraInitContainers: [] # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] -serviceMonitor: - enabled: false - additionalLabels: {} - interval: 1m - scrapeTimeout: 10s + # Configuration of Cron settings housekeeping: @@ -1199,7 +1194,9 @@ worker: ## Set to true if you would like to see extra information on logs ## debug: false - + + + replicaCount: 1 podAnnotations: {} 
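Review bot: `{{- $annotations := merge.Values.metrics.serviceMonitor.annotations .Values.commonAnnotations }}` in the ServiceMonitor metadata is missing the space after `merge`, so the template engine reads `merge.Values…` as a field chain on a zero-argument `merge` call and rendering will very likely fail as soon as `commonAnnotations` is set. Every other resource in this series merges annotations through the library helper; use the same form here: `{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.annotations .Values.commonAnnotations ) "context" . ) }}`. Note also that `metrics.serviceMonitor.annotations` is not declared in the `metrics:` values block introduced later in this patch, so the `or` guard only ever fires on `commonAnnotations`; add `annotations: {}` there with a `@param` line.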
@@ -1236,10 +1233,34 @@ worker: # memory: 128Mi resources: {} + ## Keycloak Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + podDisruptionBudget: + ## @param podDisruptionBudget.create Enable/disable a Pod Disruption Budget creation + ## + create: false + ## @param podDisruptionBudget.minAvailable Minimum number/percentage of pods that should remain scheduled + ## + minAvailable: 1 + ## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable + ## + maxUnavailable: "" + ## Netbox worker Autoscaling configuration + ## @param autoscaling.enabled Enable autoscaling for Netbox worker + ## @param autoscaling.minReplicas Minimum number of Netbox worker replicas + ## @param autoscaling.maxReplicas Maximum number of Netbox worker replicas + ## @param autoscaling.targetCPU Target CPU utilization percentage + ## @param autoscaling.targetMemory Target Memory utilization percentage + ## @param autoscaling.targetCPUUtilizationPercentage (DEPRECATED) Target CPU utilization percentage + ## @param autoscaling.targetMemoryUtilizationPercentage (DEPRECATED) Target Memory utilization percentage + ## autoscaling: enabled: false minReplicas: 1 - maxReplicas: 100 + maxReplicas: 11 + targetCPU: "" + targetMemory: "" targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 @@ -1284,6 +1305,14 @@ worker: # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + ## Netbox worker Service configuration + ## + service: + enabled: false + ## @param worker.service.type Kubernetes service type + ## + type: ClusterIP + ## HTTPS settings ## tls: 
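Review bot: The new `podDisruptionBudget` and `autoscaling` comment blocks under `worker:` document the wrong paths — `@param podDisruptionBudget.create`, `@param autoscaling.enabled` and the rest are nested under `worker`, so a README generator keyed on these annotations would publish `podDisruptionBudget.create` instead of `worker.podDisruptionBudget.create`. The heading `## Keycloak Pod Disruption Budget configuration` also looks copied from another chart; suggest `## Netbox worker Pod Disruption Budget configuration` and a `worker.` prefix on every `@param` in both blocks. Separately, `maxReplicas` drops from 100 to 11 without mention in the commit message; if intentional it deserves a changelog line since it caps existing autoscaled deployments.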
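Review bot: The new `worker.service` block declares only `enabled` and `type`, but the worker Service template earlier in this patch reads `worker.service.http.enabled`, `worker.service.ports.http`, `worker.service.port`, `worker.service.httpsPort`, `worker.service.nodePorts.http`/`.https`, `worker.service.sessionAffinityConfig` and `worker.service.extraPorts`. With those keys absent, `.Values.worker.service.http.enabled` is a field access on a nil value and Helm aborts with a nil-pointer error the moment the template body renders (presumably once `enabled: true` is set — the file's opening guard is outside the hunk). Declare each of these keys here with empty defaults (`http: {enabled: true}`, `ports: {}`, `nodePorts: {http: "", https: ""}`, `sessionAffinityConfig: {}`, `extraPorts: []`) and a `port`/`httpsPort` matching the container ports, each with its `@param` line.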
@@ -1320,6 +1349,89 @@ tls: ## usePem: false +## @section Metrics Parameters + +## Prometheus Exporter / Metrics +## +## @param metricsEnabled (DEPRECATED) Enable metrics +## +metricsEnabled: false +metrics: + ## @param metrics.enabled Enable metrics + ## + enabled: false + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
+ ## + jobLabel: "" + ## Prometheus Operator alert rules configuration + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + labels: {} + ## @param metrics.prometheusRule.groups Groups, containing the alert rules. + ## Example: + ## groups: + ## - name: Netbox + ## rules: + ## - alert: NetboxInstanceNotAvailable + ## annotations: + ## message: "Netbox instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes." + ## expr: | + ## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . }}"}) != 0 + ## for: 5m + ## labels: + ## severity: critical + groups: [] +## @param serviceMonitor (DEPRECATED) Prometheus Operator ServiceMonitor configuration +## +serviceMonitor: + ## @param serviceMonitor.enabled (DEPRECATED) Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + additionalLabels: {} + interval: 1m + scrapeTimeout: 10s + ## @section Database parameters ## PostgreSQL chart configuration From 32fecec6319091a21240dea5b68b60958a44d6a7 Mon Sep 17 00:00:00 2001 
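Review bot: The deprecated `serviceMonitor:` block (`enabled`, `additionalLabels`, `interval`, `scrapeTimeout`) is kept, but the new ServiceMonitor template in this patch gates only on `metrics.serviceMonitor.enabled` and reads `metrics.serviceMonitor.labels`/`interval`/`scrapeTimeout`, so an existing deployment with `serviceMonitor.enabled: true` silently stops producing a ServiceMonitor after upgrade. If the old keys are to remain honoured during the deprecation window, the template should coalesce them (`or .Values.metrics.serviceMonitor.enabled .Values.serviceMonitor.enabled`, `coalesce .Values.metrics.serviceMonitor.interval .Values.serviceMonitor.interval`, and `additionalLabels` merged into `labels`); otherwise remove the block instead of documenting it as deprecated. The `@param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics` text also looks copied from the ServiceMonitor line — a PrometheusRule carries alert rules, not scrape config.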
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 14:51:29 +0700 Subject: [PATCH 006/110] Code cleanup --- .../netbox/templates/Secret/external-db.yaml | 14 ++++ .../{secret.yaml => Secret/netbox.yaml} | 0 charts/netbox/templates/_helpers.tpl | 7 ++ charts/netbox/templates/configmap.yaml | 2 +- charts/netbox/templates/cronjob.yaml | 16 ++++- charts/netbox/templates/istio/Gateway.yaml | 2 +- .../templates/istio/VirtualService.yaml | 4 +- .../netbox/templates/worker/Deployment.yaml | 4 +- .../worker/HorizontalPodAutoscaler.yaml | 60 +++++++++------- charts/netbox/values.yaml | 71 +++++++++++++++---- 10 files changed, 132 insertions(+), 48 deletions(-) create mode 100644 charts/netbox/templates/Secret/external-db.yaml rename charts/netbox/templates/{secret.yaml => Secret/netbox.yaml} (100%) diff --git a/charts/netbox/templates/Secret/external-db.yaml b/charts/netbox/templates/Secret/external-db.yaml new file mode 100644 index 00000000..5d976e85 --- /dev/null +++ b/charts/netbox/templates/Secret/external-db.yaml @@ -0,0 +1,14 @@ +{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) (not .Values.postgresql.existingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-externaldb" .Release.Name }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} + {{- if or .Values.externalDatabase.annotations .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.externalDatabase.annotations .Values.commonAnnotations) "context" $) | nindent 4 }} + {{- end }} +type: Opaque +data: + db-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-externaldb" .Release.Name) "key" "db-password" "length" 10 "providedValues" (list "externalDatabase.password") "context" $) }} +{{- end }} \ No newline at end of file 
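Review bot: `common.secrets.passwords.manage` with `"length" 10` generates a random value when `externalDatabase.password` is empty, so a deployment that forgets to set the external database password still gets a syntactically valid Secret holding a credential the external PostgreSQL has never seen, and the mistake surfaces only as authentication failures in the pods. For an externally managed database the chart cannot mint the credential, so fail at render time instead: `db-password: {{ required "externalDatabase.password is required when postgresql.enabled is false and no existingSecret is set" .Values.externalDatabase.password | b64enc | quote }}`. The name `printf "%s-externaldb" .Release.Name` also departs from the `netbox.fullname`-based naming the rest of the chart uses and is repeated twice in the hunk; a `$secretName` variable or a small helper would keep the two in sync.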
diff --git a/charts/netbox/templates/secret.yaml b/charts/netbox/templates/Secret/netbox.yaml similarity index 100% rename from charts/netbox/templates/secret.yaml rename to charts/netbox/templates/Secret/netbox.yaml diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 6e83f09b..8cc932a6 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -52,6 +52,13 @@ Return the proper Netbox worker image name {{ include "common.images.image" (dict "imageRoot" .Values.worker.image "global" .Values.global) }} {{- end -}} +{{/* +Return the proper Netbox housekeeping image name +*/}} +{{- define "netbox.housekeeping.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.housekeeping.image "global" .Values.global) }} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} diff --git a/charts/netbox/templates/configmap.yaml b/charts/netbox/templates/configmap.yaml index 87e506b6..acafa62d 100644 --- a/charts/netbox/templates/configmap.yaml +++ b/charts/netbox/templates/configmap.yaml @@ -144,7 +144,7 @@ data: STORAGE_BACKEND: {{ .Values.storageBackend | quote }} STORAGE_CONFIG: {{ toJson .Values.storageConfig }} {{- end }} - METRICS_ENABLED: {{ toJson .Values.metricsEnabled }} + METRICS_ENABLED: {{ toJson .Values.metrics.enabled }} PAGINATE_COUNT: {{ int .Values.paginateCount }} PLUGINS: {{ toJson .Values.plugins }} PLUGINS_CONFIG: {{ toJson .Values.pluginsConfig }} diff --git a/charts/netbox/templates/cronjob.yaml b/charts/netbox/templates/cronjob.yaml index 7c548f7d..98f7e15e 100644 --- a/charts/netbox/templates/cronjob.yaml +++ b/charts/netbox/templates/cronjob.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: CronJob metadata: - name: {{ include "netbox.fullname" . }}-housekeeping + name: {{ template "netbox.housekeeping.fullname" . }} {{- with .Values.commonAnnotations }} annotations: {{- toYaml . | nindent 4 }} 
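Review bot: `METRICS_ENABLED: {{ toJson .Values.metrics.enabled }}` stops honouring the deprecated `metricsEnabled` key, while the ServiceMonitor template in this series still gates on `or .Values.metrics.enabled .Values.metricsEnabled` and `values.yaml` keeps `metricsEnabled` documented as deprecated rather than removed. A user who still sets `metricsEnabled: true` therefore gets a ServiceMonitor pointed at a `/metrics` endpoint NetBox no longer exposes. Mirror the guard here until the key is actually removed: `METRICS_ENABLED: {{ toJson (or .Values.metrics.enabled .Values.metricsEnabled) }}`.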
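Review bot: `name: {{ template "netbox.housekeeping.fullname" . }}` references a helper this commit does not define — the `_helpers.tpl` hunk adds only `netbox.housekeeping.image`. Unless `netbox.housekeeping.fullname` already exists elsewhere in the chart or in a library dependency, `helm template` fails with a missing-template error; if it is meant to be new, define it beside the image helper, e.g. `{{- define "netbox.housekeeping.fullname" -}}{{ printf "%s-housekeeping" (include "netbox.fullname" .) }}{{- end -}}`. The container `name:` in the next hunk takes the same value, and a container name must be a DNS label of at most 63 characters, which a long release name plus `-housekeeping` can exceed — a short fixed container name (`housekeeping`) is the safer choice there.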
@@ -47,10 +47,10 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} containers: - - name: {{ .Chart.Name }}-housekeeping + - name: {{ template "netbox.housekeeping.fullname" . }} securityContext: {{- toYaml .Values.housekeeping.securityContext | nindent 14 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: {{ template "netbox.housekeeping.image" . }} command: - /opt/netbox/venv/bin/python - /opt/netbox/netbox/manage.py @@ -88,6 +88,11 @@ spec: mountPath: /opt/netbox/netbox/reports subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} {{- with .Values.housekeeping.extraVolumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} @@ -148,6 +153,11 @@ spec: persistentVolumeClaim: claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- end }} {{- with .Values.housekeeping.extraVolumes }} {{- toYaml . | nindent 10 }} {{- end }} diff --git a/charts/netbox/templates/istio/Gateway.yaml b/charts/netbox/templates/istio/Gateway.yaml index 2cd19743..5163a586 100644 --- a/charts/netbox/templates/istio/Gateway.yaml +++ b/charts/netbox/templates/istio/Gateway.yaml @@ -3,7 +3,7 @@ apiVersion: {{ include "common.capabilities.istioNetworking.apiVersion" . }} kind: Gateway metadata: - name: {{ include "common.names.fullname" . }} + name: {{ include "netbox.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} 
diff --git a/charts/netbox/templates/istio/VirtualService.yaml b/charts/netbox/templates/istio/VirtualService.yaml index d2ed1177..3880722e 100644 --- a/charts/netbox/templates/istio/VirtualService.yaml +++ b/charts/netbox/templates/istio/VirtualService.yaml @@ -3,7 +3,7 @@ apiVersion: {{ include "common.capabilities.istioNetworking.apiVersion" . }} kind: VirtualService metadata: - name: {{ include "common.names.fullname" . }} + name: {{ include "netbox.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} @@ -14,7 +14,7 @@ metadata: {{- end }} spec: gateways: - - {{ printf "%s/%s" (include "common.names.namespace" .) (include "common.names.fullname" .) }} + - {{ printf "%s/%s" (include "common.names.namespace" .) (include "netbox.fullname" .) }} {{- if .Values.netbox.ingress.hosts }} hosts: {{- range .Values.netbox.ingress.hosts }} diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 88341084..0ded941a 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -51,10 +51,10 @@ spec: {{- toYaml . | nindent 6 }} {{- end }} containers: - - name: {{ template "netbox.worker.image" . }} + - name: {{ template "netbox.worker.fullname" . }} securityContext: {{- toYaml .Values.worker.securityContext | nindent 10 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: {{ template "netbox.worker.image" . }} command: - /opt/netbox/venv/bin/python - /opt/netbox/netbox/manage.py diff --git a/charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml b/charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml index d9977a7a..e57f2f93 100644 --- a/charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml +++ b/charts/netbox/templates/worker/HorizontalPodAutoscaler.yaml 
@@ -1,37 +1,45 @@ {{- if and .Values.worker.enabled .Values.worker.autoscaling.enabled }} -apiVersion: autoscaling/v2 +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} kind: HorizontalPodAutoscaler metadata: name: {{ template "netbox.worker.fullname" . }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "netbox.labels" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: worker + app.kubernetes.io/part-of: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: scaleTargetRef: - apiVersion: apps/v1 + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment - name: {{ include "netbox.fullname" . }}-worker + name: {{ template "netbox.worker.fullname" . }} minReplicas: {{ .Values.worker.autoscaling.minReplicas }} maxReplicas: {{ .Values.worker.autoscaling.maxReplicas }} metrics: - {{- if .Values.worker.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.worker.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.worker.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.worker.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} + {{- if or .Values.worker.autoscaling.targetCPU .Values.worker.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) 
}} + targetAverageUtilization: {{ coalesce .Values.worker.autoscaling.targetCPU .Values.worker.autoscaling.targetCPUUtilizationPercentage }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ coalesce .Values.worker.autoscaling.targetCPU .Values.worker.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- end }} + {{- if or .Values.worker.autoscaling.targetMemory .Values.worker.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ coalesce .Values.worker.autoscaling.targetMemory .Values.worker.autoscaling.targetMemoryUtilizationPercentage }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ coalesce .Values.worker.autoscaling.targetMemory .Values.worker.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index c008bb6d..7ded5665 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -363,8 +363,13 @@ preferIPv4: false rackElevationDefaultUnitHeight: 22 rackElevationDefaultUnitWidth: 220 -# Remote authentication support +## @section Authentication parameters + +## +## remoteAuth: + ## @param remoteAuth.enabled Enable remote authentication support + ## enabled: false backends: - netbox.authentication.RemoteUserBackend @@ -383,6 +388,10 @@ remoteAuth: staffGroups: [] staffUsers: [] groupSeparator: '|' + ## @param remoteAuth.existingSecret Existing secret containing remote authentication parameters + ## + existingSecret: "" + # The following options are specific for backend "netbox.authentication.LDAPBackend" # you can use an existing netbox secret with "ldap_bind_password" instead of "bindPassword" 
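Review bot: `remoteAuth.existingSecret: ""` is documented as an existing Secret holding remote-authentication parameters, but none of the template hunks in this patch reads it, and the comment immediately below still says the LDAP bind password comes from the chart-level `existingSecret` under `ldap_bind_password`. Until a template consumes it, either leave the key out or say so in the comment (`## Not yet consumed by any template; see existingSecret for ldap_bind_password`) and list the keys the Secret is expected to contain, otherwise users will populate it and wonder why authentication still falls back to the inline values. If a later patch in the series wires it up, a pointer in this commit message would help reviewers.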
@@ -442,10 +451,11 @@ shortTimeFormat: 'H:i:s' dateTimeFormat: 'N j, Y g:i a' shortDateTimeFormat: 'Y-m-d H:i' -## Extra configuration settings -# You can pass additional YAML files to be loaded into NetBox's configuration. -# These can be passed as arbitrary configuration values set in the chart, or -# you can load arbitrary *.yaml keys from ConfigMaps and Secrets. +## @param extraConfig Extra configuration settings +## You can pass additional YAML files to be loaded into NetBox's configuration. +## These can be passed as arbitrary configuration values set in the chart, or +## you can load arbitrary *.yaml keys from ConfigMaps and Secrets. +## extraConfig: [] # - values: # EXTRA_SETTING_ONE: example @@ -459,10 +469,11 @@ extraConfig: [] # items: [] # optional: false -# If provided, this should be a 50+ character string of random characters. It -# will be randomly generated if left blank. -# You can also use an existing secret with "secret_key" instead of "secretKey" -# See `existingSecret` for details +## @param secretKey If provided, this should be a 50+ character string of random characters. It +## will be randomly generated if left blank. +## You can also use an existing secret with "secret_key" instead of "secretKey" +## See `existingSecret` for details +## secretKey: "" ## Provide passwords using existing secret 
@@ -1074,10 +1085,46 @@ extraInitContainers: [] # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] +## @section Netbox housekeeping parameters -# Configuration of Cron settings +## Configuration of Cron settings +## housekeeping: + ## @param housekeeping.enabled Whether to enable Netbox housekeeping cron job + ## enabled: true + ## Netbox housekeeping image version + ## ref: https://hub.docker.com/r/netboxcommunity/netbox/tags + ## @param image.registry [default: REGISTRY_NAME] Netbox housekeeping image registry + ## @param image.repository [default: REPOSITORY_NAME/netbox] Netbox housekeeping image repository + ## @skip image.tag Netbox housekeeping image tag (immutable tags are recommended) + ## @param image.digest Netbox housekeeping image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param image.pullPolicy Netbox housekeeping image pull policy + ## @param image.pullSecrets Specify docker-registry secret names as an array + ## @param image.debug Specify if debug logs should be enabled + ## + image: + registry: docker.io + repository: netboxcommunity/netbox + tag: "v3.7.1-2.8.0" + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false + concurrencyPolicy: Forbid failedJobsHistoryLimit: 5 restartPolicy: OnFailure @@ -1195,8 +1242,6 @@ worker: ## debug: false - - replicaCount: 1 podAnnotations: {} 
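Review bot: Pinning `housekeeping.image.tag: "v3.7.1-2.8.0"` decouples the housekeeping CronJob from the application image; the cronjob hunk in this same patch switches its `image:` from `.Values.image.tag | default .Chart.AppVersion` to this value, so after the next application-image bump `manage.py housekeeping` runs a different NetBox release against the same database and schema. Consider shipping `tag: ""` here and letting the helper fall back to the main image (for example `coalesce .Values.housekeeping.image.tag .Values.image.tag .Chart.AppVersion` inside `netbox.housekeeping.image`), so the two only diverge when explicitly requested. The `@param image.registry` … `@param image.debug` annotations also omit the `housekeeping.` prefix and so describe top-level keys that do not exist.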
@@ -1259,7 +1304,7 @@ worker: enabled: false minReplicas: 1 maxReplicas: 11 - targetCPU: "" + targetCPU: 80 targetMemory: "" targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 From 74b342f0b9a018b0c7313728f7d577fc925b59f0 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 14:54:48 +0700 Subject: [PATCH 007/110] Fix dependecies st-common version --- charts/netbox/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml index c2301141..2fe502ca 100644 --- a/charts/netbox/Chart.yaml +++ b/charts/netbox/Chart.yaml @@ -30,5 +30,5 @@ dependencies: alias: bitnami-common - name: st-common repository: https://startechnica.github.io/apps - version: 1.x.x + version: 0.x.x alias: startechnica-common \ No newline at end of file From 8bc712beaaaf6e223c8584806fc9e802aefb4b01 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 14:57:50 +0700 Subject: [PATCH 008/110] Fix ConfigMap and Secret path --- .../templates/{configmap.yaml => ConfigMap/netbox.yaml} | 0 charts/netbox/templates/deployment.yaml | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename charts/netbox/templates/{configmap.yaml => ConfigMap/netbox.yaml} (100%) diff --git a/charts/netbox/templates/configmap.yaml b/charts/netbox/templates/ConfigMap/netbox.yaml similarity index 100% rename from charts/netbox/templates/configmap.yaml rename to charts/netbox/templates/ConfigMap/netbox.yaml diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index f5ffdbe5..38a8c35c 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -27,9 +27,9 @@ spec: template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} {{- if (not .Values.existingSecret) }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . | sha256sum }} {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} From 8cac7dcdb40cdbb424adda2ff450fad1891d8cff Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 15:00:05 +0700 Subject: [PATCH 009/110] Fix worker deployment ConfigMap and Secret template path --- charts/netbox/templates/worker/Deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 0ded941a..94db358a 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -27,9 +27,9 @@ spec: template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} {{- if (not .Values.existingSecret) }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . | sha256sum }} {{- end }} {{- if .Values.worker.podAnnotations }} {{- include "common.tplvalues.render" (dict "value" .Values.worker.podAnnotations "context" $) | nindent 8 }} From 62275c8326327c7fcb139ef9b590adf812db5cb9 Mon Sep 17 00:00:00 2001 
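Review bot: `checksum/secret` still hashes only `Secret/netbox.yaml`, so the `Secret/external-db.yaml` introduced earlier in this series (holding `db-password`) sits outside the rollout trigger: changing `externalDatabase.password` updates the Secret, but neither this Deployment nor the worker Deployment in the next hunk restarts, and pods keep the stale password until something else rolls them (assuming the pods consume that Secret via env or volume, which the hunk does not show). Add `checksum/external-db: {{ include (print $.Template.BasePath "/Secret/external-db.yaml") . | sha256sum }}` to both Deployments; the template's own `if` guard makes the include harmless when the Secret is not rendered.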
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 15:03:51 +0700 Subject: [PATCH 010/110] Fix redis ServiceAccount --- charts/netbox/templates/redis/ServiceAccount.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/netbox/templates/redis/ServiceAccount.yaml b/charts/netbox/templates/redis/ServiceAccount.yaml index 5bb6e1db..6d1d080c 100644 --- a/charts/netbox/templates/redis/ServiceAccount.yaml +++ b/charts/netbox/templates/redis/ServiceAccount.yaml @@ -3,16 +3,16 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.serviceAccount.create (not .Values.sentinel.enabled) }} +{{- if and .Values.redis.serviceAccount.create (not .Values.redis.sentinel.enabled) }} apiVersion: v1 kind: ServiceAccount -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +automountServiceAccountToken: {{ .Values.redis.serviceAccount.automountServiceAccountToken }} metadata: name: {{ template "redis.serviceAccountName" . }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} - {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + {{- if or .Values.commonAnnotations .Values.redis.serviceAccount.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.redis.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} {{- end }} \ No newline at end of file From 575edca0a2479eace2c0d2a2201642e91b98ad51 Mon Sep 17 00:00:00 2001 
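Review bot: This file keeps the Bitnami Redis header and calls `redis.serviceAccountName`, the Redis subchart's helper; invoked from the parent with `.` as the parent context, that helper resolves the name from the parent's `.Values.serviceAccount` and fullname rather than from `.Values.redis.serviceAccount`, so the ServiceAccount created here is unlikely to be the one the Redis pods reference and `automountServiceAccountToken` is being set on an account nothing uses. When `redis.enabled` is true the subchart already renders its own ServiceAccount for `redis.serviceAccount.create: true`, so if the names do coincide the release fails on a duplicate resource instead. Either drop this template and let the subchart manage its ServiceAccount, or name it explicitly (`name: {{ printf "%s-redis" (include "netbox.fullname" .) }}`) and pass the same value through `redis.serviceAccount.name`.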
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 15:56:18 +0700 Subject: [PATCH 011/110] Change redis architecture to standalone --- charts/netbox/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 7ded5665..95ffac00 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -1542,6 +1542,9 @@ redis: # To use an external Redis instance, set this to false and configure the # settings under *both* tasksRedis *and* cachingRedis enabled: true + ## @param architecture Redis® architecture. Allowed values: `standalone` or `replication` + ## + architecture: standalone tasksRedis: database: 0 From e51a2ab958465de0a464e9f40008efce32ba661e Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 16:38:26 +0700 Subject: [PATCH 012/110] Change Deployment securityContext logic --- charts/netbox/templates/deployment.yaml | 5 +++-- charts/netbox/templates/worker/Deployment.yaml | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 38a8c35c..aaaabc8c 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -47,8 +47,9 @@ spec: {{- end }} serviceAccountName: {{ include "netbox.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} initContainers: - name: init-dirs image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 94db358a..e87edba1 100644 
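Review bot: Gating on `.Values.podSecurityContext.enabled` changes the default in a security-relevant direction: the removed lines applied `podSecurityContext` verbatim, and this commit touches no values file, so for every existing `values.yaml` the new `enabled` key is absent, evaluates false, and the pod-level `securityContext` users had configured (`runAsNonRoot`, `fsGroup`, seccomp profile, …) is silently dropped on upgrade. Ship the matching values change in the same commit — `podSecurityContext:` gaining `enabled: true` above the former defaults — and call the behaviour change out in the commit message; the same applies to `worker.podSecurityContext` for the worker Deployment hunk below.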
--- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -52,8 +52,9 @@ spec: {{- end }} containers: - name: {{ template "netbox.worker.fullname" . }} - securityContext: - {{- toYaml .Values.worker.securityContext | nindent 10 }} + {{- if .Values.worker.podSecurityContext.enabled }} + securityContext: {{- omit .Values.worker.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} image: {{ template "netbox.worker.image" . }} command: - /opt/netbox/venv/bin/python From 20947183cd02b6261e43874404d4fd836acfb797 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 16:56:29 +0700 Subject: [PATCH 013/110] Fix service manifest --- charts/netbox/templates/service.yaml | 92 ++++++++++++++++------------ 1 file changed, 52 insertions(+), 40 deletions(-) diff --git a/charts/netbox/templates/service.yaml b/charts/netbox/templates/service.yaml index ca01c920..c6ba647c 100644 --- a/charts/netbox/templates/service.yaml +++ b/charts/netbox/templates/service.yaml 
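Review bot: `securityContext: {{- omit .Values.worker.podSecurityContext "enabled" | toYaml | nindent 8 }}` sits on the container entry (the hunk is under `- name: {{ template "netbox.worker.fullname" . }}`), whose keys are at column 8 — the removed line rendered the body with `nindent 10` for that reason. With `nindent 8` the emitted fields land at the same column as the `securityContext:` key, so the key becomes null and `runAsUser`, `capabilities` and friends turn into unknown container fields that the API server rejects (or, with validation disabled, drops — leaving the container without its hardening); restore `nindent 10`. Separately, the source switched from `worker.securityContext` to `worker.podSecurityContext`: pod-level fields such as `fsGroup` or `sysctls` are not valid in a container `securityContext`, and I do not see `worker.podSecurityContext` defined in any visible values hunk, so the `.enabled` guard is false and the worker container currently renders with no securityContext at all.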
@@ -1,52 +1,64 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "netbox.fullname" . }} - labels: - {{- include "netbox.labels" . | nindent 4 }} - {{- if or .Values.commonAnnotations .Values.service.annotations }} - annotations: - {{- with .Values.service.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} + name: {{ template "netbox.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox + {{- if or .Values.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} spec: type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - {{- if .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - selector: - {{- include "netbox.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: netbox - {{- if .Values.service.clusterIP }} - clusterIP: {{ .Values.service.clusterIP | quote }} - {{- end }} - {{- with .Values.service.clusterIPs }} - clusterIPs: - {{- toYaml . | nindent 2 }} - {{- end }} - {{- with .Values.service.externalIPs }} - externalIPs: - {{- toYaml . 
| nindent 2 }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} {{- end }} - {{- if .Values.service.externalTrafficPolicy }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} {{- end }} - {{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy | quote }} + {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }} {{- end }} - {{- if .Values.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.service.loadBalancerIP | quote }} + {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} {{- end }} - {{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- toYaml . 
| nindent 2 }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + {{- if .Values.service.http.enabled }} + - name: http + port: {{ coalesce .Values.service.ports.http .Values.service.port }} + protocol: TCP + targetPort: http + {{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http))) }} + nodePort: {{ .Values.service.nodePorts.http }} + {{- else if eq .Values.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: https + port: {{ coalesce .Values.service.ports.https .Values.service.httpsPort }} + protocol: TCP + targetPort: https + {{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https))) }} + nodePort: {{ .Values.service.nodePorts.https }} + {{- else if eq .Values.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- end }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox \ No newline at end of file From 0a481a8393fbbbab67c7f3fb34b3492fde17edb9 Mon Sep 17 00:00:00 2001 
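Review bot: `loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}` interpolates a list with Go's default formatting, which produces `[a b]` without commas; that happens to parse as a one-element flow sequence when a single CIDR is configured and is rejected by the API server as soon as a second range is added, so the allow-list cannot be expressed beyond one entry. Render it as YAML instead, `loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}`, matching how the removed lines did it. Two smaller regressions in the same hunk: `clusterIP` and `loadBalancerIP` lost their `| quote`, and `externalTrafficPolicy` is now emitted for every LoadBalancer/NodePort service even when the value is empty, which renders an invalid `""`; keep the old `{{- if .Values.service.externalTrafficPolicy }}` guard inside the type check.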
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 17:02:47 +0700 Subject: [PATCH 014/110] Disable redis auth --- charts/netbox/values.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 95ffac00..a3238588 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -1537,6 +1537,9 @@ externalDatabase: existingSecretPasswordKey: "" annotations: {} +## @section Redis common configuration parameters +## https://github.com/bitnami/containers/tree/main/bitnami/redis#configuration +## redis: ## Deploy Redis using bundled chart # To use an external Redis instance, set this to false and configure the @@ -1545,6 +1548,13 @@ redis: ## @param architecture Redis® architecture. Allowed values: `standalone` or `replication` ## architecture: standalone + ## Redis® Authentication parameters + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/redis#setting-the-server-password-on-first-run + ## + auth: + ## @param auth.enabled Enable password authentication + ## + enabled: false tasksRedis: database: 0 From 28762deab5be356ad1478e08d87ae714f0910e5c Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 17:25:41 +0700 Subject: [PATCH 015/110] Rearrange worker Deployment manifest --- charts/netbox/templates/_helpers.tpl | 7 ++ charts/netbox/templates/deployment.yaml | 5 +- charts/netbox/templates/serviceaccount.yaml | 12 +--- .../netbox/templates/worker/Deployment.yaml | 67 +++++++++++-------- charts/netbox/values.yaml | 13 ++-- 5 files changed, 54 insertions(+), 50 deletions(-) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 8cc932a6..3bf4afa3 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl 
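Review bot: Setting `auth.enabled: false` for the bundled Redis switches off password authentication on a datastore that holds NetBox's task queue and cache, so any workload that can reach the Redis Service (in the namespace, or cluster-wide absent a NetworkPolicy) can read and alter that data; the upstream bitnami/redis chart defaults this to `true`, so this is a deliberate weakening that the commit message ("Disable redis auth") does not justify. Unless there is a concrete reason, keep `enabled: true` and wire the password through `existingSecret`/`existingSecretPasswordKey` as the `externalDatabase` block in the same hunk already does for PostgreSQL. If the intent is a development-only default, document it on the key, e.g. `## Disabled for local development only; enable and set auth.existingSecret in production and restrict access with a NetworkPolicy`, and consider enforcing it via a values schema. The `## @param auth.enabled` annotation should also carry the full path `redis.auth.enabled`.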
@@ -59,6 +59,13 @@ Return the proper Netbox housekeeping image name {{ include "common.images.image" (dict "imageRoot" .Values.housekeeping.image "global" .Values.global) }} {{- end -}} +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "netbox.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.worker.image .Values.housekeeping.image .Values.init.image .Values.volumePermissions.image) "context" $) -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index aaaabc8c..196c967f 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -41,10 +41,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 6 }} - {{- end }} + {{- include "netbox.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "netbox.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} {{- if .Values.podSecurityContext.enabled }} diff --git a/charts/netbox/templates/serviceaccount.yaml b/charts/netbox/templates/serviceaccount.yaml index 0272bcfe..69e9cc77 100644 --- a/charts/netbox/templates/serviceaccount.yaml +++ b/charts/netbox/templates/serviceaccount.yaml 
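Review bot: The new `netbox.imagePullSecrets` helper resolves pull secrets only from the per-image `pullSecrets` lists passed to `common.images.renderPullSecrets` (and, if that helper behaves as its bitnami/common counterpart, `global.imagePullSecrets`), while the deployment.yaml hunk of this commit removes the `{{- with .Values.imagePullSecrets }}` block that previously honoured the top-level list; users who set `imagePullSecrets` at the top level therefore lose private-registry access silently. The values.yaml hunks of this commit still keep `imagePullSecrets: []`, which becomes dead configuration. Either add the old list as a fallback in the helper, e.g. `{{- with .Values.imagePullSecrets }}imagePullSecrets: {{- toYaml . | nindent 2 }}{{- end }}` guarded so it is not emitted twice, or remove the key from values.yaml and document `image.pullSecrets` as its replacement. The worker Deployment hunk of this commit makes the same switch.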
@@ -4,16 +4,10 @@ kind: ServiceAccount automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} metadata: name: {{ include "netbox.serviceAccountName" . }} - labels: - {{- include "netbox.labels" . | nindent 4 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} - annotations: - {{- with .Values.serviceAccount.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} {{- with .Values.serviceAccount.imagePullSecrets }} imagePullSecrets: diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index e87edba1..5cf1821d 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml 
@@ -38,29 +38,54 @@ spec: app.kubernetes.io/component: worker app.kubernetes.io/part-of: netbox spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 6 }} + {{- include "netbox.imagePullSecrets" . | nindent 6 }} + {{- if .Values.worker.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.worker.hostAliases "context" $) | nindent 8 }} {{- end }} - serviceAccountName: {{ include "netbox.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.worker.automountServiceAccountToken }} - securityContext: - {{- toYaml .Values.worker.podSecurityContext | nindent 8 }} + {{- if .Values.worker.priorityClassName }} + priorityClassName: {{ .Values.worker.priorityClassName | quote }} + {{- end }} + {{- if .Values.worker.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.worker.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.worker.podAffinityPreset "component" "worker" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.worker.podAntiAffinityPreset "component" "worker" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.worker.nodeAffinityPreset.type "key" .Values.worker.nodeAffinityPreset.key "values" .Values.worker.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.worker.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.worker.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.worker.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.worker.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.worker.podSecurityContext.enabled }} + securityContext: {{- omit 
.Values.worker.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "netbox.serviceAccountName" . }} {{- with .Values.worker.extraInitContainers }} initContainers: {{- toYaml . | nindent 6 }} {{- end }} + terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }} containers: - name: {{ template "netbox.worker.fullname" . }} - {{- if .Values.worker.podSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} image: {{ template "netbox.worker.image" . }} + imagePullPolicy: {{ .Values.worker.image.pullPolicy | quote }} + {{- if .Values.worker.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.worker.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.worker.command "context" $) | nindent 12 }} + {{- else }} command: - - /opt/netbox/venv/bin/python - - /opt/netbox/netbox/manage.py - - rqworker - imagePullPolicy: {{ .Values.image.pullPolicy }} + - /opt/netbox/venv/bin/python + - /opt/netbox/netbox/manage.py + - rqworker + {{- end }} {{- with .Values.worker.extraEnvs }} env: {{- toYaml . | nindent 8 }} @@ -166,20 +191,4 @@ spec: {{- with .Values.worker.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} - {{- with .Values.worker.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.worker.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.worker.tolerations }} - tolerations: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- with .Values.worker.hostAliases }} - hostAliases: - {{- toYaml . | nindent 6 }} - {{- end }} {{- end }} 
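Review bot: The default affinity branch references `$podLabels` in both `common.affinities.pods` calls, but no `$podLabels :=` definition is visible in the hunk; unless it is declared above line 38 of this template, every render with an empty `worker.affinity` (the default path) fails with an undefined-variable error. Define it near the top of the template in the same style the service.yaml hunk of PATCH 013 uses, e.g. `{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.worker.podLabels .Values.commonLabels ) "context" . ) }}`. The hunk also relies on `worker.podAffinityPreset`, `worker.nodeAffinityPreset.*`, `worker.priorityClassName`, `worker.terminationGracePeriodSeconds` and `diagnosticMode.*` existing in values.yaml; the values hunks of this commit do not add them, so a nil parent map would make Helm abort with a nil-pointer evaluation error. The enclosing Deployment spec begins outside the hunk.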
diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index a3238588..4f619a0d 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -328,8 +328,6 @@ storageConfig: {} # AWS_S3_ENDPOINT_URL: 'endpoint URL of S3 provider' # AWS_S3_REGION_NAME: 'eu-west-1' - - # Determine how many objects to display per page within a list. (Default: 50) paginateCount: 50 @@ -392,7 +390,6 @@ remoteAuth: ## existingSecret: "" - # The following options are specific for backend "netbox.authentication.LDAPBackend" # you can use an existing netbox secret with "ldap_bind_password" instead of "bindPassword" # see https://django-auth-ldap.readthedocs.io @@ -439,11 +436,13 @@ sessionCookieName: sessionid # Localization enableLocalization: false -# Time zone (default: UTC) +## @param timeZone Time zone (default: UTC) +## timeZone: UTC -# Date/time formatting. See the following link for supported formats: -# https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date +## Date/time formatting. See the following link for supported formats: +## https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date +## dateFormat: 'N j, Y' shortDateFormat: 'Y-m-d' timeFormat: 'g:i a' @@ -536,8 +535,6 @@ overrideUnitConfig: {} # # access_log: /dev/stdout - - imagePullSecrets: [] ## @section RBAC parameter From b694d3be0fef94b2865d911a3fb688e0c2053230 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 17:59:15 +0700 Subject: [PATCH 016/110] Fix volumeMounts --- charts/netbox/templates/deployment.yaml | 210 +++++------ .../netbox/templates/worker/Deployment.yaml | 137 ++++---- charts/netbox/values.yaml | 331 ++++++++++++++---- 3 files changed, 452 insertions(+), 226 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 196c967f..c07007c2 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -65,107 +65,115 @@ spec: {{- toYaml . | nindent 6 }} {{- end }} containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "netbox.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: SUPERUSER_NAME - value: {{ .Values.superuser.name | quote }} - - name: SUPERUSER_EMAIL - value: {{ .Values.superuser.email | quote }} - - name: SKIP_STARTUP_SCRIPTS - value: {{ .Values.skipStartupScripts | quote }} - {{- if .Values.dbWaitDebug }} - - name: DB_WAIT_DEBUG - value: "1" - {{- end }} - {{- if .Values.overrideUnitConfig }} - - name: UNIT_CONFIG - value: /run/config/netbox/nginx-unit.json - {{- end }} - {{- with .Values.extraEnvs }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.allowedHostsIncludesPodIp }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - {{- end }} - ports: - - name: http - containerPort: 8080 - protocol: TCP - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: /{{ .Values.basePath }}login/ - port: http - {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} - httpHeaders: - - name: Host - value: {{ (index .Values.allowedHosts 0) | quote }} - {{- end }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - {{- end }} - volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - 
{{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - mountPath: /opt/netbox/netbox/reports - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - mountPath: /opt/netbox/netbox/scripts - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} - - name: optunit - mountPath: /opt/unit - - name: secrets - mountPath: /run/secrets/superuser_password - subPath: superuser_password - readOnly: true - - name: secrets - mountPath: /run/secrets/superuser_api_token - subPath: superuser_api_token - readOnly: true - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.resources }} - resources: - {{- toYaml .Values.resources | nindent 10 }} - {{- end }} - {{- with .Values.extraContainers }} - {{- toYaml . | nindent 6 }} + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + image: {{ template "netbox.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: SUPERUSER_NAME + value: {{ .Values.superuser.name | quote }} + - name: SUPERUSER_EMAIL + value: {{ .Values.superuser.email | quote }} + - name: SKIP_STARTUP_SCRIPTS + value: {{ .Values.skipStartupScripts | quote }} + {{- if .Values.dbWaitDebug }} + - name: DB_WAIT_DEBUG + value: "1" + {{- end }} + {{- if .Values.overrideUnitConfig }} + - name: UNIT_CONFIG + value: /run/config/netbox/nginx-unit.json + {{- end }} + {{- with .Values.extraEnvs }} + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.allowedHostsIncludesPodIp }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /{{ .Values.basePath }}login/ + port: http + {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} + httpHeaders: + - name: Host + value: {{ (index .Values.allowedHosts 0) | quote }} + {{- end }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + {{- end }} + {{- if .Values.worker.resources }} + resources: {{- toYaml .Values.worker.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/netbox/config/configuration.py + subPath: configuration.py + readOnly: true + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} + - name: config + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true + - name: secrets + mountPath: /run/secrets/netbox + readOnly: true + {{- include "netbox.extraConfig.volumeMounts" . 
| nindent 8 -}} + - name: netbox-tmp + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + mountPath: /opt/netbox/netbox/reports + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} + - name: optunit + mountPath: /opt/unit + - name: secrets + mountPath: /run/secrets/superuser_password + subPath: superuser_password + readOnly: true + - name: secrets + mountPath: /run/secrets/superuser_api_token + subPath: superuser_api_token + readOnly: true + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} + {{- if or .Values.initContainers $needsVolumePermissions }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} {{- end }} volumes: - name: config diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 5cf1821d..3e25c1ab 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml 
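Review bot: The server container now renders `{{- if .Values.worker.resources }} resources: {{- toYaml .Values.worker.resources | nindent 12 }}` where the removed lines used `.Values.resources`, so the NetBox pod picks up the worker's limits and ignores its own; restore `{{- if .Values.resources }}` / `resources: {{- toYaml .Values.resources | nindent 12 }}`. The trailing `$needsVolumePermissions` block opens an `initContainers:` key whenever `volumePermissions.enabled` is set but emits no volume-permissions container inside it, and this template already declares `initContainers:` with `- name: init-dirs` earlier in the pod spec (visible as context in the deployment.yaml hunk of PATCH 012), so the rendered pod spec would contain a duplicate mapping key that strict YAML decoding rejects. Either fold the new entries into the existing `initContainers:` list or drop the `$needsVolumePermissions` branch until a container is actually rendered for it. The worker Deployment hunk of this commit has the same empty `$needsVolumePermissions` block.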
@@ -64,74 +64,81 @@ spec: securityContext: {{- omit .Values.worker.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} serviceAccountName: {{ template "netbox.serviceAccountName" . }} - {{- with .Values.worker.extraInitContainers }} - initContainers: - {{- toYaml . | nindent 6 }} - {{- end }} terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }} containers: - - name: {{ template "netbox.worker.fullname" . }} - image: {{ template "netbox.worker.image" . }} - imagePullPolicy: {{ .Values.worker.image.pullPolicy | quote }} - {{- if .Values.worker.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.worker.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.worker.command "context" $) | nindent 12 }} - {{- else }} - command: - - /opt/netbox/venv/bin/python - - /opt/netbox/netbox/manage.py - - rqworker - {{- end }} - {{- with .Values.worker.extraEnvs }} - env: - {{- toYaml . | nindent 8 }} - {{- end }} - volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - {{- include "netbox.extraConfig.volumeMounts" . 
| nindent 8 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - mountPath: /opt/netbox/netbox/reports - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + - name: {{ template "netbox.worker.fullname" . }} + image: {{ template "netbox.worker.image" . }} + imagePullPolicy: {{ .Values.worker.image.pullPolicy | quote }} + {{- if .Values.worker.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.worker.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.worker.command "context" $) | nindent 12 }} + {{- else }} + command: + - /opt/netbox/venv/bin/python + - /opt/netbox/netbox/manage.py + - rqworker + {{- end }} + {{- with .Values.worker.extraEnvs }} + env: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.worker.resources }} + resources: {{- toYaml .Values.worker.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/netbox/config/configuration.py + subPath: configuration.py + readOnly: true + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} + - name: config + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true + - name: secrets + mountPath: /run/secrets/netbox + readOnly: true + {{- include "netbox.extraConfig.volumeMounts" . 
| nindent 8 -}} + - name: netbox-tmp + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + mountPath: /opt/netbox/netbox/reports + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.worker.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.worker.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.worker.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.worker.sidecars "context" $) | nindent 8 }} {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - mountPath: /opt/netbox/netbox/scripts - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} - {{- with .Values.worker.extraVolumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.worker.resources }} - resources: - {{- toYaml .Values.worker.resources | nindent 10 }} - {{- end }} - {{- with .Values.worker.extraContainers }} - {{- toYaml . 
| nindent 6 }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.worker.podSecurityContext.enabled .Values.worker.containerSecurityContext.enabled }} + {{- if or .Values.worker.initContainers $needsVolumePermissions }} + initContainers: + {{- if .Values.worker.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.worker.initContainers "context" $) | nindent 8 }} + {{- end }} {{- end }} volumes: - name: config diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 4f619a0d..dbde9c13 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -123,7 +123,7 @@ superuser: # Skip the netbox-docker startup scripts which can pre-populate objects into a # fresh NetBox installation. By default these do nothing, but they take a while # to run, so we skip them. See: -# https://github.com/netbox-community/netbox-docker/tree/master/startup_scripts +# https://github.com/netbox-community/netbox-docker/tree/worker/startup_scripts skipStartupScripts: true # This is a list of valid fully-qualified domain names (FQDNs) for the NetBox 
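Review bot: The hunk renames the consumed values keys from `worker.extraInitContainers` to `worker.initContainers` and from `worker.extraContainers` to `worker.sidecars` without a compatibility path, so existing overrides under the old keys are ignored silently on upgrade. Add a fallback such as `{{- $initContainers := default .Values.worker.extraInitContainers .Values.worker.initContainers }}` (and the same for `sidecars`/`extraContainers`) or at least note the rename in the chart changelog. As in the server Deployment, the `$needsVolumePermissions` condition opens `initContainers:` without rendering a container for it; and `.Values.metrics.enabled`, `.Values.worker.sidecars` and `.Values.worker.initContainers` are dereferenced unconditionally, which errors at render time if the parent map is absent from values.yaml. The enclosing Deployment spec begins outside the hunk.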
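Review bot: The comment URL was changed from `.../netbox-docker/tree/master/startup_scripts` to `.../netbox-docker/tree/worker/startup_scripts`, which looks like an accidental search-and-replace of `master` while editing the worker values rather than an intended link update; `worker` is not a branch name the comment gives any reason to expect. Restore `# https://github.com/netbox-community/netbox-docker/tree/master/startup_scripts` unless the target branch really changed.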
@@ -1238,18 +1238,274 @@ worker: ## Set to true if you would like to see extra information on logs ## debug: false - - replicaCount: 1 - - podAnnotations: {} - - podLabels: {} - + ## @param worker.command Override default container command (useful when using custom images) + ## + command: [] + ## @param worker.args Override default container args (useful when using custom images) + ## + args: [] + ## @param worker.enableServiceLinks Whether information about services should be injected into pod's environment variable + ## + enableServiceLinks: true + ## @param worker.preExecCmds Additional commands to run prior to starting Netbox worker + ## + preExecCmds: [] + ## @param worker.extraFlags Array with additional command line flags for Netbox worker + ## e.g: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + ## + extraFlags: [] + ## @param worker.extraEnvVars Array with extra environment variables to add to Netbox worker nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param worker.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Netbox worker nodes + ## + extraEnvVarsCM: "" + ## @param worker.extraEnvVarsSecret Name of existing Secret containing extra env vars for Netbox worker nodes + ## + extraEnvVarsSecret: "" + ## @param worker.containerPorts.redis Container port to open on Netbox worker nodes + ## + containerPorts: + http: 8080 + ## Configure extra options for Netbox containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param worker.startupProbe.enabled Enable startupProbe on Netbox worker nodes + ## @param worker.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param worker.startupProbe.periodSeconds Period seconds for startupProbe + ## @param worker.startupProbe.timeoutSeconds Timeout seconds for 
startupProbe + ## @param worker.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param worker.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param worker.livenessProbe.enabled Enable livenessProbe on Netbox worker nodes + ## @param worker.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param worker.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param worker.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param worker.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param worker.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param worker.readinessProbe.enabled Enable readinessProbe on Netbox worker nodes + ## @param worker.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param worker.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param worker.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param worker.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param worker.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param worker.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param worker.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param worker.customReadinessProbe Custom readinessProbe that overrides the default one + ## + 
customReadinessProbe: {} + ## Netbox worker resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param worker.resources.limits The resources limits for the Netbox worker containers + ## @param worker.resources.requests The requested resources for the Netbox worker containers + ## + resources: + limits: {} + requests: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param worker.podSecurityContext.enabled Enabled Netbox worker pods' Security Context + ## @param worker.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param worker.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param worker.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param worker.podSecurityContext.fsGroup Set Netbox worker pod's Security Context fsGroup + ## podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + runAsNonRoot: true + sysctls: [] + supplementalGroups: [] fsGroup: 1000 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param worker.containerSecurityContext.enabled Enabled Netbox worker containers' Security Context + ## @param worker.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param worker.containerSecurityContext.runAsUser Set Netbox worker containers' Security Context runAsUser + ## @param worker.containerSecurityContext.runAsGroup Set Netbox worker containers' Security Context runAsGroup + ## @param worker.containerSecurityContext.runAsNonRoot Set Netbox worker containers' Security Context runAsNonRoot + ## @param worker.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate Netbox pod(s) privileges + 
## @param worker.containerSecurityContext.seccompProfile.type Set Netbox worker containers' Security Context seccompProfile + ## @param worker.containerSecurityContext.capabilities.drop Set Netbox worker containers' Security Context capabilities to drop + ## + containerSecurityContext: + enabled: true + seLinuxOptions: null + runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true - # runAsUser: 1000 - # runAsGroup: 1000 + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + ## @param worker.schedulerName Alternate scheduler for Netbox worker pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param worker.updateStrategy.type Netbox worker statefulset strategy type + ## @skip worker.updateStrategy.rollingUpdate + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate, OnDelete (statefulset), Recreate (deployment) + ## + type: RollingUpdate + ## @param worker.minReadySeconds How many seconds a pod needs to be ready before killing the next, during update + ## + minReadySeconds: 0 + ## @param worker.priorityClassName Netbox worker pods' priorityClassName + ## + priorityClassName: "" + ## @param worker.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param worker.hostAliases Netbox worker pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param worker.podLabels Extra labels for Netbox worker pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param worker.podAnnotations Annotations for Netbox worker pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + 
podAnnotations: {} + ## @param worker.shareProcessNamespace Share a single process namespace between all of the containers in Netbox worker pods + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param worker.podAffinityPreset Pod affinity preset. Ignored if `worker.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param worker.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `worker.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node worker.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param worker.nodeAffinityPreset.type Node affinity preset type. Ignored if `worker.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param worker.nodeAffinityPreset.key Node label key to match. Ignored if `worker.affinity` is set + ## + key: "" + ## @param worker.nodeAffinityPreset.values Node label values to match. Ignored if `worker.affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param worker.affinity Affinity for Netbox worker pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `worker.podAffinityPreset`, `worker.podAntiAffinityPreset`, and `worker.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param worker.nodeSelector Node labels for Netbox worker pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param worker.tolerations Tolerations for Netbox worker pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param worker.topologySpreadConstraints Spread Constraints for Netbox worker pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: node + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: [] + ## @param worker.dnsPolicy DNS Policy for Netbox worker pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsPolicy: ClusterFirst + ## + dnsPolicy: "" + ## @param worker.dnsConfig DNS Configuration for Netbox worker pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. 
+ ## dnsConfig: + ## options: + ## - name: ndots + ## value: "4" + ## - name: single-request-reopen + ## + dnsConfig: {} + ## @param worker.lifecycleHooks for the Netbox worker container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param worker.extraVolumes Optionally specify extra list of additional volumes for the Netbox worker pod(s) + ## + extraVolumes: [] + ## @param worker.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Netbox worker container(s) + ## + extraVolumeMounts: [] + ## @param worker.sidecars Add additional sidecar containers to the Netbox worker pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param worker.initContainers Add additional init containers to the Netbox worker pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + + replicaCount: 1 securityContext: capabilities: 
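Review bot: The new `worker.containerSecurityContext` sets `runAsGroup: 0` and has no `readOnlyRootFilesystem`, while the old `securityContext` block kept as context right after `replicaCount: 1` still says `runAsUser: 1000` / `runAsGroup: 1000` (its `capabilities:` line is the last context line of this hunk; the rest sits in the next one), so the worker now carries two competing security contexts with different UID/GID and it is not visible here which one the worker template renders. Running with GID 0 makes every root-group-writable file in the image writable by the worker process; unless the image needs that, use `runAsGroup: 1001` to match `runAsUser`, add `readOnlyRootFilesystem: true`, and remove the old block (or render the new one) so there is a single source of truth. Note also that `fsGroup: 1000` in `podSecurityContext` no longer lines up with `runAsUser: 1001`. Separately, `## @param worker.containerPorts.redis` does not describe the `http: 8080` key beneath it, and the `extraFlags` examples (`--maxmemory-policy volatile-ttl`, `--repl-backlog-size 1024mb`) look copied from a Redis chart rather than being flags the NetBox worker accepts; fix the param name and replace or drop the examples.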
@@ -1260,22 +1516,7 @@ worker: runAsUser: 1000 runAsGroup: 1000 - # Set this to true to automatically mount the service account token in the worker container - automountServiceAccountToken: false - - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - resources: {} - - ## Keycloak Pod Disruption Budget configuration + ## Network worker Pod Disruption Budget configuration ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## podDisruptionBudget: @@ -1306,36 +1547,6 @@ worker: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 - nodeSelector: {} - - tolerations: [] - - hostAliases: [] - - updateStrategy: {} - # type: RollingUpdate - - affinity: {} - - ## Additional environment variables to set - extraEnvs: [] - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - - ## Additional volumes to mount - extraVolumeMounts: [] - # - name: extra-volume - # mountPath: /run/secrets/super-secret - # readOnly: true - - extraVolumes: [] - # - name: extra-volume - # secret: - # secretName: super-secret - ## Additional containers to be added to the NetBox pod. extraContainers: [] # - name: my-sidecar 
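Review bot: `## Network worker Pod Disruption Budget configuration` reads like another slip of the search-and-replace seen elsewhere in this commit; the section is the NetBox worker's PDB, so `## Netbox worker Pod Disruption Budget configuration` matches the phrasing used throughout the new worker block. The removals in both hunks here are otherwise just the keys that moved up into that block.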
@@ -1412,11 +1623,11 @@ metrics:
 ##
 namespace: ""
 ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
- ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ## ref: https://github.com/coreos/prometheus-operator/blob/worker/Documentation/api.md#endpoint
 ##
 interval: ""
 ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
- ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ## ref: https://github.com/coreos/prometheus-operator/blob/worker/Documentation/api.md#endpoint
 ##
 scrapeTimeout: ""
 ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
@@ -1542,10 +1753,10 @@ redis:
 # To use an external Redis instance, set this to false and configure the
 # settings under *both* tasksRedis *and* cachingRedis
 enabled: true
- ## @param architecture Redis® architecture. Allowed values: `standalone` or `replication`
+ ## @param architecture Netbox architecture. Allowed values: `standalone` or `replication`
 ##
 architecture: standalone
- ## Redis® Authentication parameters
+ ## Netbox Authentication parameters
 ## ref: https://github.com/bitnami/containers/tree/main/bitnami/redis#setting-the-server-password-on-first-run
 ##
 auth:
From 4de16163a44dadb142fe3fe2f82a9f41857fb0fd Mon Sep 17 00:00:00 2001
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com>
Date: Tue, 30 Jan 2024 18:06:07 +0700
Subject: [PATCH 017/110] Fix deployment init-cointainer
---
 charts/netbox/templates/deployment.yaml | 95 ++++++++++++-------------
 1 file changed, 46 insertions(+), 49 deletions(-)
diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml
index c07007c2..b823c81c 100644
--- a/charts/netbox/templates/deployment.yaml
+++ b/charts/netbox/templates/deployment.yaml
@@ -47,23 +47,7 @@ spec:
 {{- if .Values.podSecurityContext.enabled }}
 securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
 {{- end }}
- initContainers:
- - name: init-dirs
- image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}"
- imagePullPolicy: {{ .Values.init.image.pullPolicy }}
- command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp]
- {{- if .Values.init.resources }}
- resources:
- {{- toYaml .Values.init.resources | nindent 10 }}
- {{- end }}
- securityContext:
- {{- toYaml .Values.init.securityContext | nindent 10 }}
- volumeMounts:
- - name: optunit
- mountPath: /opt/unit
- {{- with .Values.extraInitContainers }}
- {{- toYaml . | nindent 6 }}
- {{- end }}
+
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
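Review bot: `.Values.extraInitContainers` stops being rendered here and nothing in this commit keeps it: the `initContainers:` block re-added in the `@@ -169,8 +153,21 @@` hunk below reads `.Values.initContainers` instead. Anyone who set `extraInitContainers` has those containers silently dropped on upgrade, and the README breaking-changes list added in PATCH 019 names the `extraEnvs` and `securityContext` renames but not this one. Either keep a fallback (`{{- with .Values.extraInitContainers }}` / `{{- toYaml . | nindent 6 }}` / `{{- end }}`) for a release, or add `* The `extraInitContainers` setting has been renamed to `initContainers`.` to the README.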
@@ -71,34 +55,34 @@ spec: image: {{ template "netbox.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: - - name: SUPERUSER_NAME - value: {{ .Values.superuser.name | quote }} - - name: SUPERUSER_EMAIL - value: {{ .Values.superuser.email | quote }} - - name: SKIP_STARTUP_SCRIPTS - value: {{ .Values.skipStartupScripts | quote }} - {{- if .Values.dbWaitDebug }} - - name: DB_WAIT_DEBUG - value: "1" - {{- end }} - {{- if .Values.overrideUnitConfig }} - - name: UNIT_CONFIG - value: /run/config/netbox/nginx-unit.json - {{- end }} - {{- with .Values.extraEnvs }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.allowedHostsIncludesPodIp }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - {{- end }} + - name: SUPERUSER_NAME + value: {{ .Values.superuser.name | quote }} + - name: SUPERUSER_EMAIL + value: {{ .Values.superuser.email | quote }} + - name: SKIP_STARTUP_SCRIPTS + value: {{ .Values.skipStartupScripts | quote }} + {{- if .Values.dbWaitDebug }} + - name: DB_WAIT_DEBUG + value: "1" + {{- end }} + {{- if .Values.overrideUnitConfig }} + - name: UNIT_CONFIG + value: /run/config/netbox/nginx-unit.json + {{- end }} + {{- if .Values.allowedHostsIncludesPodIp }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- end }} + {{- with .Values.extraEnvs }} + {{- toYaml . | nindent 8 }} + {{- end }} ports: - - name: http - containerPort: {{ .Values.containerPorts.http }} - protocol: TCP + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP {{- if .Values.readinessProbe.enabled }} readinessProbe: httpGet: 
@@ -106,16 +90,16 @@ spec: port: http {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} httpHeaders: - - name: Host - value: {{ (index .Values.allowedHosts 0) | quote }} + - name: Host + value: {{ (index .Values.allowedHosts 0) | quote }} {{- end }} initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} successThreshold: {{ .Values.readinessProbe.successThreshold }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} {{- end }} - {{- if .Values.worker.resources }} - resources: {{- toYaml .Values.worker.resources | nindent 12 }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} volumeMounts: - name: config @@ -169,8 +153,21 @@ spec: {{- end }} {{- end }} {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} - {{- if or .Values.initContainers $needsVolumePermissions }} initContainers: + - name: init-dirs + image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" + imagePullPolicy: {{ .Values.init.image.pullPolicy }} + command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] + {{- if .Values.init.resources }} + resources: + {{- toYaml .Values.init.resources | nindent 10 }} + {{- end }} + securityContext: + {{- toYaml .Values.init.securityContext | nindent 10 }} + volumeMounts: + - name: optunit + mountPath: /opt/unit + {{- if or .Values.initContainers $needsVolumePermissions }} {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} From c07f8bdfd02c343c6426e217cba8423dbbe022a6 Mon Sep 17 00:00:00 2001 
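Review bot: In the `@@ -169,8 +153,21 @@` hunk, `$needsVolumePermissions` is still computed and still part of the `{{- if or .Values.initContainers $needsVolumePermissions }}` guard, but the guarded body only renders `.Values.initContainers`; there is no volume-permissions init container on either side of the hunk, so with only `volumePermissions.enabled` set the guard passes and emits nothing. Either guard on `.Values.initContainers` alone and drop the variable, or add the container the flag promises. Making `initContainers:` unconditional is fine since `init-dirs` is always present, and the `.Values.worker.resources` → `.Values.resources` fix in the first hunk is correct.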
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:07:13 +0700 Subject: [PATCH 018/110] Add deployment sidecars --- charts/netbox/templates/deployment.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index b823c81c..a2db8d0e 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -47,7 +47,6 @@ spec: {{- if .Values.podSecurityContext.enabled }} securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} - containers: - name: {{ .Chart.Name }} securityContext: @@ -152,6 +151,9 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} initContainers: - name: init-dirs From 3ebfdb49b677ef920ec23a9f25a0fd92575b6609 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:19:19 +0700 Subject: [PATCH 019/110] Fix deployment indents --- charts/netbox/README.md | 3 +- charts/netbox/templates/deployment.yaml | 264 +++++++++++------------- charts/netbox/values.yaml | 8 - 3 files changed, 122 insertions(+), 153 deletions(-) diff --git a/charts/netbox/README.md b/charts/netbox/README.md index 70f71d1d..3242ea7c 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md 
@@ -93,7 +93,8 @@ $ helm delete netbox --namespace netbox
 The command removes all the Kubernetes components associated with the chart and deletes the release.
 ## Breaking Changes
-
+ * The `extraEnvs` setting has been renamed to `extraEnvVars`.
+ * The `securityContext` setting has been renamed to `podSecurityContext` and `containerSecurityContext`
 * The `worker.autoscaling.targetCPUUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetCPU`.
 * The `worker.autoscaling.targetMemoryUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetMemory`.
 * The `serviceMonitor` setting has been renamed to `metrics.serviceMonitor`.
diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml
index a2db8d0e..db78b3e0 100644
--- a/charts/netbox/templates/deployment.yaml
+++ b/charts/netbox/templates/deployment.yaml
@@ -48,9 +48,7 @@ spec:
 securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
 {{- end }}
 containers:
- - name: {{ .Chart.Name }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 10 }}
+ - name: netbox
 image: {{ template "netbox.image" . }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 env:
@@ -75,8 +73,8 @@ spec:
 apiVersion: v1
 fieldPath: status.podIP
 {{- end }}
- {{- with .Values.extraEnvs }}
- {{- toYaml . | nindent 8 }}
+ {{- if .Values.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
 {{- end }}
 ports:
 - name: http
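Review bot: The netbox container loses its `securityContext` entirely in the `@@ -48,9 +48,7 @@` hunk: the `toYaml .Values.securityContext` block is deleted and nothing in this commit renders `containerSecurityContext`, even though the values hunk `@@ -807,14 +807,6 @@` in the same commit removes the old block that carried `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and `drop: [ALL]` while leaving a `containerSecurityContext` with `drop: ["ALL"]` and a seccomp profile that is never consumed. The net effect is a container running with whatever the cluster default is, and the README line saying `securityContext` was renamed to `containerSecurityContext` is not true for the deployment. Mirror the pod-level pattern at the top of the hunk, right after `- name: netbox`: `{{- if .Values.containerSecurityContext.enabled }}` / `securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}` / `{{- end }}`, with the nindent matched to the container's re-indented body.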
@@ -101,56 +99,56 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - mountPath: /opt/netbox/netbox/reports - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - mountPath: /opt/netbox/netbox/scripts - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} - - name: optunit - mountPath: /opt/unit - - name: secrets - mountPath: /run/secrets/superuser_password - subPath: superuser_password - readOnly: true - - name: secrets - mountPath: /run/secrets/superuser_api_token - subPath: superuser_api_token - readOnly: true - {{- if .Values.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - {{- if .Values.metrics.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- end }} + - name: config + mountPath: /etc/netbox/config/configuration.py + subPath: configuration.py + readOnly: true + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" 
-}} + - name: config + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true + - name: secrets + mountPath: /run/secrets/netbox + readOnly: true + # {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} + - name: netbox-tmp + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + mountPath: /opt/netbox/netbox/reports + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} + - name: optunit + mountPath: /opt/unit + - name: secrets + mountPath: /run/secrets/superuser_password + subPath: superuser_password + readOnly: true + - name: secrets + mountPath: /run/secrets/superuser_api_token + subPath: superuser_api_token + readOnly: true + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} 
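Review bot: Prefixing `{{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}}` with `#` does not disable it: Helm evaluates the template before the YAML is parsed, `nindent` begins its output with a newline, and `{{-` trims only the space after the `#`, so unless the helper returns nothing the mounts are still emitted on the lines after a lone `#` comment. If dropping these mounts is intended, delete the line or wrap it in `{{- /* ... */ -}}`; if not, keep it as it was, since the matching `netbox.extraConfig.volumes` include in the volumes section still expects them. The same pattern in PATCH 020's `@@ -95,9 +95,9 @@` hunk is worse: `# resources: {{- toYaml .Values.resources | nindent 12 }}` still renders whatever `.Values.resources` holds at indent 12 under a comment line, which will either attach to the wrong key or fail to parse depending on the surrounding indentation.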
@@ -169,94 +167,72 @@ spec: volumeMounts: - name: optunit mountPath: /opt/unit - {{- if or .Values.initContainers $needsVolumePermissions }} - {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- end }} + {{- if or .Values.initContainers $needsVolumePermissions }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- end }} volumes: - - name: config - configMap: - name: {{ include "netbox.fullname" . }} - - name: secrets - projected: - sources: - - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} - items: - # Used by netbox-docker entry scripts - - key: superuser_password - path: superuser_password - - key: superuser_api_token - path: superuser_api_token - # Used by our configuration - - key: email_password - path: email_password - - key: secret_key - path: secret_key - {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} - - key: ldap_bind_password - path: ldap_bind_password - {{- end }} - - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} - items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} - path: db_password - - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} - items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} - path: redis_tasks_password - - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} - items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} - path: redis_cache_password - {{- include "netbox.extraConfig.volumes" . 
| nindent 6 -}} - - name: netbox-tmp - emptyDir: - medium: Memory - - name: optunit - emptyDir: - medium: Memory - - name: media - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} + - name: config + configMap: + name: {{ include "netbox.fullname" . }} + - name: secrets + projected: + sources: + - secret: + name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} + items: + # Used by netbox-docker entry scripts + - key: superuser_password + path: superuser_password + - key: superuser_api_token + path: superuser_api_token + # Used by our configuration + - key: email_password + path: email_password + - key: secret_key + path: secret_key + {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} + - key: ldap_bind_password + path: ldap_bind_password + {{- end }} + - secret: + name: {{ include "netbox.postgresql.secret" . | quote }} + items: + - key: {{ include "netbox.postgresql.secretKey" . | quote }} + path: db_password + - secret: + name: {{ include "netbox.tasksRedis.secret" . | quote }} + items: + - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + path: redis_tasks_password + - secret: + name: {{ include "netbox.cachingRedis.secret" . | quote }} + items: + - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + path: redis_cache_password + {{- include "netbox.extraConfig.volumes" . 
| nindent 6 -}} + - name: netbox-tmp + emptyDir: + medium: Memory + - name: optunit + emptyDir: + medium: Memory + - name: media + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + persistentVolumeClaim: + claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} {{- end }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - persistentVolumeClaim: - claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - persistentVolumeClaim: - claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - {{- end }} - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 6 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- with .Values.hostAliases }} - hostAliases: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 6 }} - {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- end }} + diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index dbde9c13..3a668d2d 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
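Review bot: The re-indented `volumes:` block drops the `extraVolumes`, `nodeSelector`, `affinity`, `tolerations`, `hostAliases` and `topologySpreadConstraints` blocks that closed the old pod spec, and nothing visible in this commit re-emits them (the new side ends with `{{- end }}` and a blank line), so those values are silently ignored after this change even though they are still documented in values.yaml. If a later commit restores them the message should say so; otherwise put them back under the new indentation, after the scripts volume and with the same `nindent` values the removed lines used.

```yaml
      {{- if .Values.scriptsPersistence.enabled }}
      # … unchanged: scripts persistentVolumeClaim …
      {{- end }}
      {{- with .Values.extraVolumes }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 6 }}
      {{- end }}
      {{- with .Values.hostAliases }}
      hostAliases:
        {{- toYaml . | nindent 6 }}
      {{- end }}
      {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 6 }}
      {{- end }}
```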
@@ -807,14 +807,6 @@ containerSecurityContext: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" -securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 ## Netbox resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param resources.limits The resources limits for the Netbox containers From 60489a77206a0df8d9ad344a72f294dbeff92f10 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:21:00 +0700 Subject: [PATCH 020/110] Disable resources --- charts/netbox/templates/deployment.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index db78b3e0..28f3006b 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -95,9 +95,9 @@ spec: successThreshold: {{ .Values.readinessProbe.successThreshold }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} {{- end }} - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} + # {{- if .Values.resources }} + # resources: {{- toYaml .Values.resources | nindent 12 }} + # {{- end }} volumeMounts: - name: config mountPath: /etc/netbox/config/configuration.py From 754da9555cef91653f4d6dfdfa1ffe2f037d7390 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:22:22 +0700 Subject: [PATCH 021/110] Disable probe --- charts/netbox/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 3a668d2d..5daabe69 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
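Review bot: Prefixing the three `resources` lines with `#` in the `@@ -95,9 +95,9 @@` hunk of deployment.yaml does not switch them off: Helm evaluates `{{- if .Values.resources }}` and `{{- toYaml .Values.resources | nindent 12 }}` before YAML ever sees the `#`, so whenever `resources` is non-empty the `nindent` output lands on fresh lines below the comment, at indent 12 and under no key, and the render either fails or emits stray keys into the container spec. To disable the block, delete the three lines (leaving `resources: {}` in values.yaml keeps the `if` false) or wrap them as a template comment, `{{- /* resources block disabled for debugging */ -}}`; note that a container with no limits is unbounded on the node, so this should not ship as the default. The same commented-out template actions recur in the template restored in patch 024 (`# {{- if .Values.resources }}` and `# {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}}`) and in the archive copy added in patch 023.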
@@ -839,7 +839,7 @@ livenessProbe: ## @param readinessProbe.successThreshold Success threshold for readinessProbe ## readinessProbe: - enabled: true + enabled: false initialDelaySeconds: 0 periodSeconds: 10 timeoutSeconds: 1 From 725da21d6d7bd373f713da520321f0dfa9044e5c Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:28:23 +0700 Subject: [PATCH 022/110] Add annotations and labels --- charts/netbox/templates/deployment.yaml | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 28f3006b..7fd6809b 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
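Review bot: Flipping `readinessProbe.enabled` to `false` as the shipped default in values.yaml means every fresh install marks its pods Ready the moment the container starts, so the Service forwards requests before the application is actually serving. If this is a local debugging toggle, as the commit title suggests, set it in a values override and keep `enabled: true` here. The `## @param readinessProbe.*` doc comments above still describe a probe that is on by default, so any README generated from them would go stale as well.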
@@ -2,19 +2,18 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "netbox.fullname" . }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: server app.kubernetes.io/part-of: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: -{{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} -{{- end }} + {{- if not .Values.autoscaling.enabled }} + replicas: {{ default 1 .Values.replicaCount }} + {{- end }} {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} 
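Review bot: `replicas: {{ default 1 .Values.replicaCount }}` cannot express zero replicas: Sprig's `default` treats `0` as empty, so `replicaCount: 0` (scale-to-zero during maintenance) silently renders as `1`. If the intent is only to guard against a missing key, keep `replicas: {{ .Values.replicaCount }}` with `replicaCount: 1` in values.yaml, or test presence explicitly with `{{ if hasKey .Values "replicaCount" }}`. Moving `commonAnnotations` through `common.tplvalues.render` also changes semantics slightly: the old `toYaml` copied annotation values verbatim, whereas the render helper appears to pass them through `tpl`, so a literal `{{` in an operator-supplied annotation is now expanded.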
@@ -31,14 +30,17 @@ spec: {{- if (not .Values.existingSecret) }} checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . | sha256sum }} {{- end }} - {{- with .Values.podAnnotations }} - {{- toYaml . | nindent 8 }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} {{- end }} labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} app.kubernetes.io/component: server app.kubernetes.io/part-of: netbox - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} {{- end }} spec: {{- include "netbox.imagePullSecrets" . | nindent 6 }} From 46c9116c2954867fc8f31899dada30b4b2dfe09f Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:33:03 +0700 Subject: [PATCH 023/110] Debug deployment --- charts/netbox/archive/deployment.yaml | 240 ++++++++++++++++++++++++ charts/netbox/templates/deployment.yaml | 176 ----------------- 2 files changed, 240 insertions(+), 176 deletions(-) create mode 100644 charts/netbox/archive/deployment.yaml diff --git a/charts/netbox/archive/deployment.yaml b/charts/netbox/archive/deployment.yaml new file mode 100644 index 00000000..7fd6809b --- /dev/null +++ b/charts/netbox/archive/deployment.yaml 
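Review bot: The new conditions `and .Values.metrics.enabled .Values.metrics.podAnnotations` and `and .Values.metrics.enabled .Values.metrics.podLabels` dereference `.Values.metrics` unconditionally; if values.yaml does not define a `metrics` map (none is visible in this series), Helm aborts the render with a nil-pointer error instead of skipping the block. Guard the map first, e.g. `{{- if and .Values.metrics .Values.metrics.enabled .Values.metrics.podAnnotations }}`, or add `metrics: { enabled: false }` to values.yaml in the same commit. Dropping the separate `podLabels` render is correct, since `$podLabels` already merges `.Values.podLabels` into the standard labels.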
@@ -0,0 +1,240 @@ +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ include "netbox.fullname" . }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ default 1 .Values.replicaCount }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox + {{ if .Values.updateStrategy -}} + strategy: + {{- toYaml .Values.updateStrategy | nindent 4 }} + {{ end -}} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} + {{- if (not .Values.existingSecret) }} + checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . 
| sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "netbox.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "netbox.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + containers: + - name: netbox + image: {{ template "netbox.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: SUPERUSER_NAME + value: {{ .Values.superuser.name | quote }} + - name: SUPERUSER_EMAIL + value: {{ .Values.superuser.email | quote }} + - name: SKIP_STARTUP_SCRIPTS + value: {{ .Values.skipStartupScripts | quote }} + {{- if .Values.dbWaitDebug }} + - name: DB_WAIT_DEBUG + value: "1" + {{- end }} + {{- if .Values.overrideUnitConfig }} + - name: UNIT_CONFIG + value: /run/config/netbox/nginx-unit.json + {{- end }} + {{- if .Values.allowedHostsIncludesPodIp }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /{{ .Values.basePath }}login/ + port: http + {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} + httpHeaders: + - name: Host + value: {{ (index .Values.allowedHosts 0) | quote }} + {{- end }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + {{- end }} + # {{- if .Values.resources }} + # resources: {{- toYaml .Values.resources | nindent 12 }} + # {{- end }} + volumeMounts: + - name: config + mountPath: /etc/netbox/config/configuration.py + subPath: configuration.py + readOnly: true + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} + - name: config + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true + - name: secrets + mountPath: /run/secrets/netbox + readOnly: true + # {{- 
include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} + - name: netbox-tmp + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + mountPath: /opt/netbox/netbox/reports + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} + - name: optunit + mountPath: /opt/unit + - name: secrets + mountPath: /run/secrets/superuser_password + subPath: superuser_password + readOnly: true + - name: secrets + mountPath: /run/secrets/superuser_api_token + subPath: superuser_api_token + readOnly: true + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} + initContainers: + - name: init-dirs + image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" + imagePullPolicy: {{ .Values.init.image.pullPolicy }} + command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] + {{- if .Values.init.resources }} + resources: + {{- toYaml .Values.init.resources | nindent 10 }} + {{- end }} + securityContext: + {{- toYaml .Values.init.securityContext | nindent 10 }} + 
volumeMounts: + - name: optunit + mountPath: /opt/unit + {{- if or .Values.initContainers $needsVolumePermissions }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "netbox.fullname" . }} + - name: secrets + projected: + sources: + - secret: + name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} + items: + # Used by netbox-docker entry scripts + - key: superuser_password + path: superuser_password + - key: superuser_api_token + path: superuser_api_token + # Used by our configuration + - key: email_password + path: email_password + - key: secret_key + path: secret_key + {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} + - key: ldap_bind_password + path: ldap_bind_password + {{- end }} + - secret: + name: {{ include "netbox.postgresql.secret" . | quote }} + items: + - key: {{ include "netbox.postgresql.secretKey" . | quote }} + path: db_password + - secret: + name: {{ include "netbox.tasksRedis.secret" . | quote }} + items: + - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + path: redis_tasks_password + - secret: + name: {{ include "netbox.cachingRedis.secret" . | quote }} + items: + - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + path: redis_cache_password + {{- include "netbox.extraConfig.volumes" . 
| nindent 6 -}} + - name: netbox-tmp + emptyDir: + medium: Memory + - name: optunit + emptyDir: + medium: Memory + - name: media + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + persistentVolumeClaim: + claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- end }} + diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 7fd6809b..47411e39 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
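Review bot: `charts/netbox/archive/deployment.yaml` sits outside `templates/`, so Helm never renders it, but `helm package` still bundles it into the chart archive unless `archive/` is listed in `.helmignore`; that ships a second, diverging copy of the Deployment (with its commented-out `resources` block) to every consumer. Add `archive/` to `.helmignore` or keep the scratch copy out of the chart directory; the same applies to `archive/deployment_simple.yaml` added in patch 024. If the file is meant as a reference snapshot, a one-line header such as `{{- /* Unrendered snapshot of templates/deployment.yaml kept for debugging; not part of the chart */ -}}` would stop someone from editing it by mistake.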
@@ -52,189 +52,13 @@ spec: containers: - name: netbox image: {{ template "netbox.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: SUPERUSER_NAME - value: {{ .Values.superuser.name | quote }} - - name: SUPERUSER_EMAIL - value: {{ .Values.superuser.email | quote }} - - name: SKIP_STARTUP_SCRIPTS - value: {{ .Values.skipStartupScripts | quote }} - {{- if .Values.dbWaitDebug }} - - name: DB_WAIT_DEBUG - value: "1" - {{- end }} - {{- if .Values.overrideUnitConfig }} - - name: UNIT_CONFIG - value: /run/config/netbox/nginx-unit.json - {{- end }} - {{- if .Values.allowedHostsIncludesPodIp }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - {{- end }} - {{- if .Values.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} - {{- end }} ports: - name: http containerPort: {{ .Values.containerPorts.http }} protocol: TCP - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: /{{ .Values.basePath }}login/ - port: http - {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} - httpHeaders: - - name: Host - value: {{ (index .Values.allowedHosts 0) | quote }} - {{- end }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - {{- end }} - # {{- if .Values.resources }} - # resources: {{- toYaml .Values.resources | nindent 12 }} - # {{- end }} volumeMounts: - name: config mountPath: /etc/netbox/config/configuration.py subPath: configuration.py readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - 
name: secrets - mountPath: /run/secrets/netbox - readOnly: true - # {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - mountPath: /opt/netbox/netbox/reports - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - mountPath: /opt/netbox/netbox/scripts - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} - - name: optunit - mountPath: /opt/unit - - name: secrets - mountPath: /run/secrets/superuser_password - subPath: superuser_password - readOnly: true - - name: secrets - mountPath: /run/secrets/superuser_api_token - subPath: superuser_api_token - readOnly: true - {{- if .Values.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - {{- if .Values.metrics.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} - {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} - initContainers: - - name: init-dirs - image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" - imagePullPolicy: {{ .Values.init.image.pullPolicy }} - command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] - {{- if .Values.init.resources }} - resources: - {{- toYaml .Values.init.resources | nindent 10 }} - {{- end }} - 
securityContext: - {{- toYaml .Values.init.securityContext | nindent 10 }} - volumeMounts: - - name: optunit - mountPath: /opt/unit - {{- if or .Values.initContainers $needsVolumePermissions }} - {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- end }} - volumes: - - name: config - configMap: - name: {{ include "netbox.fullname" . }} - - name: secrets - projected: - sources: - - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} - items: - # Used by netbox-docker entry scripts - - key: superuser_password - path: superuser_password - - key: superuser_api_token - path: superuser_api_token - # Used by our configuration - - key: email_password - path: email_password - - key: secret_key - path: secret_key - {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} - - key: ldap_bind_password - path: ldap_bind_password - {{- end }} - - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} - items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} - path: db_password - - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} - items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} - path: redis_tasks_password - - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} - items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} - path: redis_cache_password - {{- include "netbox.extraConfig.volumes" . 
| nindent 6 -}} - - name: netbox-tmp - emptyDir: - medium: Memory - - name: optunit - emptyDir: - medium: Memory - - name: media - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - persistentVolumeClaim: - claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - persistentVolumeClaim: - claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - {{- end }} From f06d5ef8e31c414fd24f56211f02bc8f9c1fe137 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:34:26 +0700 Subject: [PATCH 024/110] Restore deployment --- .../{deployment.yaml => deployment_full.yaml} | 0 charts/netbox/archive/deployment_simple.yaml | 64 +++++++ charts/netbox/templates/deployment.yaml | 177 +++++++++++++++++- 3 files changed, 240 insertions(+), 1 deletion(-) rename charts/netbox/archive/{deployment.yaml => deployment_full.yaml} (100%) create mode 100644 charts/netbox/archive/deployment_simple.yaml diff --git a/charts/netbox/archive/deployment.yaml b/charts/netbox/archive/deployment_full.yaml similarity index 100% rename from charts/netbox/archive/deployment.yaml rename to charts/netbox/archive/deployment_full.yaml diff --git a/charts/netbox/archive/deployment_simple.yaml b/charts/netbox/archive/deployment_simple.yaml new file mode 100644 index 00000000..11b59842 --- /dev/null +++ b/charts/netbox/archive/deployment_simple.yaml 
@@ -0,0 +1,64 @@ +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ include "netbox.fullname" . }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ default 1 .Values.replicaCount }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox + {{ if .Values.updateStrategy -}} + strategy: + {{- toYaml .Values.updateStrategy | nindent 4 }} + {{ end -}} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} + {{- if (not .Values.existingSecret) }} + checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . 
| sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "netbox.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "netbox.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + containers: + - name: netbox + image: {{ template "netbox.image" . }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + volumeMounts: + - name: config + mountPath: /etc/netbox/config/configuration.py + subPath: configuration.py + readOnly: true + diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 47411e39..bb46cd25 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -52,13 +52,188 @@ spec: containers: - name: netbox image: {{ template "netbox.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: SUPERUSER_NAME + value: {{ .Values.superuser.name | quote }} + - name: SUPERUSER_EMAIL + value: {{ .Values.superuser.email | quote }} + - name: SKIP_STARTUP_SCRIPTS + value: {{ .Values.skipStartupScripts | quote }} + {{- if .Values.dbWaitDebug }} + - name: DB_WAIT_DEBUG + value: "1" + {{- end }} + {{- if .Values.overrideUnitConfig }} + - name: UNIT_CONFIG + value: /run/config/netbox/nginx-unit.json + {{- end }} + {{- if .Values.allowedHostsIncludesPodIp }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} ports: - name: http containerPort: {{ .Values.containerPorts.http }} protocol: TCP + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /{{ .Values.basePath }}login/ + port: http + {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} + httpHeaders: + - name: Host + value: {{ (index .Values.allowedHosts 0) | quote }} + {{- end }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + {{- end }} + # {{- if .Values.resources }} + # resources: {{- toYaml .Values.resources | nindent 12 }} + # {{- end }} volumeMounts: - name: config mountPath: /etc/netbox/config/configuration.py subPath: configuration.py readOnly: true - + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} + - name: config + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true + 
- name: secrets + mountPath: /run/secrets/netbox + readOnly: true + # {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} + - name: netbox-tmp + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + mountPath: /opt/netbox/netbox/reports + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} + - name: optunit + mountPath: /opt/unit + - name: secrets + mountPath: /run/secrets/superuser_password + subPath: superuser_password + readOnly: true + - name: secrets + mountPath: /run/secrets/superuser_api_token + subPath: superuser_api_token + readOnly: true + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} + initContainers: + - name: init-dirs + image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" + imagePullPolicy: {{ .Values.init.image.pullPolicy }} + command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] + {{- if .Values.init.resources }} + resources: + {{- toYaml .Values.init.resources | nindent 10 }} + {{- end }} + 
securityContext: + {{- toYaml .Values.init.securityContext | nindent 10 }} + volumeMounts: + - name: optunit + mountPath: /opt/unit + {{- if or .Values.initContainers $needsVolumePermissions }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "netbox.fullname" . }} + - name: secrets + projected: + sources: + - secret: + name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} + items: + # Used by netbox-docker entry scripts + - key: superuser_password + path: superuser_password + - key: superuser_api_token + path: superuser_api_token + # Used by our configuration + - key: email_password + path: email_password + - key: secret_key + path: secret_key + {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} + - key: ldap_bind_password + path: ldap_bind_password + {{- end }} + - secret: + name: {{ include "netbox.postgresql.secret" . | quote }} + items: + - key: {{ include "netbox.postgresql.secretKey" . | quote }} + path: db_password + - secret: + name: {{ include "netbox.tasksRedis.secret" . | quote }} + items: + - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + path: redis_tasks_password + - secret: + name: {{ include "netbox.cachingRedis.secret" . | quote }} + items: + - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + path: redis_cache_password + {{- include "netbox.extraConfig.volumes" . 
| nindent 6 -}} + - name: netbox-tmp + emptyDir: + medium: Memory + - name: optunit + emptyDir: + medium: Memory + - name: media + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + persistentVolumeClaim: + claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- end }} \ No newline at end of file From 9c09e16678c1c7be5cd1496f45b210d813b905b9 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:37:58 +0700 Subject: [PATCH 025/110] Restore deployment partially --- charts/netbox/templates/deployment.yaml | 151 +------------- .../netbox/templates/worker/Deployment.yaml | 194 +++++++++--------- 2 files changed, 98 insertions(+), 247 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index bb46cd25..eb6375b1 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
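Review bot: `$needsVolumePermissions` is computed from `volumePermissions.enabled`, `persistence.enabled` and the two security-context flags, but its only use is `{{- if or .Values.initContainers $needsVolumePermissions }}` wrapping `{{- if .Values.initContainers }}`, so no volume-permissions init container is ever rendered and `volumePermissions.enabled: true` is silently ignored. Either add the permissions init container under `{{- if $needsVolumePermissions }}` or drop the variable and the outer `or`, keeping just `{{- if .Values.initContainers }}`. The restored template renders a `readinessProbe` only, while values.yaml carries a `livenessProbe` section (visible as hunk context in patch 021) that nothing consumes, which looks like the same kind of dead configuration. `automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}` renders empty if the key is ever absent, which Kubernetes treats as its default of mounting the token; `{{ .Values.automountServiceAccountToken | default false }}` would make the safer setting the fallback.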
@@ -82,158 +82,9 @@ spec: - name: http containerPort: {{ .Values.containerPorts.http }} protocol: TCP - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: /{{ .Values.basePath }}login/ - port: http - {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} - httpHeaders: - - name: Host - value: {{ (index .Values.allowedHosts 0) | quote }} - {{- end }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - {{- end }} - # {{- if .Values.resources }} - # resources: {{- toYaml .Values.resources | nindent 12 }} - # {{- end }} volumeMounts: - name: config mountPath: /etc/netbox/config/configuration.py subPath: configuration.py readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - # {{- include "netbox.extraConfig.volumeMounts" . 
| nindent 8 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - mountPath: /opt/netbox/netbox/reports - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - mountPath: /opt/netbox/netbox/scripts - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} - - name: optunit - mountPath: /opt/unit - - name: secrets - mountPath: /run/secrets/superuser_password - subPath: superuser_password - readOnly: true - - name: secrets - mountPath: /run/secrets/superuser_api_token - subPath: superuser_api_token - readOnly: true - {{- if .Values.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - {{- if .Values.metrics.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} - {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} - initContainers: - - name: init-dirs - image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" - imagePullPolicy: {{ .Values.init.image.pullPolicy }} - command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] - {{- if .Values.init.resources }} - resources: - {{- toYaml .Values.init.resources | nindent 10 }} - {{- end }} - securityContext: - {{- toYaml .Values.init.securityContext | nindent 10 }} - volumeMounts: - - name: optunit - mountPath: 
/opt/unit - {{- if or .Values.initContainers $needsVolumePermissions }} - {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- end }} - volumes: - - name: config - configMap: - name: {{ include "netbox.fullname" . }} - - name: secrets - projected: - sources: - - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} - items: - # Used by netbox-docker entry scripts - - key: superuser_password - path: superuser_password - - key: superuser_api_token - path: superuser_api_token - # Used by our configuration - - key: email_password - path: email_password - - key: secret_key - path: secret_key - {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} - - key: ldap_bind_password - path: ldap_bind_password - {{- end }} - - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} - items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} - path: db_password - - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} - items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} - path: redis_tasks_password - - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} - items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} - path: redis_cache_password - {{- include "netbox.extraConfig.volumes" . 
| nindent 6 -}} - - name: netbox-tmp - emptyDir: - medium: Memory - - name: optunit - emptyDir: - medium: Memory - - name: media - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - persistentVolumeClaim: - claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - persistentVolumeClaim: - claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - {{- end }} \ No newline at end of file + diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 3e25c1ab..1a78613b 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -66,7 +66,7 @@ spec: serviceAccountName: {{ template "netbox.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }} containers: - - name: {{ template "netbox.worker.fullname" . }} + - name: worker image: {{ template "netbox.worker.image" . }} imagePullPolicy: {{ .Values.worker.image.pullPolicy | quote }} {{- if .Values.worker.containerSecurityContext.enabled }} 
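Review bot: The new side of this hunk keeps the container's `volumeMounts:` entry for `config` (the unchanged `- name: config` / `mountPath: /etc/netbox/config/configuration.py` lines) but deletes the whole `volumes:` section, so the pod spec now mounts a volume that is never declared; the API server rejects a Deployment whose volumeMounts reference an undeclared volume, so this revision cannot be applied. If the manifest is being rebuilt step by step, keep at least `volumes:` / `- name: config` / `configMap: {name: {{ include "netbox.fullname" . }}}` in the same commit as the mount. The same mount/volume mismatch appears in the worker hunk of PATCH 036, where the `media`, `reports` and `scripts` volumes are commented out while the worker's volumeMounts for them are untouched. Note also that the hunk drops the readinessProbe, so the Service sends traffic to pods before the application answers, and that the only added line is a bare blank `+` at a file that then ends without a newline.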
@@ -90,46 +90,46 @@ spec: resources: {{- toYaml .Values.worker.resources | nindent 12 }} {{- end }} volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - mountPath: /opt/netbox/netbox/reports - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - mountPath: /opt/netbox/netbox/scripts - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} - {{- if .Values.worker.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.worker.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - {{- if .Values.metrics.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- end }} + - name: config + mountPath: /etc/netbox/config/configuration.py + subPath: configuration.py + readOnly: true + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} + - name: config + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true + - name: secrets + mountPath: 
/run/secrets/netbox + readOnly: true + {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} + - name: netbox-tmp + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + mountPath: /opt/netbox/netbox/reports + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.worker.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.worker.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.worker.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.worker.sidecars "context" $) | nindent 8 }} {{- end }} 
@@ -141,61 +141,61 @@ spec: {{- end }} {{- end }} volumes: - - name: config - configMap: - name: {{ include "netbox.fullname" . }} - - name: secrets - projected: - sources: - - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} - items: - # Used by our configuration - - key: email_password - path: email_password - - key: secret_key - path: secret_key - {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} - - key: ldap_bind_password - path: ldap_bind_password - {{- end }} - - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} - items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} - path: db_password - - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} - items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} - path: redis_tasks_password - - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} - items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} - path: redis_cache_password - {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} - - name: netbox-tmp - emptyDir: - medium: Memory - - name: media - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} + - name: config + configMap: + name: {{ include "netbox.fullname" . }} + - name: secrets + projected: + sources: + - secret: + name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} + items: + # Used by our configuration + - key: email_password + path: email_password + - key: secret_key + path: secret_key + {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} + - key: ldap_bind_password + path: ldap_bind_password + {{- end }} + - secret: + name: {{ include "netbox.postgresql.secret" . | quote }} + items: + - key: {{ include "netbox.postgresql.secretKey" . 
| quote }} + path: db_password + - secret: + name: {{ include "netbox.tasksRedis.secret" . | quote }} + items: + - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + path: redis_tasks_password + - secret: + name: {{ include "netbox.cachingRedis.secret" . | quote }} + items: + - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + path: redis_cache_password + {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} + - name: netbox-tmp + emptyDir: + medium: Memory + - name: media + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + persistentVolumeClaim: + claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- end }} + {{- with .Values.worker.extraVolumes }} + {{- toYaml . | nindent 6 }} {{- end }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - persistentVolumeClaim: - claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - persistentVolumeClaim: - claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - {{- end }} - {{- with .Values.worker.extraVolumes }} - {{- toYaml . | nindent 6 }} - {{- end }} {{- end }} From 31f3a511fdeddd74d118538ff5e309e51e208231 Mon Sep 17 00:00:00 2001 
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:41:00 +0700 Subject: [PATCH 026/110] Remove extraEnvVars --- charts/netbox/templates/deployment.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index eb6375b1..6279a03c 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -75,9 +75,6 @@ spec: apiVersion: v1 fieldPath: status.podIP {{- end }} - {{- if .Values.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} - {{- end }} ports: - name: http containerPort: {{ .Values.containerPorts.http }} From 28db18e6c02099b4a606aa64ce921361900a2112 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:42:09 +0700 Subject: [PATCH 027/110] Restore extraEnvVars --- charts/netbox/templates/deployment.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 6279a03c..eb6375b1 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -75,6 +75,9 @@ spec: apiVersion: v1 fieldPath: status.podIP {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} ports: - name: http containerPort: {{ .Values.containerPorts.http }} From fd0f6b5a11cebca9ce897bdc3c27fd9f62ee3aea Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:43:22 +0700 Subject: [PATCH 028/110] Restore readinessProbe --- charts/netbox/templates/deployment.yaml | 15 +++++++++++++++ charts/netbox/values.yaml | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) 
diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index eb6375b1..7c2195ea 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -82,6 +82,21 @@ spec: - name: http containerPort: {{ .Values.containerPorts.http }} protocol: TCP + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /{{ .Values.basePath }}login/ + port: http + {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} + httpHeaders: + - name: Host + value: {{ (index .Values.allowedHosts 0) | quote }} + {{- end }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + {{- end }} volumeMounts: - name: config mountPath: /etc/netbox/config/configuration.py diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 5daabe69..3a668d2d 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -839,7 +839,7 @@ livenessProbe: ## @param readinessProbe.successThreshold Success threshold for readinessProbe ## readinessProbe: - enabled: false + enabled: true initialDelaySeconds: 0 periodSeconds: 10 timeoutSeconds: 1 From 73f558b7192373d260e7bacd32db24c6e6d04430 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:45:54 +0700 Subject: [PATCH 029/110] Restore volumeMounts --- charts/netbox/templates/deployment.yaml | 39 ++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 7c2195ea..17e3bd40 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
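Review bot: In the restored readinessProbe, `index .Values.allowedHosts 0` is evaluated unconditionally inside the `{{- if (not (eq ...)) }}` guard, so rendering aborts with an index-out-of-range error whenever `allowedHosts` is an empty list; guard the list first, `{{- if and .Values.allowedHosts (not (eq (index .Values.allowedHosts 0) "*")) }}`. The probe wires `initialDelaySeconds`, `timeoutSeconds`, `successThreshold` and `periodSeconds` but not `failureThreshold`; if values.yaml declares one, add `failureThreshold: {{ .Values.readinessProbe.failureThreshold }}` so the documented values are all honoured. The values.yaml hunk in the same commit flips `readinessProbe.enabled` to `true`, which makes the unguarded `index` reachable with default settings, so the guard is worth fixing in the same change.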
@@ -102,4 +102,41 @@ spec: mountPath: /etc/netbox/config/configuration.py subPath: configuration.py readOnly: true - + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} + - name: config + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true + - name: secrets + mountPath: /run/secrets/netbox + readOnly: true + # {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} + - name: netbox-tmp + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + mountPath: /opt/netbox/netbox/reports + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} + - name: optunit + mountPath: /opt/unit + - name: secrets + mountPath: /run/secrets/superuser_password + subPath: superuser_password + readOnly: true + - name: secrets + mountPath: /run/secrets/superuser_api_token + subPath: superuser_api_token + readOnly: true From 9bf4137fec757aa6555a31cdf5e14d5a35e74ffe Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:50:10 +0700 Subject: [PATCH 030/110] Restore volume partially --- charts/netbox/archive/deployment_full.yaml | 12 ++++--- charts/netbox/templates/deployment.yaml | 42 +++------------------- 2 files changed, 12 insertions(+), 42 deletions(-) diff --git a/charts/netbox/archive/deployment_full.yaml b/charts/netbox/archive/deployment_full.yaml index 7fd6809b..7bc2bdae 100644 --- a/charts/netbox/archive/deployment_full.yaml +++ b/charts/netbox/archive/deployment_full.yaml 
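Review bot: The line `# {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}}` does not disable the include: a YAML `#` is plain text to Helm, the action still executes, and because `nindent 8` begins its output with a newline the rendered mounts land on live lines after the lone `#`, so the comment only hides the intent from the reader. To really disable it use a template comment, `{{- /* include "netbox.extraConfig.volumeMounts" . | nindent 8 */ -}}`, or delete the line. The same `#`-in-front-of-an-action pattern recurs on the `netbox.extraConfig.volumes` line in PATCH 033 and in the block-commented volumes of PATCH 034 and 036, where the `{{- if }}` / `{{- end }}` actions are likewise still evaluated. As far as this series shows, the mounts added here (`secrets`, `netbox-tmp`, `media`, `optunit`, `reports`, `scripts`) have no matching `volumes:` entries in this file at this revision, so the Deployment is rejected until those are reinstated.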
@@ -227,14 +227,18 @@ spec: {{- else }} emptyDir: {} {{- end }} - {{- if .Values.reportsPersistence.enabled }} - name: reports + {{- if .Values.reportsPersistence.enabled }} persistentVolumeClaim: claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} + {{- else }} + emptyDir: {} + {{- end }} - name: scripts + {{- if .Values.scriptsPersistence.enabled }} persistentVolumeClaim: claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - {{- end }} + {{- else }} + emptyDir: {} + {{- end }} diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 17e3bd40..458e97eb 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -102,41 +102,7 @@ spec: mountPath: /etc/netbox/config/configuration.py subPath: configuration.py readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - # {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - mountPath: /opt/netbox/netbox/reports - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - mountPath: /opt/netbox/netbox/scripts - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} - - name: optunit - mountPath: /opt/unit - - name: secrets - mountPath: /run/secrets/superuser_password - subPath: superuser_password - readOnly: true - - name: secrets - mountPath: /run/secrets/superuser_api_token - subPath: superuser_api_token - readOnly: true + volumes: + - name: config + configMap: + name: {{ include "netbox.fullname" . }} From de52276d9f54f395d3c355664bd38cf04d707224 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:52:00 +0700 Subject: [PATCH 031/110] Add secrets volume --- charts/netbox/templates/deployment.yaml | 35 +++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 458e97eb..8e3c5e3d 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -106,3 +106,38 @@ spec: - name: config configMap: name: {{ include "netbox.fullname" . }} + - name: secrets + projected: + sources: + - secret: + name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} + items: + # Used by netbox-docker entry scripts + - key: superuser_password + path: superuser_password + - key: superuser_api_token + path: superuser_api_token + # Used by our configuration + - key: email_password + path: email_password + - key: secret_key + path: secret_key + {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} + - key: ldap_bind_password + path: ldap_bind_password + {{- end }} + - secret: + name: {{ include "netbox.postgresql.secret" . | quote }} + items: + - key: {{ include "netbox.postgresql.secretKey" . | quote }} + path: db_password + - secret: + name: {{ include "netbox.tasksRedis.secret" . | quote }} + items: + - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + path: redis_tasks_password + - secret: + name: {{ include "netbox.cachingRedis.secret" . | quote }} + items: + - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + path: redis_cache_password From 6b8a84e851f54cd62706fc59c0c2735a78a01fc3 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:53:42 +0700 Subject: [PATCH 032/110] Add more volumes --- charts/netbox/templates/deployment.yaml | 28 +++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 8e3c5e3d..2a8a4919 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
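Review bot: Every projected source here lists explicit `items:`, which makes each listed key mandatory; when `existingSecret` points at a user-managed secret that lacks, say, `email_password` or `superuser_api_token`, the pod stays in ContainerCreating with a key-not-found mount error rather than starting with that value unset. Either document the full set of required keys next to `existingSecret` in values.yaml, or add `optional: true` to the sources whose keys are genuinely optional (the LDAP key is already gated by the `remoteAuth.backend` check, which is the right shape). Since the secret files are read only by the application process, consider `defaultMode: 0400` on the `projected:` volume so other processes in the pod cannot read them, assuming the container's runtime user is the file owner. As far as the series shows, no container mounts the `secrets` volume at this revision, so the definition is inert until the mount returns.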
@@ -141,3 +141,31 @@ spec: items: - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} path: redis_cache_password + {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} + - name: netbox-tmp + emptyDir: + medium: Memory + - name: optunit + emptyDir: + medium: Memory + - name: media + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + - name: reports + {{- if .Values.reportsPersistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + - name: scripts + {{- if .Values.scriptsPersistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} \ No newline at end of file From e16add74bd1eb2a3a0c31341893153da829b5fba Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:54:57 +0700 Subject: [PATCH 033/110] Fix volumes --- charts/netbox/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 2a8a4919..4df1ea5d 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -141,7 +141,7 @@ spec: items: - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} path: redis_cache_password - {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} + # {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} - name: netbox-tmp emptyDir: medium: Memory From c7bc58f72012a5ae32b9f297212623b5c9fe7331 Mon Sep 17 00:00:00 2001 
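Review bot: The right-trim on `{{- include "netbox.extraConfig.volumes" . | nindent 6 -}}` removes the newline and indentation before `- name: netbox-tmp`, so correct layout depends on the helper's output ending in a newline; if the helper ever returns content without one (I cannot see it from here), the next list item is appended to its last line. Dropping the right trim, `{{- include "netbox.extraConfig.volumes" . | nindent 6 }}`, keeps the following entry on its own line in every case. Separately, `reports` and `scripts` now fall back to `emptyDir: {}` when persistence is off: anything uploaded there, including custom scripts NetBox executes, disappears on pod restart and is not shared between replicas, which deserves a comment next to the `reportsPersistence` / `scriptsPersistence` values. The file also still ends without a trailing newline.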
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:57:22 +0700 Subject: [PATCH 034/110] Remove volumes --- charts/netbox/templates/deployment.yaml | 54 ++++++++++++------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 4df1ea5d..4ccc1fef 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -142,30 +142,30 @@ spec: - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} path: redis_cache_password # {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} - - name: netbox-tmp - emptyDir: - medium: Memory - - name: optunit - emptyDir: - medium: Memory - - name: media - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: reports - {{- if .Values.reportsPersistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: scripts - {{- if .Values.scriptsPersistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} \ No newline at end of file + # - name: netbox-tmp + # emptyDir: + # medium: Memory + # - name: optunit + # emptyDir: + # medium: Memory + # - name: media + # {{- if .Values.persistence.enabled }} + # persistentVolumeClaim: + # claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + # {{- else }} + # emptyDir: {} + # {{- end }} + # - name: reports + # {{- if .Values.reportsPersistence.enabled }} + # persistentVolumeClaim: + # claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + # {{- else }} + # emptyDir: {} + # {{- end }} + # - name: scripts + # {{- if .Values.scriptsPersistence.enabled }} + # persistentVolumeClaim: + # claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + # {{- else }} + # emptyDir: {} + # {{- end }} \ No newline at end of file 
From 9d6ac9b83f05688892c102113612e92eddfd7e2f Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:59:22 +0700 Subject: [PATCH 035/110] Restore volumes --- charts/netbox/templates/deployment.yaml | 26 ++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 4ccc1fef..1ed4ed5e 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -142,19 +142,19 @@ spec: - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} path: redis_cache_password # {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} - # - name: netbox-tmp - # emptyDir: - # medium: Memory - # - name: optunit - # emptyDir: - # medium: Memory - # - name: media - # {{- if .Values.persistence.enabled }} - # persistentVolumeClaim: - # claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - # {{- else }} - # emptyDir: {} - # {{- end }} + - name: netbox-tmp + emptyDir: + medium: Memory + - name: optunit + emptyDir: + medium: Memory + - name: media + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} # - name: reports # {{- if .Values.reportsPersistence.enabled }} # persistentVolumeClaim: From 1e3739865067d0bba1000af3df32ef2e0ffc35c6 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:02:00 +0700 Subject: [PATCH 036/110] Remove media volume --- charts/netbox/templates/deployment.yaml | 14 ++++---- .../netbox/templates/worker/Deployment.yaml | 34 +++++++++---------- 2 files changed, 24 insertions(+), 24 deletions(-) 
diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 1ed4ed5e..7a0d930f 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -148,13 +148,13 @@ spec: - name: optunit emptyDir: medium: Memory - - name: media - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} + # - name: media + # {{- if .Values.persistence.enabled }} + # persistentVolumeClaim: + # claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + # {{- else }} + # emptyDir: {} + # {{- end }} # - name: reports # {{- if .Values.reportsPersistence.enabled }} # persistentVolumeClaim: diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 1a78613b..89e98273 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml 
@@ -178,23 +178,23 @@ spec: - name: netbox-tmp emptyDir: medium: Memory - - name: media - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - persistentVolumeClaim: - claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - persistentVolumeClaim: - claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - {{- end }} + # - name: media + # {{- if .Values.persistence.enabled }} + # persistentVolumeClaim: + # claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + # {{- else }} + # emptyDir: {} + # {{- end }} + # {{- if .Values.reportsPersistence.enabled }} + # - name: reports + # persistentVolumeClaim: + # claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + # {{- end }} + # {{- if .Values.scriptsPersistence.enabled }} + # - name: scripts + # persistentVolumeClaim: + # claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + # {{- end }} {{- with .Values.worker.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} From 5505b1cf31f6529784f345387cd79eedd1d66523 Mon Sep 17 00:00:00 2001 
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com>
Date: Tue, 30 Jan 2024 19:07:36 +0700
Subject: [PATCH 037/110] Restore deployment to original

---
 charts/netbox/archive/deployment_simple.yaml | 109 +++++-
 charts/netbox/templates/deployment.yaml | 348 +++++++++++-------
 .../netbox/templates/worker/Deployment.yaml | 2 +-
 3 files changed, 320 insertions(+), 139 deletions(-)

diff --git a/charts/netbox/archive/deployment_simple.yaml b/charts/netbox/archive/deployment_simple.yaml
index 11b59842..5ad1b9cd 100644
--- a/charts/netbox/archive/deployment_simple.yaml
+++ b/charts/netbox/archive/deployment_simple.yaml
@@ -52,13 +52,120 @@ spec: containers: - name: netbox image: {{ template "netbox.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: SUPERUSER_NAME + value: {{ .Values.superuser.name | quote }} + - name: SUPERUSER_EMAIL + value: {{ .Values.superuser.email | quote }} + - name: SKIP_STARTUP_SCRIPTS + value: {{ .Values.skipStartupScripts | quote }} + {{- if .Values.dbWaitDebug }} + - name: DB_WAIT_DEBUG + value: "1" + {{- end }} + {{- if .Values.overrideUnitConfig }} + - name: UNIT_CONFIG + value: /run/config/netbox/nginx-unit.json + {{- end }} + {{- if .Values.allowedHostsIncludesPodIp }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} ports: - name: http containerPort: {{ .Values.containerPorts.http }} protocol: TCP + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /{{ .Values.basePath }}login/ + port: http + {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} + httpHeaders: + - name: Host + value: {{ (index .Values.allowedHosts 0) | quote }} + {{- end }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + {{- end }} volumeMounts: - name: config mountPath: /etc/netbox/config/configuration.py subPath: configuration.py readOnly: true - + volumes: + - name: config + configMap: + name: {{ include "netbox.fullname" . }} + - name: secrets + projected: + sources: + - secret: + name: {{ .Values.existingSecret | default (include "netbox.fullname" .) 
| quote }} + items: + # Used by netbox-docker entry scripts + - key: superuser_password + path: superuser_password + - key: superuser_api_token + path: superuser_api_token + # Used by our configuration + - key: email_password + path: email_password + - key: secret_key + path: secret_key + {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} + - key: ldap_bind_password + path: ldap_bind_password + {{- end }} + - secret: + name: {{ include "netbox.postgresql.secret" . | quote }} + items: + - key: {{ include "netbox.postgresql.secretKey" . | quote }} + path: db_password + - secret: + name: {{ include "netbox.tasksRedis.secret" . | quote }} + items: + - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + path: redis_tasks_password + - secret: + name: {{ include "netbox.cachingRedis.secret" . | quote }} + items: + - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + path: redis_cache_password + # {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} + # - name: netbox-tmp + # emptyDir: + # medium: Memory + # - name: optunit + # emptyDir: + # medium: Memory + # - name: media + # {{- if .Values.persistence.enabled }} + # persistentVolumeClaim: + # claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + # {{- else }} + # emptyDir: {} + # {{- end }} + # - name: reports + # {{- if .Values.reportsPersistence.enabled }} + # persistentVolumeClaim: + # claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + # {{- else }} + # emptyDir: {} + # {{- end }} + # - name: scripts + # {{- if .Values.scriptsPersistence.enabled }} + # persistentVolumeClaim: + # claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + # {{- else }} + # emptyDir: {} + # {{- end }} \ No newline at end of file 
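Review bot: `charts/netbox/archive/deployment_simple.yaml` lives inside the chart root, so `helm package` ships it in the chart archive although nothing under `archive/` is rendered; unless `.helmignore` excludes the directory (not visible here), this near-copy of the live template travels with every release and will drift from it. Either add `archive/` to `.helmignore` or keep the file outside `charts/netbox/`. If it stays, the `#`-prefixed `{{- include "netbox.extraConfig.volumes" . | nindent 6 -}}` line added at the end is worth a second look: Helm evaluates template actions inside YAML comments, so this pattern only looks disabled.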
diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 7a0d930f..aeab6422 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -1,4 +1,4 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "netbox.fullname" . }} @@ -11,14 +11,13 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ default 1 .Values.replicaCount }} - {{- end }} - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} +{{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} +{{- end }} selector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: server - app.kubernetes.io/part-of: netbox + matchLabels: + {{- include "netbox.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: netbox {{ if .Values.updateStrategy -}} strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} 
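Review bot: `spec.selector.matchLabels` is immutable on an existing Deployment, and this hunk swaps the selector from `common.labels.matchLabels` plus `app.kubernetes.io/component: server` to `netbox.selectorLabels` plus `app.kubernetes.io/component: netbox`; on an existing release `helm upgrade` will fail with a "field is immutable" error unless the old Deployment is deleted first. If the selector change is intended it needs a breaking-change note and a migration step. Separately, `replicas: {{ .Values.replicaCount }}` drops the previous `default 1`, so an unset `replicaCount` renders an empty `replicas:` (null); keep `replicas: {{ default 1 .Values.replicaCount }}`.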
@@ -26,146 +25,221 @@ spec: template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} {{- if (not .Values.existingSecret) }} - checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . | sha256sum }} - {{- end }} - {{- if .Values.podAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} {{- end }} - labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} - app.kubernetes.io/component: server - app.kubernetes.io/part-of: netbox - {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} + labels: + {{- include "netbox.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: netbox + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- include "netbox.imagePullSecrets" . | nindent 6 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 6 }} + {{- end }} serviceAccountName: {{ include "netbox.serviceAccountName" . 
}} automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + initContainers: + - name: init-dirs + image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" + imagePullPolicy: {{ .Values.init.image.pullPolicy }} + command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] + {{- if .Values.init.resources }} + resources: + {{- toYaml .Values.init.resources | nindent 10 }} + {{- end }} + securityContext: + {{- toYaml .Values.init.securityContext | nindent 10 }} + volumeMounts: + - name: optunit + mountPath: /opt/unit + {{- with .Values.extraInitContainers }} + {{- toYaml . | nindent 6 }} {{- end }} containers: - - name: netbox - image: {{ template "netbox.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: SUPERUSER_NAME - value: {{ .Values.superuser.name | quote }} - - name: SUPERUSER_EMAIL - value: {{ .Values.superuser.email | quote }} - - name: SKIP_STARTUP_SCRIPTS - value: {{ .Values.skipStartupScripts | quote }} - {{- if .Values.dbWaitDebug }} - - name: DB_WAIT_DEBUG - value: "1" - {{- end }} - {{- if .Values.overrideUnitConfig }} - - name: UNIT_CONFIG - value: /run/config/netbox/nginx-unit.json - {{- end }} - {{- if .Values.allowedHostsIncludesPodIp }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - {{- end }} - {{- if .Values.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: SUPERUSER_NAME + value: {{ .Values.superuser.name | 
quote }} + - name: SUPERUSER_EMAIL + value: {{ .Values.superuser.email | quote }} + - name: SKIP_STARTUP_SCRIPTS + value: {{ .Values.skipStartupScripts | quote }} + {{- if .Values.dbWaitDebug }} + - name: DB_WAIT_DEBUG + value: "1" + {{- end }} + {{- if .Values.overrideUnitConfig }} + - name: UNIT_CONFIG + value: /run/config/netbox/nginx-unit.json + {{- end }} + {{- with .Values.extraEnvs }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.allowedHostsIncludesPodIp }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- end }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /{{ .Values.basePath }}login/ + port: http + {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} + httpHeaders: + - name: Host + value: {{ (index .Values.allowedHosts 0) | quote }} {{- end }} - ports: - - name: http - containerPort: {{ .Values.containerPorts.http }} - protocol: TCP - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: /{{ .Values.basePath }}login/ - port: http - {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} - httpHeaders: - - name: Host - value: {{ (index .Values.allowedHosts 0) | quote }} - {{- end }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - {{- end }} - volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - volumes: + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + {{- end }} + volumeMounts: + - name: 
config + mountPath: /etc/netbox/config/configuration.py + subPath: configuration.py + readOnly: true + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - name: config - configMap: - name: {{ include "netbox.fullname" . }} + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true - name: secrets - projected: - sources: - - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} - items: - # Used by netbox-docker entry scripts - - key: superuser_password - path: superuser_password - - key: superuser_api_token - path: superuser_api_token - # Used by our configuration - - key: email_password - path: email_password - - key: secret_key - path: secret_key - {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} - - key: ldap_bind_password - path: ldap_bind_password - {{- end }} - - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} - items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} - path: db_password - - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} - items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} - path: redis_tasks_password - - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} - items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} - path: redis_cache_password - # {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} + mountPath: /run/secrets/netbox + readOnly: true + {{- include "netbox.extraConfig.volumeMounts" . 
| nindent 8 -}} - name: netbox-tmp - emptyDir: - medium: Memory + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + mountPath: /opt/netbox/netbox/reports + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- end }} - name: optunit - emptyDir: - medium: Memory - # - name: media - # {{- if .Values.persistence.enabled }} - # persistentVolumeClaim: - # claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - # {{- else }} - # emptyDir: {} - # {{- end }} - # - name: reports - # {{- if .Values.reportsPersistence.enabled }} - # persistentVolumeClaim: - # claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - # {{- else }} - # emptyDir: {} - # {{- end }} - # - name: scripts - # {{- if .Values.scriptsPersistence.enabled }} - # persistentVolumeClaim: - # claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - # {{- else }} - # emptyDir: {} - # {{- end }} \ No newline at end of file + mountPath: /opt/unit + - name: secrets + mountPath: /run/secrets/superuser_password + subPath: superuser_password + readOnly: true + - name: secrets + mountPath: /run/secrets/superuser_api_token + subPath: superuser_api_token + readOnly: true + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.resources }} + resources: + {{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- with .Values.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "netbox.fullname" . }} + - name: secrets + projected: + sources: + - secret: + name: {{ .Values.existingSecret | default (include "netbox.fullname" .) 
| quote }} + items: + # Used by netbox-docker entry scripts + - key: superuser_password + path: superuser_password + - key: superuser_api_token + path: superuser_api_token + # Used by our configuration + - key: email_password + path: email_password + - key: secret_key + path: secret_key + {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} + - key: ldap_bind_password + path: ldap_bind_password + {{- end }} + - secret: + name: {{ include "netbox.postgresql.secret" . | quote }} + items: + - key: {{ include "netbox.postgresql.secretKey" . | quote }} + path: db_password + - secret: + name: {{ include "netbox.tasksRedis.secret" . | quote }} + items: + - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + path: redis_tasks_password + - secret: + name: {{ include "netbox.cachingRedis.secret" . | quote }} + items: + - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + path: redis_cache_password + {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} + - name: netbox-tmp + emptyDir: + medium: Memory + - name: optunit + emptyDir: + medium: Memory + - name: media + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + persistentVolumeClaim: + claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.hostAliases }} + hostAliases: + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 6 }} + {{- end }} \ No newline at end of file diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 89e98273..18391407 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -174,7 +174,7 @@ spec: items: - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} path: redis_cache_password - {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} + # {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} - name: netbox-tmp emptyDir: medium: Memory From 99c2b30d64242f2f429e42d188064b2ca8461980 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:09:13 +0700 Subject: [PATCH 038/110] Fix deployment checksum --- charts/netbox/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index aeab6422..d20331f8 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -25,9 +25,9 @@ spec: template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} {{- if (not .Values.existingSecret) }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . | sha256sum }} {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} From d8509d2e94573fc6ed00334ba7f22370d0921db8 Mon Sep 17 00:00:00 2001 
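Review bot: The container-level `securityContext: {{- toYaml .Values.securityContext | nindent 10 }}` reads `.Values.securityContext` while the pod level reads `.Values.podSecurityContext`; the README hunk in PATCH 041 on this page lists `securityContext` as renamed to `podSecurityContext`/`containerSecurityContext`, so if the old key is absent `toYaml` of nil renders `securityContext: null` and the container silently loses every hardening field the values were meant to set. It should read the container key with the same guard the removed pod-level lines had: `{{- if .Values.containerSecurityContext.enabled }}` / `securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}` / `{{- end }}`. The pod level has the mirror problem: the unconditional `{{- toYaml .Values.podSecurityContext | nindent 8 }}` replaces an `omit ... "enabled"` form, so an `enabled:` key in values is now emitted into PodSecurityContext, which is not a field of that object and is rejected or dropped depending on validation settings. The hunk also hard-codes `containerPort: 8080` where `{{ .Values.containerPorts.http }}` was used and reintroduces `{{- with .Values.extraEnvs }}`, both diverging from the values schema the removed lines referenced.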
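Review bot: Prefixing `{{- include "netbox.extraConfig.volumes" . | nindent 6 -}}` with `#` does not disable it: Helm evaluates the action before the YAML is parsed, and `nindent 6` emits a leading newline, so only that empty first line is commented while every line the helper returns is rendered uncommented at indent 6 (unless the helper returns nothing for the current values). Either delete the line or use a template comment, `{{- /* include "netbox.extraConfig.volumes" . | nindent 6 */ -}}`, which Helm drops entirely. The same `#`-prefixed include is added to `archive/deployment_simple.yaml` earlier in this patch.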
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:12:07 +0700 Subject: [PATCH 039/110] Add deployment annotations --- .vscode/settings.json | 5 +++++ charts/netbox/templates/deployment.yaml | 20 ++++++++++++-------- 2 files changed, 17 insertions(+), 8 deletions(-) create mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 00000000..0416b476 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,5 @@ +{ + "yaml.schemas": { + "https://json.schemastore.org/helmfile.json": "vscode-vfs://github%2B7b2276223a312c22726566223a7b2274797065223a342c226964223a226e6574626f78227d7d/startechnica/apps/charts/netbox/archive/deployment_full.yaml" + } +} \ No newline at end of file diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index d20331f8..5f8e7436 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -11,13 +11,14 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: -{{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} -{{- end }} + {{- if not .Values.autoscaling.enabled }} + replicas: {{ default 1 .Values.replicaCount }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} selector: - matchLabels: - {{- include "netbox.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: netbox + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox {{ if .Values.updateStrategy -}} strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} 
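Review bot: The restored `$podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels $versionLabel ) ... )` references `$versionLabel`, which is not set anywhere in this hunk; if it is not assigned above line 11 (outside the hunk), rendering fails with an undefined-variable error, so confirm the assignment exists or define it just above this line. Note that this also reverts the selector introduced in PATCH 037; since `spec.selector` is immutable, anyone who deployed the intermediate revision will have to recreate the Deployment.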
@@ -29,8 +30,11 @@ spec: {{- if (not .Values.existingSecret) }} checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . | sha256sum }} {{- end }} - {{- with .Values.podAnnotations }} - {{- toYaml . | nindent 8 }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} {{- end }} labels: {{- include "netbox.selectorLabels" . | nindent 8 }} From aade36ec0d8730244985228f62f6e060093104a9 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:13:32 +0700 Subject: [PATCH 040/110] Add labels --- charts/netbox/templates/deployment.yaml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 5f8e7436..5f66f3c1 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
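Review bot: `{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}` dereferences `.Values.metrics`; if `values.yaml` does not define a `metrics` key at all (not visible here), Helm aborts the render with a nil-pointer error on `.enabled` rather than treating it as false. Make sure `values.yaml` declares the key (at minimum `metrics: {enabled: false}`), or guard the access with `{{- if and .Values.metrics .Values.metrics.enabled .Values.metrics.podAnnotations }}`.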
@@ -36,17 +36,14 @@ spec: {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} {{- end }} - labels: - {{- include "netbox.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: netbox - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: server + app.kubernetes.io/part-of: netbox + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 6 }} - {{- end }} + {{- include "netbox.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "netbox.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} securityContext: From dc03fecd86f4bf2f4baa33e01f8198d269463899 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:16:33 +0700 Subject: [PATCH 041/110] Add init-container --- charts/netbox/README.md | 1 + charts/netbox/templates/deployment.yaml | 35 +++++++++++++------------ 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/charts/netbox/README.md b/charts/netbox/README.md index 3242ea7c..cc1293ef 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md 
@@ -94,6 +94,7 @@ The command removes all the Kubernetes components associated with the chart and ## Breaking Changes * The `extraEnvs` setting has been renamed to `extraEnvVars`. + * The `extraInitContainers` setting has been renamed to `initContainers`. * The `securityContext` setting has been renamed to `podSecurityContext` and `containerSecurityContext` * The `worker.autoscaling.targetCPUUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetCPU`. * The `worker.autoscaling.targetMemoryUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetMemory`. diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 5f66f3c1..4956ff65 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -46,25 +46,26 @@ spec: {{- include "netbox.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "netbox.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} initContainers: - - name: init-dirs - image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" - imagePullPolicy: {{ .Values.init.image.pullPolicy }} - command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] - {{- if .Values.init.resources }} - resources: - {{- toYaml .Values.init.resources | nindent 10 }} + - name: init-dirs + image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" + imagePullPolicy: {{ .Values.init.image.pullPolicy }} + command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] + {{- if .Values.init.resources }} + resources: + {{- toYaml .Values.init.resources | nindent 10 }} + {{- end }} + securityContext: + {{- toYaml .Values.init.securityContext | nindent 10 }} + volumeMounts: + - name: optunit + mountPath: /opt/unit + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} - securityContext: - {{- toYaml .Values.init.securityContext | nindent 10 }} - volumeMounts: - - name: optunit - mountPath: /opt/unit - {{- with .Values.extraInitContainers }} - {{- toYaml . | nindent 6 }} - {{- end }} containers: - name: {{ .Chart.Name }} securityContext: From 3b49d728c858866266fba90e062fab24f7d5900d Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:19:53 +0700 Subject: [PATCH 042/110] Fix deloyment --- charts/netbox/templates/deployment.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
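Review bot: `command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp]` relies on plain scalars inside a flow sequence; it parses today, but `-c` and the space-containing `mkdir ...` element are exactly the forms that break when someone edits them (a leading `-`, or an added `:` or `#`, becomes YAML syntax). Quote each element: `command: ["/bin/sh", "-c", "mkdir -p /opt/unit/state /opt/unit/tmp"]`.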
diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 4956ff65..702b5fbe 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -49,6 +49,7 @@ spec: {{- if .Values.podSecurityContext.enabled }} securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} initContainers: - name: init-dirs image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" @@ -63,11 +64,14 @@ spec: volumeMounts: - name: optunit mountPath: /opt/unit + {{- if or .Values.initContainers $needsVolumePermissions }} {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} + {{- end }} containers: - - name: {{ .Chart.Name }} + - name: netbox + image: {{ template "netbox.image" . }} securityContext: {{- toYaml .Values.securityContext | nindent 10 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" From 1ad0c6db22ba4613b963981290882799bc37f23a Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:23:12 +0700 Subject: [PATCH 043/110] Add extraEnvVars --- charts/netbox/templates/deployment.yaml | 57 +++++++++++++------------ 1 file changed, 30 insertions(+), 27 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 702b5fbe..dbbf15b4 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
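Review bot: The container mapping now has two `image:` keys: the added `image: {{ template "netbox.image" . }}` and the pre-existing `image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"` three lines below it. Duplicate keys are invalid YAML; the YAML-to-JSON conversion used by Helm and kubectl typically rejects them (`key "image" already set in map`), and loaders that do accept them keep the last value, so the helper would not even win. Remove the old `image:` line in this commit. Also, `$needsVolumePermissions` is computed but only wraps the `.Values.initContainers` block, which is already gated by its own `if`, so the outer `{{- if or .Values.initContainers $needsVolumePermissions }}` changes nothing; either render the volume-permissions init container inside it or drop the variable.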
@@ -77,34 +77,37 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - - name: SUPERUSER_NAME - value: {{ .Values.superuser.name | quote }} - - name: SUPERUSER_EMAIL - value: {{ .Values.superuser.email | quote }} - - name: SKIP_STARTUP_SCRIPTS - value: {{ .Values.skipStartupScripts | quote }} - {{- if .Values.dbWaitDebug }} - - name: DB_WAIT_DEBUG - value: "1" - {{- end }} - {{- if .Values.overrideUnitConfig }} - - name: UNIT_CONFIG - value: /run/config/netbox/nginx-unit.json - {{- end }} - {{- with .Values.extraEnvs }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.allowedHostsIncludesPodIp }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - {{- end }} + - name: SUPERUSER_NAME + value: {{ .Values.superuser.name | quote }} + - name: SUPERUSER_EMAIL + value: {{ .Values.superuser.email | quote }} + - name: SKIP_STARTUP_SCRIPTS + value: {{ .Values.skipStartupScripts | quote }} + {{- if .Values.dbWaitDebug }} + - name: DB_WAIT_DEBUG + value: "1" + {{- end }} + {{- if .Values.overrideUnitConfig }} + - name: UNIT_CONFIG + value: /run/config/netbox/nginx-unit.json + {{- end }} + {{- with .Values.extraEnvs }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.allowedHostsIncludesPodIp }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} ports: - - name: http - containerPort: 8080 - protocol: TCP + - name: http + containerPort: 8080 + protocol: TCP {{- if .Values.readinessProbe.enabled }} readinessProbe: httpGet: From 892515a269c9bef9092e38e870fa2cbdc6991c5c Mon Sep 17 00:00:00 2001 
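Review bot: Both `{{- with .Values.extraEnvs }}` / `{{- toYaml . | nindent 8 }}` and the new `{{- if .Values.extraEnvVars }}` / `nindent 12` block now render into the same `env:` list, and the README hunk in PATCH 041 on this page lists `extraEnvs` as renamed to `extraEnvVars`. The `extraEnvs` block is also mis-indented after the re-indent: the list items now sit at column 12 while `nindent 8` places the `toYaml` output at column 8, shallower than the `env:` key itself, which breaks the container mapping as soon as someone sets that value. Drop the `extraEnvs` block, or at least change it to `nindent 12`. The enclosing `containers:` entry starts outside this hunk.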
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:26:42 +0700 Subject: [PATCH 044/110] Add VolumeMounts --- charts/netbox/README.md | 1 + charts/netbox/templates/deployment.yaml | 85 +++++++++++++------------ 2 files changed, 46 insertions(+), 40 deletions(-) diff --git a/charts/netbox/README.md b/charts/netbox/README.md index cc1293ef..3eb2818b 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md @@ -95,6 +95,7 @@ The command removes all the Kubernetes components associated with the chart and ## Breaking Changes * The `extraEnvs` setting has been renamed to `extraEnvVars`. * The `extraInitContainers` setting has been renamed to `initContainers`. + * The `extraInitContainers` setting has been renamed to `initContainers`. * The `securityContext` setting has been renamed to `podSecurityContext` and `containerSecurityContext` * The `worker.autoscaling.targetCPUUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetCPU`. * The `worker.autoscaling.targetMemoryUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetMemory`. diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index dbbf15b4..120845c7 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -124,46 +124,51 @@ spec: periodSeconds: {{ .Values.readinessProbe.periodSeconds }} {{- end }} volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - mountPath: /opt/netbox/netbox/reports - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} - - name: optunit - mountPath: /opt/unit - - name: secrets - mountPath: /run/secrets/superuser_password - subPath: superuser_password - readOnly: true - - name: secrets - mountPath: /run/secrets/superuser_api_token - subPath: superuser_api_token - readOnly: true - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} + - name: config + mountPath: /etc/netbox/config/configuration.py + subPath: configuration.py + readOnly: true + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} + - name: config + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true + - name: secrets + mountPath: /run/secrets/netbox + readOnly: true + {{- include "netbox.extraConfig.volumeMounts" . 
| nindent 8 -}} + - name: netbox-tmp + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.enabled }} + - name: reports + mountPath: /opt/netbox/netbox/reports + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- end }} + {{- if .Values.scriptsPersistence.enabled }} + - name: scripts + mountPath: /opt/netbox/netbox/scripts + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- end }} + - name: optunit + mountPath: /opt/unit + - name: secrets + mountPath: /run/secrets/superuser_password + subPath: superuser_password + readOnly: true + - name: secrets + mountPath: /run/secrets/superuser_api_token + subPath: superuser_api_token + readOnly: true + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 10 }} From 3e5c44a7731b738bb1b545257afc4cde1192cc57 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:27:51 +0700 Subject: [PATCH 045/110] Remove volume --- charts/netbox/templates/deployment.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 120845c7..c5fb1254 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -151,11 +151,6 @@ spec: mountPath: /opt/netbox/netbox/reports subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - mountPath: /opt/netbox/netbox/scripts - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} - name: optunit mountPath: /opt/unit - name: secrets 
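Review bot: Inside the single `volumeMounts:` list, `netbox.extraConfig.volumeMounts` is still included with `nindent 8` while the new `extraVolumeMounts` block is rendered with `nindent 12`, so at most one of them can line up with the hard-coded entries and the other becomes a YAML error or a mis-nested mapping. Use one indent for every injected fragment in this list, e.g. `{{- include "netbox.extraConfig.volumeMounts" . | nindent 12 -}}`, and confirm with `helm template` since the collapsed diff hides the actual columns. The `readOnly: true` on the config and secret mounts is correct and should survive any reshuffle; only the data and tmp mounts need to stay writable. The container spec this list belongs to continues outside the hunk.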
From 7a87b73c7f2f2eb67f4616b0292189949af92ccb Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:29:39 +0700 Subject: [PATCH 046/110] Add indent --- charts/netbox/templates/deployment.yaml | 5 +---- charts/netbox/templates/worker/Deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index c5fb1254..7271b2b7 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -140,7 +140,7 @@ spec: - name: secrets mountPath: /run/secrets/netbox readOnly: true - {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} + {{- include "netbox.extraConfig.volumeMounts" . | nindent 10 -}} - name: netbox-tmp mountPath: /tmp - name: media @@ -161,9 +161,6 @@ spec: mountPath: /run/secrets/superuser_api_token subPath: superuser_api_token readOnly: true - {{- if .Values.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 10 }} diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 18391407..25fe2082 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -106,7 +106,7 @@ spec: - name: secrets mountPath: /run/secrets/netbox readOnly: true - {{- include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} + {{- include "netbox.extraConfig.volumeMounts" . | nindent 12 -}} - name: netbox-tmp mountPath: /tmp - name: media From d095f2e60b8bed1006c1bf1b179cfa9a7feb08ef Mon Sep 17 00:00:00 2001 
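Review bot: The second deployment.yaml hunk deletes the `extraVolumeMounts` rendering outright and nothing replaces it, so a user-supplied `extraVolumeMounts` value is now silently ignored by the netbox container, while the worker template later in this series still honors `worker.extraVolumeMounts`. Restore it at the list's indent, `{{- if .Values.extraVolumeMounts }}` / `{{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 10 }}` / `{{- end }}`, matching the `nindent 10` this commit gives the neighbouring `extraConfig.volumeMounts` include. If the drop is intentional it belongs in the README's breaking-changes list. Both deployment.yaml hunks sit inside a container spec that begins and ends outside this view.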
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:33:14 +0700 Subject: [PATCH 047/110] Fix indents --- charts/netbox/README.md | 1 + charts/netbox/templates/worker/Deployment.yaml | 7 +++---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/netbox/README.md b/charts/netbox/README.md index 3eb2818b..6241125a 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md @@ -99,6 +99,7 @@ The command removes all the Kubernetes components associated with the chart and * The `securityContext` setting has been renamed to `podSecurityContext` and `containerSecurityContext` * The `worker.autoscaling.targetCPUUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetCPU`. * The `worker.autoscaling.targetMemoryUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetMemory`. + * The `worker.extraEnvs` setting has been renamed to `worker.extraEnvVars`. * The `serviceMonitor` setting has been renamed to `metrics.serviceMonitor`. * The `metricsEnabled` setting has been renamed to `metrics.enabled`. * The `serviceMonitor` setting has been renamed to `metrics.serviceMonitor`. diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 25fe2082..072981f6 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -70,7 +70,7 @@ spec: image: {{ template "netbox.worker.image" . }} imagePullPolicy: {{ .Values.worker.image.pullPolicy | quote }} {{- if .Values.worker.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -82,9 +82,8 @@ spec: - /opt/netbox/netbox/manage.py - rqworker {{- end }} - {{- with .Values.worker.extraEnvs }} - env: - {{- toYaml . | nindent 8 }} + {{- if .Values.worker.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.worker.extraEnvVars "context" $) | nindent 12 }} {{- end }} {{- if .Values.worker.resources }} resources: {{- toYaml .Values.worker.resources | nindent 12 }} From 8513a6da2f4d2df369e935f843fedc5422ac4c24 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 21:17:36 +0700 Subject: [PATCH 048/110] FIx indent --- charts/netbox/templates/deployment.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 7271b2b7..d9a06c75 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -1,4 +1,4 @@ -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "netbox.fullname" . }} @@ -106,7 +106,7 @@ spec: {{- end }} ports: - name: http - containerPort: 8080 + containerPort: {{ .Values.containerPorts.http }} protocol: TCP {{- if .Values.readinessProbe.enabled }} readinessProbe: @@ -221,11 +221,13 @@ spec: {{- else }} emptyDir: {} {{- end }} - {{- if .Values.reportsPersistence.enabled }} - name: reports + {{- if .Values.reportsPersistence.enabled }} persistentVolumeClaim: claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- end }} + {{- else }} + emptyDir: {} + {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} @@ -248,4 +250,4 @@ spec: {{- with .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml . | nindent 6 }} - {{- end }} \ No newline at end of file + {{- end }} 
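Review bot: In the worker hunk at `@@ -82,9 +82,8 @@` the `env:` key is removed together with the old `with .Values.worker.extraEnvs` block, but the replacement only renders the `extraEnvVars` list, so the entries come out as bare `- name:` items with no parent key and the container spec fails to parse whenever `worker.extraEnvVars` is set. The fix is a single line ahead of the include: `env: {{- include "common.tplvalues.render" (dict "value" .Values.worker.extraEnvVars "context" $) | nindent 12 }}`. A later patch on this page does add `env:` back; folding it into this commit keeps the series bisectable. The deployment.yaml hunks that follow on this line are reverted verbatim by the next commit, so they are not reviewed here.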
From a93fae00b4ff6216612e5b5b1863f52bbf5b5190 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 21:20:15 +0700 Subject: [PATCH 049/110] Fix indent --- charts/netbox/templates/deployment.yaml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index d9a06c75..7271b2b7 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -1,4 +1,4 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "netbox.fullname" . }} @@ -106,7 +106,7 @@ spec: {{- end }} ports: - name: http - containerPort: {{ .Values.containerPorts.http }} + containerPort: 8080 protocol: TCP {{- if .Values.readinessProbe.enabled }} readinessProbe: @@ -221,13 +221,11 @@ spec: {{- else }} emptyDir: {} {{- end }} + {{- if .Values.reportsPersistence.enabled }} - name: reports - {{- if .Values.reportsPersistence.enabled }} persistentVolumeClaim: claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} + {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} @@ -250,4 +248,4 @@ spec: {{- with .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml . | nindent 6 }} - {{- end }} + {{- end }} \ No newline at end of file From d4cd98c89061355f2ca0bc1aa2693336b5f4c95b Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 21:23:40 +0700 Subject: [PATCH 050/110] Edit apiversion --- charts/netbox/templates/_helpers.tpl | 7 +++++++ charts/netbox/templates/deployment.yaml | 5 ++--- 2 files changed, 9 insertions(+), 3 deletions(-) 
diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 3bf4afa3..ad0a2966 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -59,6 +59,13 @@ Return the proper Netbox housekeeping image name {{ include "common.images.image" (dict "imageRoot" .Values.housekeeping.image "global" .Values.global) }} {{- end -}} +{{/* +Return the proper Netbox init image name +*/}} +{{- define "netbox.init.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.init.image "global" .Values.global) }} +{{- end -}} + {{/* Return the proper Docker Image Registry Secret Names */}} diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 7271b2b7..549d1624 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -1,4 +1,4 @@ -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "netbox.fullname" . }} @@ -52,7 +52,7 @@ spec: {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} initContainers: - name: init-dirs - image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" + image: {{ template "netbox.init.image" . }} imagePullPolicy: {{ .Values.init.image.pullPolicy }} command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] {{- if .Values.init.resources }} @@ -74,7 +74,6 @@ spec: image: {{ template "netbox.image" . }} securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: SUPERUSER_NAME From 0f0e64540d5685171fd80b1f4143e66e6c826568 Mon Sep 17 00:00:00 2001 
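Review bot: Routing the init image through `common.images.image` makes `init.image` honor `global.imageRegistry`, but nothing in this commit adds `.Values.init.image` to the pull-secrets helper (`Return the proper Docker Image Registry Secret Names`, whose body is outside the hunk), so a private registry that needs credentials may still fail for the `init-dirs` container unless that helper already lists it — please check. Removing the duplicate `image:` key in the netbox container is a real fix: most YAML parsers keep the last value, so the old `"{{ .Values.image.repository }}:{{ .Values.image.tag ... }}"` line was quietly overriding the `netbox.image` helper, and strict decoders reject duplicate keys outright. For consistency with the worker template, quote the scalar: `imagePullPolicy: {{ .Values.init.image.pullPolicy | quote }}`.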
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 21:29:41 +0700 Subject: [PATCH 051/110] Add scriipt persistence --- charts/netbox/templates/deployment.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 549d1624..a4cb3633 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -105,7 +105,7 @@ spec: {{- end }} ports: - name: http - containerPort: 8080 + containerPort: {{ .Values.containerPorts.http }} protocol: TCP {{- if .Values.readinessProbe.enabled }} readinessProbe: @@ -225,6 +225,13 @@ spec: persistentVolumeClaim: claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} {{- end }} + - name: scripts + {{- if .Values.scriptsPersistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} From 4d0fef809050e1742217fbc010014627897664d0 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 21:34:44 +0700 Subject: [PATCH 052/110] Fix reportsPersistence --- charts/netbox/templates/deployment.yaml | 6 ++++-- charts/netbox/values.yaml | 15 ++++++++++++--- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index a4cb3633..d5a4090c 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
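Review bot: With `scriptsPersistence.enabled=false` the new `scripts` volume is an `emptyDir`, which is per-pod and lost on restart; presumably this directory holds the custom Python that NetBox imports and runs, so each replica would see a different set of scripts and anything uploaded to one pod would vanish without notice. That trade-off should be documented next to `scriptsPersistence.enabled` in values.yaml, e.g. `## NOTE: when disabled, scripts live in an emptyDir, are not shared between replicas and do not survive pod restarts`. The `containerPort: {{ .Values.containerPorts.http }}` change also assumes `containerPorts.http` is defined in values.yaml — not visible on this page — otherwise it renders empty and the named port `http` the readiness probe targets is invalid. The `volumes:` section continues outside the hunk.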
@@ -220,11 +220,13 @@ spec: {{- else }} emptyDir: {} {{- end }} - {{- if .Values.reportsPersistence.enabled }} - name: reports + {{- if .Values.reportsPersistence.enabled }} persistentVolumeClaim: claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- end }} + {{- else }} + emptyDir: {} + {{- end }} - name: scripts {{- if .Values.scriptsPersistence.enabled }} persistentVolumeClaim: diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 3a668d2d..8274d48c 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -673,6 +673,12 @@ reportsPersistence: ## @param reportsPersistence.enabled Enable reportsPersistence using Persistent Volume Claims ## enabled: false + ## @param reportsPersistence.medium Provide a medium for `emptyDir` volumes. + ## + medium: "" + ## @param reportsPersistence.sizeLimit Set this to enable a size limit for `emptyDir` volumes. + ## + sizeLimit: "" ## @param reportsPersistence.storageClass Persistent Volume storage class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning @@ -680,9 +686,6 @@ reportsPersistence: ## (gp2 on AWS, standard on GKE, AWS & OpenStack) ## storageClass: "" - ## @param reportsPersistence.existingClaim Use a existing PVC which must be created manually before bound - ## - existingClaim: "" ## @param reportsPersistence.subPath Existing claim's subPath to use, e.g. "media" (optional) ## subPath: "" @@ -704,6 +707,12 @@ reportsPersistence: ## app: my-app ## selector: {} + ## @param reportsPersistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param reportsPersistence.existingClaim Use a existing PVC which must be created manually before bound + ## + existingClaim: "" ## Storage configuration for scripts ## From 0164362b0f61979b4dc8bade7d89c41f6941269b Mon Sep 17 00:00:00 2001 
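Review bot: values.yaml now advertises `reportsPersistence.medium` and `reportsPersistence.sizeLimit` for the emptyDir fallback, but the deployment.yaml hunk still emits a bare `emptyDir: {}`, so both knobs are documented and ignored; an unbounded emptyDir also lets a runaway report output fill the node's disk. Render them into the volume as below, and give the `scripts` volume (whose lines are context here) the same treatment. The `volumes:` list begins outside the hunk.
```yaml
      - name: reports
        {{- if .Values.reportsPersistence.enabled }}
        persistentVolumeClaim:
          claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }}
        {{- else if or .Values.reportsPersistence.medium .Values.reportsPersistence.sizeLimit }}
        emptyDir:
          {{- with .Values.reportsPersistence.medium }}
          medium: {{ . | quote }}
          {{- end }}
          {{- with .Values.reportsPersistence.sizeLimit }}
          sizeLimit: {{ . | quote }}
          {{- end }}
        {{- else }}
        emptyDir: {}
        {{- end }}
      # … unchanged: scripts volume, extraVolumes …
```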
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 21:43:20 +0700 Subject: [PATCH 053/110] Add reports and scripts path --- charts/netbox/templates/deployment.yaml | 7 ++++--- charts/netbox/values.yaml | 16 ++++++++++++++-- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index d5a4090c..68a5c0e1 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -145,11 +145,12 @@ spec: - name: media mountPath: /opt/netbox/netbox/media subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - name: reports - mountPath: /opt/netbox/netbox/reports + mountPath: {{ .Values.reportsPersistence.path }} subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} + - name: scripts + mountPath: {{ .Values.scriptsPersistence.path }} + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - name: optunit mountPath: /opt/unit - name: secrets diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 8274d48c..4de0b8e0 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -686,6 +686,10 @@ reportsPersistence: ## (gp2 on AWS, standard on GKE, AWS & OpenStack) ## storageClass: "" + ## @param reportsPersistence.path The path the volume will be mounted at on Redis® master containers + ## NOTE: Useful when using different Redis® images + ## + path: /opt/netbox/netbox/reports ## @param reportsPersistence.subPath Existing claim's subPath to use, e.g. "media" (optional) ## subPath: "" 
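Review bot: The comment introduced for `reportsPersistence.path` reads "The path the volume will be mounted at on Redis® master containers / NOTE: Useful when using different Redis® images", apparently carried over from another chart; it should describe NetBox, e.g. `## @param reportsPersistence.path The path the reports volume is mounted at in the NetBox containers`. In deployment.yaml, quote the templated mount paths — `mountPath: {{ .Values.reportsPersistence.path | quote }}` and likewise for scripts — since an empty or indicator-leading value otherwise renders as null or a flow collection. Because the `reports` and `scripts` mounts are now unconditional, the matching volumes must always be declared; the `volumes:` section that does so is outside this hunk.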
@@ -727,9 +731,11 @@ scriptsPersistence: ## (gp2 on AWS, standard on GKE, AWS & OpenStack) ## storageClass: "" - ## @param scriptsPersistence.existingClaim Use a existing PVC which must be created manually before bound + + ## @param scriptsPersistence.path The path the volume will be mounted at on Netbox containers + ## NOTE: Useful when using different Netbox images ## - existingClaim: "" + path: /opt/netbox/netbox/scripts ## @param scriptsPersistence.subPath Existing claim's subPath to use, e.g. "media" (optional) ## subPath: "" @@ -751,6 +757,12 @@ scriptsPersistence: ## app: my-app ## selector: {} + ## @param scriptsPersistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param scriptsPersistence.existingClaim Use a existing PVC which must be created manually before bound + ## + existingClaim: "" podAnnotations: {} From 92a54d96a26fdccfa998b5cb425e841f3776d32f Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 21:48:25 +0700 Subject: [PATCH 054/110] Fix mount --- charts/netbox/templates/worker/Deployment.yaml | 11 ++++------- charts/netbox/values.yaml | 1 - 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 072981f6..61ad0d30 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -83,6 +83,7 @@ spec: - rqworker {{- end }} {{- if .Values.worker.extraEnvVars }} + env: {{- include "common.tplvalues.render" (dict "value" .Values.worker.extraEnvVars "context" $) | nindent 12 }} {{- end }} {{- if .Values.worker.resources }} 
@@ -111,16 +112,12 @@ spec: - name: media mountPath: /opt/netbox/netbox/media subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - name: reports - mountPath: /opt/netbox/netbox/reports + mountPath: {{ .Values.reportsPersistence.path }} subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - name: scripts - mountPath: /opt/netbox/netbox/scripts + mountPath: {{ .Values.scriptsPersistence.path }} subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} {{- if .Values.worker.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" .Values.worker.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} @@ -195,6 +192,6 @@ spec: # claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} # {{- end }} {{- with .Values.worker.extraVolumes }} - {{- toYaml . | nindent 6 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- end }} diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 4de0b8e0..1a73014b 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -731,7 +731,6 @@ scriptsPersistence: ## (gp2 on AWS, standard on GKE, AWS & OpenStack) ## storageClass: "" - ## @param scriptsPersistence.path The path the volume will be mounted at on Netbox containers ## NOTE: Useful when using different Netbox images ## From cd4e62708c23d0fe71f4f77d37ba5e5b0a642739 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 22:48:08 +0700 Subject: [PATCH 055/110] Fix deployment --- charts/netbox/templates/deployment.yaml | 6 +++--- charts/netbox/templates/worker/Deployment.yaml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 68a5c0e1..12c599a1 100644 
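Review bot: The worker hunk at `@@ -111,16 +112,12 @@` makes the `reports` and `scripts` mounts unconditional, yet the context lines a few lines below show the `scripts` volume's `persistentVolumeClaim` block commented out (`# claimName: ...`), so unless an uncommented `scripts` volume exists outside this hunk the pod will be rejected for a volumeMount that references no volume. Either uncomment the worker's `reports`/`scripts` volumes with the same PVC-or-emptyDir logic used in deployment.yaml, or gate the mounts again with `{{- if .Values.scriptsPersistence.enabled }}`. Quote the templated paths here too: `mountPath: {{ .Values.scriptsPersistence.path | quote }}`. The `volumes:` list this refers to begins outside the hunk.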
--- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -90,9 +90,6 @@ spec: - name: UNIT_CONFIG value: /run/config/netbox/nginx-unit.json {{- end }} - {{- with .Values.extraEnvs }} - {{- toYaml . | nindent 8 }} - {{- end }} {{- if .Values.allowedHostsIncludesPodIp }} - name: POD_IP valueFrom: @@ -122,6 +119,9 @@ spec: successThreshold: {{ .Values.readinessProbe.successThreshold }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 10 }} + {{- end }} volumeMounts: - name: config mountPath: /etc/netbox/config/configuration.py diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 61ad0d30..68a70c69 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -191,7 +191,7 @@ spec: # persistentVolumeClaim: # claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} # {{- end }} - {{- with .Values.worker.extraVolumes }} - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} + # {{- with .Values.worker.extraVolumes }} + # {{- toYaml . | nindent 8 }} + # {{- end }} +{{- end }} \ No newline at end of file From 5e3b0a8ed44dd1288c9ea91e5824b3e28ad77668 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 22:51:23 +0700 Subject: [PATCH 056/110] Fix deployment indent --- charts/netbox/templates/deployment.yaml | 187 ++++++++++++------------ 1 file changed, 92 insertions(+), 95 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 12c599a1..75260f84 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
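Review bot: The worker hunk comments out the `worker.extraVolumes` rendering while `worker.extraVolumeMounts` (in the earlier hunk of the same file) is still rendered, so a user who supplies both now gets mounts pointing at volumes that no longer exist and the API server rejects the pod. Restore the three lines, `{{- with .Values.worker.extraVolumes }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`, or comment out the mounts as well. The deployment.yaml hunk's removal of `extraEnvs` is consistent with the README rename, and moving `resources` above `volumeMounts` is harmless. The commit also drops the trailing newline at end of the worker template, which most linters flag.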
@@ -70,104 +70,101 @@ spec: {{- end }} {{- end }} containers: - - name: netbox - image: {{ template "netbox.image" . }} - securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: SUPERUSER_NAME - value: {{ .Values.superuser.name | quote }} - - name: SUPERUSER_EMAIL - value: {{ .Values.superuser.email | quote }} - - name: SKIP_STARTUP_SCRIPTS - value: {{ .Values.skipStartupScripts | quote }} - {{- if .Values.dbWaitDebug }} - - name: DB_WAIT_DEBUG - value: "1" - {{- end }} - {{- if .Values.overrideUnitConfig }} - - name: UNIT_CONFIG - value: /run/config/netbox/nginx-unit.json - {{- end }} - {{- if .Values.allowedHostsIncludesPodIp }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP + - name: netbox + image: {{ template "netbox.image" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: SUPERUSER_NAME + value: {{ .Values.superuser.name | quote }} + - name: SUPERUSER_EMAIL + value: {{ .Values.superuser.email | quote }} + - name: SKIP_STARTUP_SCRIPTS + value: {{ .Values.skipStartupScripts | quote }} + {{- if .Values.dbWaitDebug }} + - name: DB_WAIT_DEBUG + value: "1" + {{- end }} + {{- if .Values.overrideUnitConfig }} + - name: UNIT_CONFIG + value: /run/config/netbox/nginx-unit.json + {{- end }} + {{- if .Values.allowedHostsIncludesPodIp }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /{{ .Values.basePath }}login/ + port: http + {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} + httpHeaders: + 
- name: Host + value: {{ (index .Values.allowedHosts 0) | quote }} + {{- end }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} {{- end }} - {{- if .Values.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + + volumeMounts: + - name: config + mountPath: /etc/netbox/config/configuration.py + subPath: configuration.py + readOnly: true + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} + - name: config + mountPath: /etc/netbox/config/ldap/ldap_config.py + subPath: ldap_config.py + readOnly: true + {{ end -}} + - name: config + mountPath: /run/config/netbox + readOnly: true + - name: secrets + mountPath: /run/secrets/netbox + readOnly: true + {{- include "netbox.extraConfig.volumeMounts" . 
| nindent 12 -}} + - name: netbox-tmp + mountPath: /tmp + - name: media + mountPath: /opt/netbox/netbox/media + subPath: {{ .Values.persistence.subPath | default "" | quote }} + - name: reports + mountPath: {{ .Values.reportsPersistence.path }} + subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + - name: scripts + mountPath: {{ .Values.scriptsPersistence.path }} + subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + - name: optunit + mountPath: /opt/unit + - name: secrets + mountPath: /run/secrets/superuser_password + subPath: superuser_password + readOnly: true + - name: secrets + mountPath: /run/secrets/superuser_api_token + subPath: superuser_api_token + readOnly: true + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} - ports: - - name: http - containerPort: {{ .Values.containerPorts.http }} - protocol: TCP - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: /{{ .Values.basePath }}login/ - port: http - {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} - httpHeaders: - - name: Host - value: {{ (index .Values.allowedHosts 0) | quote }} - {{- end }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + {{- with .Values.extraContainers }} + {{- toYaml . 
| nindent 6 }} {{- end }} - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 10 }} - {{- end }} - volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - {{- include "netbox.extraConfig.volumeMounts" . | nindent 10 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - - name: reports - mountPath: {{ .Values.reportsPersistence.path }} - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - - name: scripts - mountPath: {{ .Values.scriptsPersistence.path }} - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - - name: optunit - mountPath: /opt/unit - - name: secrets - mountPath: /run/secrets/superuser_password - subPath: superuser_password - readOnly: true - - name: secrets - mountPath: /run/secrets/superuser_api_token - subPath: superuser_api_token - readOnly: true - {{- if .Values.resources }} - resources: - {{- toYaml .Values.resources | nindent 10 }} - {{- end }} - {{- with .Values.extraContainers }} - {{- toYaml . | nindent 6 }} - {{- end }} volumes: - name: config configMap: From 081b9598461904de580f945af5d6fcce94c65b40 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 22:57:16 +0700 Subject: [PATCH 057/110] Fix deployment indent --- charts/netbox/README.md | 2 +- charts/netbox/templates/deployment.yaml | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) 
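Review bot: The re-indented container still reads `securityContext: {{- toYaml .Values.securityContext | nindent 10 }}`, but the README on this page lists `securityContext` as renamed to `podSecurityContext`/`containerSecurityContext`; if values.yaml no longer defines the old key this renders an empty `securityContext:` and the netbox container runs with no `runAsNonRoot`, no dropped capabilities and no read-only root filesystem. Switch to the new key with the same gate the worker uses: `{{- if .Values.containerSecurityContext.enabled }}` / `securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}` / `{{- end }}`. The `extraContainers` block is also still rendered with `nindent 6`, which is likely shallower than the re-indented `- name: netbox` entry it must sit beside (the collapsed diff hides the columns), so sidecars would land outside the `containers:` list — verify with `helm template`. The readiness probe's `index .Values.allowedHosts 0` is pre-existing but aborts rendering on an empty `allowedHosts` list; `{{- with first .Values.allowedHosts }}` would be safer.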
diff --git a/charts/netbox/README.md b/charts/netbox/README.md index 6241125a..69965ea8 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md @@ -94,7 +94,7 @@ The command removes all the Kubernetes components associated with the chart and ## Breaking Changes * The `extraEnvs` setting has been renamed to `extraEnvVars`. - * The `extraInitContainers` setting has been renamed to `initContainers`. + * The `extraContainers` setting has been renamed to `sidecars`. * The `extraInitContainers` setting has been renamed to `initContainers`. * The `securityContext` setting has been renamed to `podSecurityContext` and `containerSecurityContext` * The `worker.autoscaling.targetCPUUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetCPU`. diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 75260f84..5c901735 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -66,15 +66,16 @@ spec: mountPath: /opt/unit {{- if or .Values.initContainers $needsVolumePermissions }} {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 10 }} {{- end }} {{- end }} containers: - name: netbox image: {{ template "netbox.image" . }} - securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - name: SUPERUSER_NAME value: {{ .Values.superuser.name | quote }} 
@@ -162,8 +163,8 @@ spec: {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} - {{- with .Values.extraContainers }} - {{- toYaml . | nindent 6 }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: - name: config From 94686ccd048ff06ce23dbd74f48de85aabd32c2a Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 23:06:54 +0700 Subject: [PATCH 058/110] Fix deployment indent --- charts/netbox/templates/deployment.yaml | 138 +++++++++--------- .../netbox/templates/worker/Deployment.yaml | 50 ++++--- 2 files changed, 96 insertions(+), 92 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 5c901735..c3d36949 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
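Review bot: Replacing `toYaml .` with `common.tplvalues.render` means user-supplied `sidecars` are now passed through `tpl`, so any `{{ ... }}` text inside a sidecar definition is evaluated at render time where it was previously copied verbatim; the README "Breaking Changes" entry for the `extraContainers` to `sidecars` rename should mention this, e.g. `Values are now rendered as templates; escape literal braces`. The same `toYaml` to `common.tplvalues.render` switch is made for `extraVolumes` in both Deployment hunks of the following commit, so one sentence covering `sidecars`, `initContainers` and `extraVolumes` is enough.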
@@ -167,75 +167,75 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: - - name: config - configMap: - name: {{ include "netbox.fullname" . }} - - name: secrets - projected: - sources: - - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} - items: - # Used by netbox-docker entry scripts - - key: superuser_password - path: superuser_password - - key: superuser_api_token - path: superuser_api_token - # Used by our configuration - - key: email_password - path: email_password - - key: secret_key - path: secret_key - {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} - - key: ldap_bind_password - path: ldap_bind_password - {{- end }} - - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} - items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} - path: db_password - - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} - items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} - path: redis_tasks_password - - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} - items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} - path: redis_cache_password - {{- include "netbox.extraConfig.volumes" . 
| nindent 6 -}} - - name: netbox-tmp - emptyDir: - medium: Memory - - name: optunit - emptyDir: - medium: Memory - - name: media - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: reports - {{- if .Values.reportsPersistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: scripts - {{- if .Values.scriptsPersistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 6 }} - {{- end }} + - name: config + configMap: + name: {{ include "netbox.fullname" . }} + - name: secrets + projected: + sources: + - secret: + name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} + items: + # Used by netbox-docker entry scripts + - key: superuser_password + path: superuser_password + - key: superuser_api_token + path: superuser_api_token + # Used by our configuration + - key: email_password + path: email_password + - key: secret_key + path: secret_key + {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} + - key: ldap_bind_password + path: ldap_bind_password + {{- end }} + - secret: + name: {{ include "netbox.postgresql.secret" . | quote }} + items: + - key: {{ include "netbox.postgresql.secretKey" . | quote }} + path: db_password + - secret: + name: {{ include "netbox.tasksRedis.secret" . | quote }} + items: + - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + path: redis_tasks_password + - secret: + name: {{ include "netbox.cachingRedis.secret" . 
| quote }} + items: + - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + path: redis_cache_password + {{- include "netbox.extraConfig.volumes" . | nindent 8 -}} + - name: netbox-tmp + emptyDir: + medium: Memory + - name: optunit + emptyDir: + medium: Memory + - name: media + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + - name: reports + {{- if .Values.reportsPersistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + - name: scripts + {{- if .Values.scriptsPersistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 68a70c69..88592de4 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml 
@@ -132,9 +132,9 @@ spec: {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.worker.podSecurityContext.enabled .Values.worker.containerSecurityContext.enabled }} {{- if or .Values.worker.initContainers $needsVolumePermissions }} initContainers: - {{- if .Values.worker.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.worker.initContainers "context" $) | nindent 8 }} - {{- end }} + {{- if .Values.worker.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.worker.initContainers "context" $) | nindent 8 }} + {{- end }} {{- end }} volumes: - name: config 
@@ -174,24 +174,28 @@ spec: - name: netbox-tmp emptyDir: medium: Memory - # - name: media - # {{- if .Values.persistence.enabled }} - # persistentVolumeClaim: - # claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - # {{- else }} - # emptyDir: {} - # {{- end }} - # {{- if .Values.reportsPersistence.enabled }} - # - name: reports - # persistentVolumeClaim: - # claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - # {{- end }} - # {{- if .Values.scriptsPersistence.enabled }} - # - name: scripts - # persistentVolumeClaim: - # claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - # {{- end }} - # {{- with .Values.worker.extraVolumes }} - # {{- toYaml . | nindent 8 }} - # {{- end }} + - name: media + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + - name: reports + {{- if .Values.reportsPersistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + - name: scripts + {{- if .Values.scriptsPersistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} {{- end }} \ No newline at end of file From 592c3674e035f0765ba858ccb803cafefd8d9b39 Mon Sep 17 00:00:00 2001 
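Review bot: The re-enabled block reads `.Values.extraVolumes`, but the commented-out original it replaces read `.Values.worker.extraVolumes`; as written, a worker-specific `worker.extraVolumes` value is silently ignored and the main deployment's `extraVolumes` is rendered into the worker pod instead. If sharing the list is intended, the values file and README should say so; otherwise change the guard and render to `.Values.worker.extraVolumes`. The `media`/`reports`/`scripts` volumes likewise key off the top-level `persistence` values, which matches the main deployment and is presumably deliberate.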
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 23:12:35 +0700 Subject: [PATCH 059/110] Move init container --- charts/netbox/README.md | 1 + charts/netbox/templates/deployment.yaml | 41 +++++++++---------- .../netbox/templates/worker/Deployment.yaml | 2 +- 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/charts/netbox/README.md b/charts/netbox/README.md index 69965ea8..be426810 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md @@ -95,6 +95,7 @@ The command removes all the Kubernetes components associated with the chart and ## Breaking Changes * The `extraEnvs` setting has been renamed to `extraEnvVars`. * The `extraContainers` setting has been renamed to `sidecars`. + * The `extraContainers` setting has been renamed to `sidecars`. * The `extraInitContainers` setting has been renamed to `initContainers`. * The `securityContext` setting has been renamed to `podSecurityContext` and `containerSecurityContext` * The `worker.autoscaling.targetCPUUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetCPU`. diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index c3d36949..c32174bb 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -49,26 +49,6 @@ spec: {{- if .Values.podSecurityContext.enabled }} securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} - initContainers: - - name: init-dirs - image: {{ template "netbox.init.image" . }} - imagePullPolicy: {{ .Values.init.image.pullPolicy }} - command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] - {{- if .Values.init.resources }} - resources: - {{- toYaml .Values.init.resources | nindent 10 }} - {{- end }} - securityContext: - {{- toYaml .Values.init.securityContext | nindent 10 }} - volumeMounts: - - name: optunit - mountPath: /opt/unit - {{- if or .Values.initContainers $needsVolumePermissions }} - {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 10 }} - {{- end }} - {{- end }} containers: - name: netbox image: {{ template "netbox.image" . }} @@ -120,7 +100,6 @@ spec: successThreshold: {{ .Values.readinessProbe.successThreshold }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} {{- end }} - volumeMounts: - name: config mountPath: /etc/netbox/config/configuration.py 
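Review bot: The second hunk (`@@ -120,7 +100,6 @@`) removes the `volumeMounts:` line but keeps the `- name: config` mount entries that followed it, so unless another `volumeMounts:` key for the netbox container remains above this hunk (not visible here), those entries now dangle after the readiness-probe block and the rendered container has no mounts at all. Please confirm with `helm template` that the container still shows its config and secrets mounts; if a duplicate key was being removed, a commit message line saying so would help the next reader.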
@@ -166,6 +145,26 @@ spec: {{- if .Values.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} + initContainers: + - name: init-dirs + image: {{ template "netbox.init.image" . }} + imagePullPolicy: {{ .Values.init.image.pullPolicy }} + command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] + {{- if .Values.init.resources }} + resources: + {{- toYaml .Values.init.resources | nindent 10 }} + {{- end }} + securityContext: + {{- toYaml .Values.init.securityContext | nindent 10 }} + volumeMounts: + - name: optunit + mountPath: /opt/unit + {{- if or .Values.initContainers $needsVolumePermissions }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 10 }} + {{- end }} + {{- end }} volumes: - name: config configMap: diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 88592de4..aaa93332 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -170,7 +170,7 @@ spec: items: - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} path: redis_cache_password - # {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} + {{- include "netbox.extraConfig.volumes" . | nindent 8 -}} - name: netbox-tmp emptyDir: medium: Memory From 899615b81933234feb7b9ee0939635bf254f4433 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 23:18:19 +0700 Subject: [PATCH 060/110] Enable redis auth --- charts/netbox/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 1a73014b..bd953712 100644 
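Review bot: In the moved block, `$needsVolumePermissions` is computed from `volumePermissions.enabled`, `persistence.enabled` and the two security-context switches, but nothing is rendered for it: the `{{- if or .Values.initContainers $needsVolumePermissions }}` wrapper only contains `{{- if .Values.initContainers }}`, so the outer condition is dead and no volume-permissions init container ever appears. Either render the permissions container in that branch or drop the variable and the outer `if`; the worker Deployment hunk of the previous commit has the same shape and there it additionally emits a bare `initContainers:` key when only `$needsVolumePermissions` holds. The pod spec this block belongs to starts before the hunk.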
--- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -1774,7 +1774,7 @@ redis: auth: ## @param auth.enabled Enable password authentication ## - enabled: false + enabled: true tasksRedis: database: 0 From 258dbf5cf9a4516ba78a3e7eded03088808866dd Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 23:34:09 +0700 Subject: [PATCH 061/110] Add database helper --- .../redis => archive}/ServiceAccount.yaml | 0 charts/netbox/templates/Secret/netbox.yaml | 10 +- charts/netbox/templates/_helpers.tpl | 177 ++++++++++++++++-- charts/netbox/templates/service.yaml | 2 +- charts/netbox/values.yaml | 16 +- 5 files changed, 176 insertions(+), 29 deletions(-) rename charts/netbox/{templates/redis => archive}/ServiceAccount.yaml (100%) diff --git a/charts/netbox/templates/redis/ServiceAccount.yaml b/charts/netbox/archive/ServiceAccount.yaml similarity index 100% rename from charts/netbox/templates/redis/ServiceAccount.yaml rename to charts/netbox/archive/ServiceAccount.yaml diff --git a/charts/netbox/templates/Secret/netbox.yaml b/charts/netbox/templates/Secret/netbox.yaml index d10d320b..d59329f7 100644 --- a/charts/netbox/templates/Secret/netbox.yaml +++ b/charts/netbox/templates/Secret/netbox.yaml 
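Review bot: Turning `auth.enabled` on by default is the right call, but the `## @param auth.enabled` line sits under `redis:` and omits the parent path, so the README generator will document it as a top-level `auth.enabled`; it should read `## @param redis.auth.enabled Enable password authentication`. Since the chart now depends on a Redis password existing, a follow-up comment pointing at the helper that resolves it (`netbox.tasksRedis.secret` / `netbox.cachingRedis.secret`, referenced in the Deployment volumes) would save operators a search.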
@@ -3,12 +3,10 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "netbox.fullname" . }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} + labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} + {{- if or .Values.externalDatabase.annotations .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.externalDatabase.annotations .Values.commonAnnotations) "context" $) | nindent 4 }} {{- end }} - labels: - {{- include "netbox.labels" . | nindent 4 }} type: Opaque data: {{ if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecretName) -}} @@ -27,4 +25,4 @@ data: {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} ldap_bind_password: {{ .Values.remoteAuth.ldap.bindPassword | b64enc | quote }} {{ end -}} -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index ad0a2966..44d3e580 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -6,20 +6,6 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} -{{/* -Return the proper Netbox worker fullname -*/}} -{{- define "netbox.worker.fullname" -}} -{{- printf "%s-%s" (include "common.names.fullname" .) "worker" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Return the proper Netbox housekeeping fullname -*/}} -{{- define "netbox.housekeeping.fullname" -}} -{{- printf "%s-%s" (include "common.names.fullname" .) "housekeeping" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -38,6 +24,20 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- end }} +{{/* +Return the proper Netbox worker fullname +*/}} +{{- define "netbox.worker.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "worker" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper Netbox housekeeping fullname +*/}} +{{- define "netbox.housekeeping.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "housekeeping" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Return the proper Netbox image name */}} 
@@ -222,3 +222,152 @@ Volume mounts for .Values.extraConfig entries readOnly: true {{ end -}} {{- end }} + +{{/* +Return the Database hostname +*/}} +{{- define "netbox.databaseHost" -}} +{{- if eq .Values.postgresql.architecture "replication" }} + {{- ternary (include "netbox.postgresql.fullname" .) (tpl .Values.externalDatabase.host $) .Values.postgresql.enabled -}}-primary +{{- else -}} + {{- ternary (include "netbox.postgresql.fullname" .) (tpl .Values.externalDatabase.host $) .Values.postgresql.enabled -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Database port +*/}} +{{- define "netbox.databasePort" -}} + {{- ternary "5432" .Values.externalDatabase.port .Values.postgresql.enabled | quote -}} +{{- end -}} + +{{/* +Return the Database database name +*/}} +{{- define "netbox.databaseName" -}} +{{- if .Values.postgresql.enabled }} + {{- if .Values.global.postgresql }} + {{- if .Values.global.postgresql.auth }} + {{- coalesce .Values.global.postgresql.auth.database .Values.postgresql.auth.database -}} + {{- else -}} + {{- .Values.postgresql.auth.database -}} + {{- end -}} + {{- else -}} + {{- .Values.postgresql.auth.database -}} + {{- end -}} +{{- else -}} + {{- .Values.externalDatabase.database -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Database user +*/}} +{{- define "netbox.databaseUser" -}} +{{- if .Values.postgresql.enabled -}} + {{- if .Values.global.postgresql -}} + {{- if .Values.global.postgresql.auth -}} + {{- coalesce .Values.global.postgresql.auth.username .Values.postgresql.auth.username -}} + {{- else -}} + {{- .Values.postgresql.auth.username -}} + {{- end -}} + {{- else -}} + {{- .Values.postgresql.auth.username -}} + {{- end -}} +{{- else -}} + {{- .Values.externalDatabase.user -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Database encrypted password +*/}} +{{- define "netbox.databaseSecretName" -}} +{{- if .Values.postgresql.enabled -}} + {{- if .Values.global.postgresql -}} + {{- if .Values.global.postgresql.auth -}} + {{- if 
.Values.global.postgresql.auth.existingSecret -}} + {{- tpl .Values.global.postgresql.auth.existingSecret $ -}} + {{- else -}} + {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}} + {{- end -}} + {{- else -}} + {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}} + {{- end -}} + {{- else -}} + {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}} + {{- end -}} +{{- else -}} + {{- default (printf "%s-externaldb" .Release.Name) (tpl .Values.externalDatabase.existingSecret $) -}} +{{- end -}} +{{- end -}} + +{{/* +Add environment variables to configure database values +*/}} +{{- define "netbox.databaseSecretPasswordKey" -}} +{{- if .Values.postgresql.enabled -}} + {{- print "password" -}} +{{- else -}} + {{- if .Values.externalDatabase.existingSecret -}} + {{- if .Values.externalDatabase.existingSecretPasswordKey -}} + {{- printf "%s" .Values.externalDatabase.existingSecretPasswordKey -}} + {{- else -}} + {{- print "db-password" -}} + {{- end -}} + {{- else -}} + {{- print "db-password" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "netbox.databaseSecretHostKey" -}} + {{- if .Values.externalDatabase.existingSecretHostKey -}} + {{- printf "%s" .Values.externalDatabase.existingSecretHostKey -}} + {{- else -}} + {{- print "db-host" -}} + {{- end -}} +{{- end -}} +{{- define "netbox.databaseSecretPortKey" -}} + {{- if .Values.externalDatabase.existingSecretPortKey -}} + {{- printf "%s" .Values.externalDatabase.existingSecretPortKey -}} + {{- else -}} + {{- print "db-port" -}} + {{- end -}} +{{- end -}} +{{- define "netbox.databaseSecretUserKey" -}} + {{- if .Values.externalDatabase.existingSecretUserKey -}} + {{- printf "%s" .Values.externalDatabase.existingSecretUserKey -}} + {{- else -}} + {{- print "db-port" -}} + {{- end -}} +{{- end -}} +{{- define "netbox.databaseSecretDatabaseKey" -}} + {{- if 
.Values.externalDatabase.existingSecretDatabaseKey -}} + {{- printf "%s" .Values.externalDatabase.existingSecretDatabaseKey -}} + {{- else -}} + {{- print "db-port" -}} + {{- end -}} +{{- end -}} + +{{/* Validate values of Netbox - database */}} +{{- define "netbox.validateValues.database" -}} +{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) (and (not .Values.externalDatabase.password) (not .Values.externalDatabase.existingSecret)) -}} +netbox: database + You disabled the PostgreSQL sub-chart but did not specify an external PostgreSQL host. + Either deploy the PostgreSQL sub-chart (--set postgresql.enabled=true), + or set a value for the external database host (--set externalDatabase.host=FOO) + and set a value for the external database password (--set externalDatabase.password=BAR) + or existing secret (--set externalDatabase.existingSecret=BAR). +{{- end -}} +{{- end -}} + +{{/* Validate values of Netbox - TLS enabled */}} +{{- define "netbox.validateValues.tls" -}} +{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated) (not .Values.tls.existingSecret) }} +netbox: tls.enabled + In order to enable TLS, you also need to provide + an existing secret containing the Keystore and Truststore or + enable auto-generated certificates. +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/netbox/templates/service.yaml b/charts/netbox/templates/service.yaml index c6ba647c..c757f095 100644 --- a/charts/netbox/templates/service.yaml +++ b/charts/netbox/templates/service.yaml 
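Review bot: `netbox.databaseSecretUserKey` and `netbox.databaseSecretDatabaseKey` both fall back to `{{- print "db-port" -}}`, so an external-database secret relying on the default key names would have its user and database looked up under the port key; the fallbacks are presumably meant to be `db-user` and `db-database`, and nothing visible in this series creates the `%s-externaldb` Secret that `netbox.databaseSecretName` returns, so please confirm where that Secret comes from. The header comments are copy-pasted: `netbox.databaseSecretName` is described as "Return the Database encrypted password" and `netbox.databaseSecretPasswordKey` as "Add environment variables to configure database values"; suggest `Return the name of the Secret holding the database password` and `Return the key inside that Secret holding the database password`. In `netbox.validateValues.database` the top-level `and` means a missing host with a password set, or a host with no password and no secret, both pass validation silently, while the message describes an either/or condition. `netbox.validateValues.tls` refers to "Keystore and Truststore", which reads like a Java-chart leftover; check that it matches the certificate material this chart actually expects.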
@@ -56,7 +56,7 @@ spec: {{- end }} {{- end }} {{- if .Values.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} {{- end }} {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index bd953712..eceeb12d 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -1740,6 +1740,14 @@ externalDatabase: database: netbox username: netbox password: "" + existingSecret: "" + existingSecretHostKey: "" + existingSecretPortKey: "" + existingSecretUserKey: "" + existingSecretDatabaseKey: "" + existingSecretPasswordKey: "" + annotations: {} + existingSecretName: "" existingSecretKey: postgresql-password @@ -1749,14 +1757,6 @@ externalDatabase: disableServerSideCursors: false targetSessionAttrs: read-write - existingSecret: "" - existingSecretHostKey: "" - existingSecretPortKey: "" - existingSecretUserKey: "" - existingSecretDatabaseKey: "" - existingSecretPasswordKey: "" - annotations: {} - ## @section Redis common configuration parameters ## https://github.com/bitnami/containers/tree/main/bitnami/redis#configuration ## From ae687ea957c8ac13f460ccc2756340fe953607b0 Mon Sep 17 00:00:00 2001 
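Review bot: After this move, `externalDatabase` carries two parallel existing-secret mechanisms: `existingSecretName`/`existingSecretKey` (still guarding `db_password` in the Secret template) and `existingSecret`/`existingSecret*Key` (consumed by the new `netbox.database*` helpers). A user who sets only one of them gets inconsistent behaviour between the helpers and the Secret, and the new keys are the only ones in the block without `## @param` lines. Suggest documenting precedence on the new key, e.g. `## @param externalDatabase.existingSecret Existing secret with the external database credentials (takes precedence over existingSecretName)`, and planning to retire one pair.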
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Tue, 30 Jan 2024 23:58:34 +0700 Subject: [PATCH 062/110] Fix database helper --- charts/netbox/archive/netbox copy.yaml | 28 +++++++++++++++++++ charts/netbox/templates/ConfigMap/netbox.yaml | 16 +++++------ charts/netbox/templates/Secret/netbox.yaml | 9 +++--- charts/netbox/templates/_helpers.tpl | 24 ++++++++++++++++ charts/netbox/values.yaml | 22 +++++++++++++-- 5 files changed, 85 insertions(+), 14 deletions(-) create mode 100644 charts/netbox/archive/netbox copy.yaml diff --git a/charts/netbox/archive/netbox copy.yaml b/charts/netbox/archive/netbox copy.yaml new file mode 100644 index 00000000..d59329f7 --- /dev/null +++ b/charts/netbox/archive/netbox copy.yaml 
@@ -0,0 +1,28 @@ +{{- if not .Values.existingSecret -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "netbox.fullname" . }} + labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} + {{- if or .Values.externalDatabase.annotations .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.externalDatabase.annotations .Values.commonAnnotations) "context" $) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{ if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecretName) -}} + db_password: {{ .Values.externalDatabase.password | b64enc | quote }} + {{ end -}} + email_password: {{ .Values.email.password | b64enc | quote }} + {{ if and (not .Values.redis.enabled) (not .Values.tasksRedis.existingSecretName) -}} + redis_tasks_password: {{ .Values.tasksRedis.password | b64enc | quote }} + {{ end -}} + {{ if and (not .Values.redis.enabled) (not .Values.cachingRedis.existingSecretName) -}} + redis_cache_password: {{ .Values.cachingRedis.password | b64enc | quote }} + {{ end -}} + secret_key: {{ .Values.secretKey | default (randAscii 60) | b64enc }} + superuser_password: {{ .Values.superuser.password | default (randAlphaNum 16) | b64enc }} + superuser_api_token: {{ .Values.superuser.apiToken | default uuidv4 | b64enc }} + {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} + ldap_bind_password: {{ .Values.remoteAuth.ldap.bindPassword | b64enc | quote }} + {{ end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/netbox/templates/ConfigMap/netbox.yaml b/charts/netbox/templates/ConfigMap/netbox.yaml index acafa62d..80236704 100644 --- a/charts/netbox/templates/ConfigMap/netbox.yaml +++ b/charts/netbox/templates/ConfigMap/netbox.yaml 
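Review bot: `charts/netbox/archive/netbox copy.yaml` is a byte-for-byte copy (same blob id d59329f7) of the Secret template as it stood before this commit, with a space in the filename; Helm packages everything under the chart directory that `.helmignore` does not exclude, so unless `archive/` is listed there (not visible here) this backup ships in the chart tarball alongside the live template. Git history already preserves the old version; if a reference copy is wanted, add `archive/` to `.helmignore` and note the purpose in a comment at the top of the file.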
@@ -79,15 +79,15 @@ data: DATABASE: {{ if .Values.postgresql.enabled -}} - HOST: {{ include "postgresql.v1.primary.fullname" .Subcharts.postgresql | quote }} - USER: {{ include "postgresql.v1.username" .Subcharts.postgresql | quote }} - NAME: {{ include "postgresql.v1.database" .Subcharts.postgresql | quote }} - PORT: {{ include "postgresql.v1.service.port" .Subcharts.postgresql | int }} + HOST: {{ include "netbox.databaseHost" . | quote }} + USER: {{ include "netbox.databaseUser" . | quote }} + NAME: {{ include "netbox.databaseName" . | quote }} + PORT: {{ include "netbox.databasePort" . | int }} {{- else -}} - HOST: {{ .Values.externalDatabase.host | quote }} - USER: {{ .Values.externalDatabase.username | quote }} - NAME: {{ .Values.externalDatabase.database | quote }} - PORT: {{ .Values.externalDatabase.port | int }} + HOST: {{ include "netbox.databaseHost" . | quote }} + USER: {{ include "netbox.databaseUser" . | quote }} + NAME: {{ include "netbox.databaseName" . | quote }} + PORT: {{ include "netbox.databasePort" . | int }} {{- end }} OPTIONS: sslmode: {{ .Values.externalDatabase.sslMode | quote }} diff --git a/charts/netbox/templates/Secret/netbox.yaml b/charts/netbox/templates/Secret/netbox.yaml index d59329f7..619cd5b3 100644 --- a/charts/netbox/templates/Secret/netbox.yaml +++ b/charts/netbox/templates/Secret/netbox.yaml 
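Review bot: Both branches of `{{ if .Values.postgresql.enabled -}}` now emit identical `HOST/USER/NAME/PORT` lines, so the conditional can be dropped and the four lines kept once. More importantly, `PORT: {{ include "netbox.databasePort" . | int }}` pipes the helper result through `int`, but `netbox.databasePort` (helper hunk earlier in this series) ends with `| quote`, so the include yields the characters `"5432"` including the quotes; as far as I can tell Sprig's `int` cannot parse that and yields 0, rendering `PORT: 0`. Remove the `| quote` in the helper or the `| int` here, and verify the rendered ConfigMap.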
@@ -2,10 +2,10 @@ apiVersion: v1 kind: Secret metadata: - name: {{ include "netbox.fullname" . }} + name: {{ printf "%s" (include "netbox.fullname" .) }} labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} - {{- if or .Values.externalDatabase.annotations .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.externalDatabase.annotations .Values.commonAnnotations) "context" $) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} type: Opaque data: @@ -20,7 +20,8 @@ data: redis_cache_password: {{ .Values.cachingRedis.password | b64enc | quote }} {{ end -}} secret_key: {{ .Values.secretKey | default (randAscii 60) | b64enc }} - superuser_password: {{ .Values.superuser.password | default (randAlphaNum 16) | b64enc }} + # superuser_password: {{ .Values.superuser.password | default (randAlphaNum 16) | b64enc }} + superuser_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.fullname" .)) "key" "superuser_password" "length" 10 "providedValues" (list "superuser.password") "context" $) }} superuser_api_token: {{ .Values.superuser.apiToken | default uuidv4 | b64enc }} {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} ldap_bind_password: {{ .Values.remoteAuth.ldap.bindPassword | b64enc | quote }} diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 44d3e580..d5a498a5 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl 
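Review bot: Only `superuser_password` moves to `common.secrets.passwords.manage`; `secret_key: {{ .Values.secretKey | default (randAscii 60) | b64enc }}` and `superuser_api_token: {{ .Values.superuser.apiToken | default uuidv4 | b64enc }}` next to it still draw a fresh random value on every render, so each `helm upgrade` with those values unset rotates Django's `SECRET_KEY` (invalidating sessions and signed data) and the admin token. The same lookup-before-generate helper fits both, or at minimum a comment saying the values must be pinned for upgrades. `"length" 10` is shorter than the `randAlphaNum 16` it replaces for a long-lived administrator password; keep 16. The superseded line should be deleted rather than left as `# superuser_password: ...`, and `name: {{ printf "%s" (include "netbox.fullname" .) }}` is a no-op wrapper around the previous `name: {{ include "netbox.fullname" . }}`.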
@@ -350,6 +350,30 @@ Add environment variables to configure database values {{- end -}} {{- end -}} +{{/* +Return the secret containing the Netbox superuser password +*/}} +{{- define "netbox.secretName" -}} +{{- $secretName := .Values.superuser.existingSecret -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret key that contains the Netbox superuser password +*/}} +{{- define "netbox.secretKey" -}} +{{- $secretName := .Values.superuser.existingSecret -}} +{{- if and $secretName .Values.superuser.passwordSecretKey -}} + {{- printf "%s" .Values.superuser.passwordSecretKey -}} +{{- else -}} + {{- print "superuser_password" -}} +{{- end -}} +{{- end -}} + {{/* Validate values of Netbox - database */}} {{- define "netbox.validateValues.database" -}} {{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) (and (not .Values.externalDatabase.password) (not .Values.externalDatabase.existingSecret)) -}} diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index eceeb12d..36089adc 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
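Review bot: `netbox.secretName` keys off `.Values.superuser.existingSecret`, while the Secret template is still gated on `{{- if not .Values.existingSecret -}}` (as the archived copy in this commit shows) and the Deployment's `secrets` projected volume reads `.Values.existingSecret | default (include "netbox.fullname" .)`, so the chart now has two independent "existing secret" switches; a user who sets only `superuser.existingSecret` still gets the chart-generated Secret created and mounted. Either route the template gate and the volume through the new helpers or document the precedence in values.yaml. Minor style: the local in `netbox.secretKey` is named `$secretName` but only serves as a guard (`$existingSecret` reads better), and `printf "%s" .Values.superuser.passwordSecretKey` is just `.Values.superuser.passwordSecretKey`.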
@@ -112,13 +112,31 @@ image: ## debug: false -# You can also use an existing secret for the superuser password and API token -# See `existingSecret` for details +## You can also use an existing secret for the superuser password and API token +## See `existingSecret` for details +## superuser: + ## @param superuser.name Netbox administrator user + ## name: admin + ## @param superuser.email Netbox administrator email address + ## email: admin@example.com + ## @param superuser.password Netbox administrator password for the new superuser + ## password: admin + ## @param superuser.apiToken Netbox administrator superuser token + ## apiToken: 0123456789abcdef0123456789abcdef01234567 + ## @param superuser.existingSecret Existing secret containing Netbox superuser password + ## + existingSecret: "" + ## @param superuser.passwordSecretKey Key where the Netbox superuser password is being stored inside the existing secret. + ## + passwordSecretKey: "" + ## @param superuser.annotations Additional custom annotations for Netbox superuser secret object + ## + annotations: {} # Skip the netbox-docker startup scripts which can pre-populate objects into a # fresh NetBox installation. By default these do nothing, but they take a while From dec7d3f0d06c9cb6f132deaf9e3a95f4080fa9e7 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:01:48 +0700 Subject: [PATCH 063/110] Add postgres helper --- charts/netbox/templates/_helpers.tpl | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index d5a498a5..62e1bb55 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl 
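Review bot: `superuser.existingSecret` gains a `passwordSecretKey`, but there is no matching key parameter for the API token, so `superuser.apiToken` is still taken from values even when an existing secret is configured; an `apiTokenSecretKey` (or a comment stating the token is never read from the secret) would keep the two credentials consistent. The shipped defaults `password: admin` and the fixed `apiToken` are evaluation values, and the `@param` text should say so, e.g. `## @param superuser.password Netbox administrator password (evaluation default; override or use existingSecret)`.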
@@ -38,6 +38,22 @@ Return the proper Netbox housekeeping fullname {{- printf "%s-%s" (include "common.names.fullname" .) "housekeeping" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "netbox.postgresql.fullname" -}} +{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "netbox.redis.fullname" -}} +{{- include "common.names.dependency.fullname" (dict "chartName" "redis" "chartValues" .Values.postgresql "context" $) -}} +{{- end -}} + {{/* Return the proper Netbox image name */}} @@ -112,6 +128,16 @@ Create the name of the service account to use {{- end }} {{- end }} +{{/* +Return the path Netbox is hosted on. This looks at httpRelativePath and returns it with a trailing slash. For example: + / -> / (the default httpRelativePath) + /auth -> /auth/ (trailing slash added) + /custom/ -> /custom/ (unchanged) +*/}} +{{- define "netbox.httpPath" -}} +{{ ternary .Values.httpRelativePath (printf "%s%s" .Values.httpRelativePath "/") (hasSuffix "/" .Values.httpRelativePath) }} +{{- end -}} + {{/* Name of the Secret that contains the PostgreSQL password */}} From 7399ada0c21dba5f7b421d8ab9f394e62a392d08 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:13:06 +0700 Subject: [PATCH 064/110] Fix database values --- charts/netbox/values.yaml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 36089adc..460bf37c 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
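Review bot: `netbox.redis.fullname` passes `.Values.postgresql` as `chartValues`, so the Redis release name is derived from the PostgreSQL section's `nameOverride`/`fullnameOverride` instead of the Redis one; it should be `"chartValues" .Values.redis` (the later "Fix redis fullname" patch in this series does exactly that). Both header comments are verbatim copies of the generic fullname text and do not say what each helper returns; `Return the fully qualified name of the bundled PostgreSQL release, via common.names.dependency.fullname` and the Redis equivalent would document them.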
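Review bot: `netbox.httpPath` is the only helper in this file that opens with `{{ ternary` rather than `{{- ternary`, and unlike its siblings it does not guard an unset value: with `httpRelativePath` nil, `hasSuffix "/" nil` and `printf "%s%s" nil "/"` either fail or render `%!s(<nil>)/` rather than the `/ -> /` case the comment promises. `{{- $p := .Values.httpRelativePath | default "/" -}}` followed by `{{- ternary $p (printf "%s/" $p) (hasSuffix "/" $p) -}}` makes the documented behaviour hold regardless of the values default, which I cannot see in this chunk.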
@@ -1725,7 +1725,6 @@ serviceMonitor: ## @param postgresql.auth.password Password for the custom user to create ## @param postgresql.auth.database Name for a custom database to create ## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials -## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) ## postgresql: enabled: true @@ -1735,7 +1734,26 @@ postgresql: password: "" database: netbox existingSecret: "" + ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## + secretKeys: + adminPasswordKey: postgres-password + userPasswordKey: password + replicationPasswordKey: replication-password + ## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) + ## architecture: standalone + ## @section PostgreSQL Primary parameters + ## + primary: + ## PostgreSQL Primary persistence configuration + ## + persistence: + ## @param postgresql.primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC + ## + enabled: false ## External PostgreSQL configuration ## All of these values are only used when postgresql.enabled is set to false From 17500329402ed2ce726ab41e6f5d1be80c15cb45 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:28:32 +0700 Subject: [PATCH 065/110] Disable podSec --- charts/netbox/templates/deployment.yaml | 5 ++++- charts/netbox/values.yaml | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) 
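Review bot: The three new `@param` entries are written as `auth.secretKeys.*` while `postgresql.architecture` a few lines below carries the full path; README generators key on the full path, so these should read `## @param postgresql.auth.secretKeys.adminPasswordKey ...` etc. (the `master.persistence.enabled` entry in the later "Disable redis persistence" patch has the same omission, and a `## @section` nested under `postgresql:` may not be what the generator expects). The three descriptions are also word-for-word identical; say which credential each key holds (admin, application user, replication user). Shipping `primary.persistence.enabled: false` means the bundled PostgreSQL loses all NetBox data on every pod restart, which is fine for CI but deserves an explicit comment if it is meant as the default.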
diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index c32174bb..66512890 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -150,7 +150,10 @@ spec: - name: init-dirs image: {{ template "netbox.init.image" . }} imagePullPolicy: {{ .Values.init.image.pullPolicy }} - command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] + command: + - /bin/sh + - '-c' + - mkdir -p /opt/unit/state /opt/unit/tmp {{- if .Values.init.resources }} resources: {{- toYaml .Values.init.resources | nindent 10 }} diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 460bf37c..aa68f621 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -813,10 +813,10 @@ extraContainerPorts: [] ## podSecurityContext: enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] fsGroup: 1000 + # fsGroupChangePolicy: Always + # sysctls: [] + # supplementalGroups: [] runAsNonRoot: true # runAsUser: 1000 # runAsGroup: 1000 From 35da29e5de4e68e8c225b028d95b47bf44ad5980 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:32:00 +0700 Subject: [PATCH 066/110] Fix PodSec --- charts/netbox/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index aa68f621..6fb15fb5 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -818,8 +818,8 @@ podSecurityContext: # sysctls: [] # supplementalGroups: [] runAsNonRoot: true - # runAsUser: 1000 - # runAsGroup: 1000 + runAsUser: 1000 + runAsGroup: 1000 ## Netbox containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param containerSecurityContext.enabled Enabled containers' Security Context 
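Review bot: Quoting in the new `command` list is inconsistent: `'-c'` is quoted while `/bin/sh` and the `mkdir -p ...` string are plain scalars. A bare `-c` is a valid plain scalar (only `- ` followed by a space is a sequence indicator), so the quotes buy nothing there, whereas the shell string is the entry that would break if a later edit introduced `: ` or ` #`. Either drop the quotes on `-c` or quote all three entries, e.g. `- '/bin/sh'`, `- '-c'`, `- 'mkdir -p /opt/unit/state /opt/unit/tmp'`.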
From a21d6430bfa0a3377a63197b723d69b684d7d260 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:39:27 +0700 Subject: [PATCH 067/110] Fix ConfigMap --- charts/netbox/templates/ConfigMap/netbox.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/netbox/templates/ConfigMap/netbox.yaml b/charts/netbox/templates/ConfigMap/netbox.yaml index 80236704..6eb2de9d 100644 --- a/charts/netbox/templates/ConfigMap/netbox.yaml +++ b/charts/netbox/templates/ConfigMap/netbox.yaml @@ -82,12 +82,12 @@ data: HOST: {{ include "netbox.databaseHost" . | quote }} USER: {{ include "netbox.databaseUser" . | quote }} NAME: {{ include "netbox.databaseName" . | quote }} - PORT: {{ include "netbox.databasePort" . | int }} + PORT: {{ include "netbox.databasePort" . }} {{- else -}} HOST: {{ include "netbox.databaseHost" . | quote }} USER: {{ include "netbox.databaseUser" . | quote }} NAME: {{ include "netbox.databaseName" . | quote }} - PORT: {{ include "netbox.databasePort" . | int }} + PORT: {{ include "netbox.databasePort" . }} {{- end }} OPTIONS: sslmode: {{ .Values.externalDatabase.sslMode | quote }} From 0e5daa1a04ec47b5e531e6d63d4e7f87f65008f8 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:44:24 +0700 Subject: [PATCH 068/110] Fix secret deployment --- charts/netbox/templates/deployment.yaml | 4 ++-- charts/netbox/templates/worker/Deployment.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 66512890..029d90ea 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
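Review bot: Dropping `| int` makes `PORT` render as whatever `netbox.databasePort` emits, and at this point in the series that helper ends in `| quote` (it is only changed in the later "Fix pqsl port helper" patch), so the rendered config carries `PORT: "5432"` as a string rather than a number. The helper's contract (quoted string or bare integer) should be stated in its header comment so call sites like this one do not have to guess. Both branches of `{{ if .Values.postgresql.enabled -}}` are now byte-identical, so the conditional is dead and can be collapsed, as the later "Fix redis on configmap" patch does.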
@@ -193,9 +193,9 @@ spec: path: ldap_bind_password {{- end }} - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} + name: {{ include "netbox.databaseSecretName" . | quote }} items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} + - key: {{ include "netbox.databaseSecretPasswordKey" . | quote }} path: db_password - secret: name: {{ include "netbox.tasksRedis.secret" . | quote }} diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index aaa93332..f6519401 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -156,9 +156,9 @@ spec: path: ldap_bind_password {{- end }} - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} + name: {{ include "netbox.databaseSecretName" . | quote }} items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} + - key: {{ include "netbox.databaseSecretPasswordKey" . | quote }} path: db_password - secret: name: {{ include "netbox.tasksRedis.secret" . | quote }} From 02ead36d8926f6608a43392261c484171b4822df Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:52:08 +0700 Subject: [PATCH 069/110] Fix pqsl port helper --- charts/netbox/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 62e1bb55..c73ffc51 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -264,7 +264,7 @@ Return the Database hostname Return the Database port */}} {{- define "netbox.databasePort" -}} - {{- ternary "5432" .Values.externalDatabase.port .Values.postgresql.enabled | quote -}} + {{- ternary 5432 .Values.externalDatabase.port .Values.postgresql.enabled | int -}} {{- end -}} {{/* From e811b1091f28a1be06101d94ae308588b2f8ea08 Mon Sep 17 00:00:00 2001 
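Review bot: `ternary 5432 .Values.externalDatabase.port .Values.postgresql.enabled | int` turns an unset `externalDatabase.port` into `0` instead of an error, so a misconfigured external database silently renders `PORT: 0` and only fails at connect time. `{{- ternary 5432 (.Values.externalDatabase.port | default 5432) .Values.postgresql.enabled | int -}}` keeps the sensible default, or `required` can make the omission visible at template time. I cannot see the values default for `externalDatabase.port` in this chunk, so the `default` may already be redundant.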
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 01:04:08 +0700 Subject: [PATCH 070/110] Fix redis on configmap --- charts/netbox/templates/ConfigMap/netbox.yaml | 25 ++++--------- charts/netbox/templates/_helpers.tpl | 36 +++++++++++++++++++ 2 files changed, 42 insertions(+), 19 deletions(-) diff --git a/charts/netbox/templates/ConfigMap/netbox.yaml b/charts/netbox/templates/ConfigMap/netbox.yaml index 6eb2de9d..a214b648 100644 --- a/charts/netbox/templates/ConfigMap/netbox.yaml +++ b/charts/netbox/templates/ConfigMap/netbox.yaml @@ -78,17 +78,10 @@ data: ALLOWED_HOSTS: {{ toJson .Values.allowedHosts }} DATABASE: - {{ if .Values.postgresql.enabled -}} HOST: {{ include "netbox.databaseHost" . | quote }} USER: {{ include "netbox.databaseUser" . | quote }} NAME: {{ include "netbox.databaseName" . | quote }} PORT: {{ include "netbox.databasePort" . }} - {{- else -}} - HOST: {{ include "netbox.databaseHost" . | quote }} - USER: {{ include "netbox.databaseUser" . | quote }} - NAME: {{ include "netbox.databaseName" . | quote }} - PORT: {{ include "netbox.databasePort" . }} - {{- end }} OPTIONS: sslmode: {{ .Values.externalDatabase.sslMode | quote }} target_session_attrs: {{ .Values.externalDatabase.targetSessionAttrs | default "read-write" | quote }} 
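Review bot: `OPTIONS.sslmode` and `target_session_attrs` are taken from `externalDatabase.*` even when the bundled PostgreSQL is in use; that was already the case, but now that the `DATABASE` block is unconditional the coupling is easy to miss. A one-line comment above `OPTIONS:`, `# connection options always come from externalDatabase.*, also for the bundled PostgreSQL`, would make it explicit; if the subchart should get different TLS settings, that needs a separate value rather than this shared one. The enclosing `data:` block continues outside the hunk.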
@@ -175,16 +168,13 @@ data: REDIS: tasks: - {{- if .Values.redis.enabled }} - HOST: {{ printf "%s-master" (include "common.names.fullname" .Subcharts.redis) | quote }} - PORT: {{ .Values.redis.master.service.ports.redis | int }} - {{- else if .Values.tasksRedis.sentinels }} + {{- if .Values.tasksRedis.sentinels }} SENTINELS: {{ toJson .Values.tasksRedis.sentinels }} SENTINEL_SERVICE: {{ .Values.tasksRedis.sentinelService | quote }} SENTINEL_TIMEOUT: {{ .Values.tasksRedis.sentinelTimeout | int }} {{- else }} - HOST: {{ .Values.tasksRedis.host | quote }} - PORT: {{ .Values.tasksRedis.port | int}} + HOST: {{ include "netbox.tasksRedis.host" . | quote }} + PORT: {{ include "netbox.tasksRedis.port" . | int }} {{- end }} USERNAME: {{ .Values.tasksRedis.username | quote }} DATABASE: {{ int .Values.tasksRedis.database }} @@ -192,16 +182,13 @@ data: INSECURE_SKIP_TLS_VERIFY: {{ toJson .Values.tasksRedis.insecureSkipTlsVerify }} CA_CERT_PATH: {{ .Values.tasksRedis.caCertPath | quote }} caching: - {{- if .Values.redis.enabled }} - HOST: {{ printf "%s-master" (include "common.names.fullname" .Subcharts.redis) | quote }} - PORT: {{ .Values.redis.master.service.ports.redis | int }} - {{- else if .Values.cachingRedis.sentinels }} + {{- if .Values.cachingRedis.sentinels }} SENTINELS: {{ toJson .Values.cachingRedis.sentinels }} SENTINEL_SERVICE: {{ .Values.cachingRedis.sentinelService | quote }} SENTINEL_TIMEOUT: {{ .Values.cachingRedis.sentinelTimeout | int }} {{- else }} - HOST: {{ .Values.cachingRedis.host | quote }} - PORT: {{ .Values.cachingRedis.port | int}} + HOST: {{ include "netbox.cachingRedis.host" . | quote }} + PORT: {{ include "netbox.cachingRedis.port" . | int }} {{- end }} USERNAME: {{ .Values.cachingRedis.username | quote }} DATABASE: {{ int .Values.cachingRedis.database }} diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index c73ffc51..996593db 100644 --- a/charts/netbox/templates/_helpers.tpl 
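Review bot: Precedence between the bundled Redis and sentinels is inverted by this hunk: before, `redis.enabled` won and `tasksRedis.sentinels` was only consulted otherwise, whereas now a non-empty `tasksRedis.sentinels` (and `cachingRedis.sentinels` in the second hunk) takes the SENTINELS branch even when `redis.enabled` is true, so a values file that sets both silently stops using the subchart. If that is intended, say so in a comment next to the `if`; otherwise guard it with `{{- if and (not .Values.redis.enabled) .Values.tasksRedis.sentinels }}` and the caching equivalent.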
+++ b/charts/netbox/templates/_helpers.tpl @@ -164,6 +164,24 @@ Name of the key in Secret that contains the PostgreSQL password {{- end -}} {{- end }} +{{/* +Return the task Redis hostname +*/}} +{{- define "netbox.tasksRedis.host" -}} +{{- if eq .Values.redis.architecture "replication" }} + {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.tasksRedis.host $) .Values.redis.enabled -}}-master +{{- else -}} + {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.tasksRedis.host $) .Values.redis.enabled -}} +{{- end -}} +{{- end -}} + +{{/* +Return the task Redis port +*/}} +{{- define "netbox.tasksRedis.port" -}} + {{- ternary 6379 .Values.tasksRedis.port .Values.redis.enabled | int -}} +{{- end -}} + {{/* Name of the Secret that contains the Redis tasks password */}} @@ -190,6 +208,24 @@ Name of the key in Secret that contains the Redis tasks password {{- end -}} {{- end }} +{{/* +Return the cache Redis hostname +*/}} +{{- define "netbox.cachingRedis.host" -}} +{{- if eq .Values.redis.architecture "replication" }} + {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.cachingRedis.host $) .Values.redis.enabled -}}-master +{{- else -}} + {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.cachingRedis.host $) .Values.redis.enabled -}} +{{- end -}} +{{- end -}} + +{{/* +Return the cache Redis port +*/}} +{{- define "netbox.cachingRedis.port" -}} + {{- ternary 6379 .Values.cachingRedis.port .Values.redis.enabled | int -}} +{{- end -}} + {{/* Name of the Secret that contains the Redis cache password */}} From e0e56311477244776e6748dfb8cb8619ea467b4e Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 01:04:53 +0700 Subject: [PATCH 071/110] Fix redis fullname --- charts/netbox/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 996593db..98f23458 100644 
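Review bot: In `netbox.tasksRedis.host` the `-master` suffix sits outside the `ternary`, so it is appended to the external `tasksRedis.host` too whenever `redis.architecture` is `replication`, and the same defect is in `netbox.cachingRedis.host` in the second hunk (the later "Fix redis hostname" patch appends the suffix in both branches, which makes every external host wrong). The suffix belongs only to the bundled-chart branch; since that later patch shows the Bitnami service is `<fullname>-master` in both architectures, the architecture test can go entirely. The port helper also ignores `redis.master.service.ports.redis`, which the removed ConfigMap code used; if that value is still configurable, `6379` should not be hard-coded.
```gotemplate
{{- define "netbox.tasksRedis.host" -}}
{{- if .Values.redis.enabled -}}
  {{- printf "%s-master" (include "netbox.redis.fullname" .) -}}
{{- else -}}
  {{- tpl .Values.tasksRedis.host $ -}}
{{- end -}}
{{- end -}}
```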
--- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -51,7 +51,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} {{- define "netbox.redis.fullname" -}} -{{- include "common.names.dependency.fullname" (dict "chartName" "redis" "chartValues" .Values.postgresql "context" $) -}} +{{- include "common.names.dependency.fullname" (dict "chartName" "redis" "chartValues" .Values.redis "context" $) -}} {{- end -}} {{/* From 4f7af04a6b5a400eec64bdd0007d512b6f03599e Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 01:12:07 +0700 Subject: [PATCH 072/110] Fix redis hostname --- charts/netbox/templates/_helpers.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 98f23458..8f72b586 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -171,7 +171,7 @@ Return the task Redis hostname {{- if eq .Values.redis.architecture "replication" }} {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.tasksRedis.host $) .Values.redis.enabled -}}-master {{- else -}} - {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.tasksRedis.host $) .Values.redis.enabled -}} + {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.tasksRedis.host $) .Values.redis.enabled -}}-master {{- end -}} {{- end -}} 
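Review bot: After this change both branches of `{{- if eq .Values.redis.architecture "replication" }}` in `netbox.tasksRedis.host` are byte-identical, so the conditional is dead code and the helper collapses to the single ternary line; the `netbox.cachingRedis.host` hunk that follows has the same shape. Note that the `-master` literal still sits outside the `ternary`, so it is now appended to an external `tasksRedis.host` unconditionally; the suffix should be applied only on the `redis.enabled` branch, e.g. `{{- ternary (printf "%s-master" (include "netbox.redis.fullname" .)) (tpl .Values.tasksRedis.host $) .Values.redis.enabled -}}`.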
@@ -215,7 +215,7 @@ Return the cache Redis hostname {{- if eq .Values.redis.architecture "replication" }} {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.cachingRedis.host $) .Values.redis.enabled -}}-master {{- else -}} - {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.cachingRedis.host $) .Values.redis.enabled -}} + {{- ternary (include "netbox.redis.fullname" .) (tpl .Values.cachingRedis.host $) .Values.redis.enabled -}}-master {{- end -}} {{- end -}} From 7d78bc2677c9e8038da64c54920c5c3d4710051a Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:01:58 +0700 Subject: [PATCH 073/110] Fix redis password helper --- charts/netbox/templates/ConfigMap/netbox.yaml | 4 +- .../templates/Secret/external-redis.yaml | 15 ++++ charts/netbox/templates/Secret/netbox.yaml | 2 +- charts/netbox/templates/_helpers.tpl | 88 ++++++++++++++++++- charts/netbox/templates/deployment.yaml | 8 +- .../netbox/templates/worker/Deployment.yaml | 8 +- charts/netbox/values.yaml | 4 + 7 files changed, 116 insertions(+), 13 deletions(-) create mode 100644 charts/netbox/templates/Secret/external-redis.yaml diff --git a/charts/netbox/templates/ConfigMap/netbox.yaml b/charts/netbox/templates/ConfigMap/netbox.yaml index a214b648..562a5659 100644 --- a/charts/netbox/templates/ConfigMap/netbox.yaml +++ b/charts/netbox/templates/ConfigMap/netbox.yaml 
@@ -196,9 +196,9 @@ data: INSECURE_SKIP_TLS_VERIFY: {{ toJson .Values.cachingRedis.insecureSkipTlsVerify }} CA_CERT_PATH: {{ .Values.cachingRedis.caCertPath | quote }} - REPORTS_ROOT: /opt/netbox/netbox/reports + REPORTS_ROOT: {{ .Values.reportsPersistence.path }} RQ_DEFAULT_TIMEOUT: {{ .Values.rqDefaultTimeout | int }} - SCRIPTS_ROOT: /opt/netbox/netbox/scripts + SCRIPTS_ROOT: {{ .Values.scriptsPersistence.path }} CSRF_COOKIE_NAME: {{ .Values.csrf.cookieName | quote }} SESSION_COOKIE_NAME: {{ .Values.sessionCookieName }} ENABLE_LOCALIZATION: {{ toJson .Values.enableLocalization }} diff --git a/charts/netbox/templates/Secret/external-redis.yaml b/charts/netbox/templates/Secret/external-redis.yaml new file mode 100644 index 00000000..592198e8 --- /dev/null +++ b/charts/netbox/templates/Secret/external-redis.yaml 
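Review bot: `REPORTS_ROOT` and `SCRIPTS_ROOT` are emitted as plain scalars, unlike the `| quote` used on the neighbouring `CSRF_COOKIE_NAME`; an empty `reportsPersistence.path` renders as `REPORTS_ROOT:` (YAML null) and a path containing `: ` or ` #` would be misparsed. Use `REPORTS_ROOT: {{ .Values.reportsPersistence.path | quote }}` and `SCRIPTS_ROOT: {{ .Values.scriptsPersistence.path | quote }}`. The enclosing `data:` block continues outside the hunk.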
@@ -0,0 +1,15 @@ +{{- if and (not .Values.redis.enabled) (not .Values.tasksRedis.existingSecret) (not .Values.cachingRedis.existingSecret) (not .Values.redis.existingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-external-redis" .Release.Name }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} + {{- if or .Values.redis.annotations .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.redis.annotations .Values.commonAnnotations) "context" $) | nindent 4 }} + {{- end }} +type: Opaque +data: + redis-cache-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-external-redis" .Release.Name) "key" "redis-cache-password" "length" 12 "providedValues" (list "cachingRedis.password") "context" $) }} + redis-tasks-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-external-redis" .Release.Name) "key" "redis-tasks-password" "length" 12 "providedValues" (list "tasksRedis.password") "context" $) }} +{{- end }} \ No newline at end of file diff --git a/charts/netbox/templates/Secret/netbox.yaml b/charts/netbox/templates/Secret/netbox.yaml index 619cd5b3..a09d194b 100644 --- a/charts/netbox/templates/Secret/netbox.yaml +++ b/charts/netbox/templates/Secret/netbox.yaml 
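Review bot: If only one of `tasksRedis.existingSecret` / `cachingRedis.existingSecret` is set, this Secret is not rendered at all (the guard requires both to be empty), yet the other side's `secretName` helper added in this patch still falls back to `<release>-external-redis`, so its volume points at a Secret that does not exist and the pod never starts. The Secret should be rendered whenever at least one of the two passwords is chart-managed, with each `data` entry under its own condition. The guard also reads `.Values.redis.existingSecret` while the helpers read `.Values.redis.auth.existingSecret`; one of the two paths is presumably wrong and should be confirmed against the subchart. The file also lacks a trailing newline.
```yaml
{{- if and (not .Values.redis.enabled) (not .Values.redis.existingSecret) (or (not .Values.tasksRedis.existingSecret) (not .Values.cachingRedis.existingSecret)) }}
# … unchanged: apiVersion, kind, metadata, type …
data:
  {{- if not .Values.cachingRedis.existingSecret }}
  redis-cache-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-external-redis" .Release.Name) "key" "redis-cache-password" "length" 12 "providedValues" (list "cachingRedis.password") "context" $) }}
  {{- end }}
  {{- if not .Values.tasksRedis.existingSecret }}
  redis-tasks-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-external-redis" .Release.Name) "key" "redis-tasks-password" "length" 12 "providedValues" (list "tasksRedis.password") "context" $) }}
  {{- end }}
{{- end }}
```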
@@ -10,7 +10,7 @@ metadata: type: Opaque data: {{ if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecretName) -}} - db_password: {{ .Values.externalDatabase.password | b64enc | quote }} + db_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.postgresql.fullname" .)) "key" "password" "length" 10 "providedValues" (list "externalDatabase.password") "context" $) }} {{ end -}} email_password: {{ .Values.email.password | b64enc | quote }} {{ if and (not .Values.redis.enabled) (not .Values.tasksRedis.existingSecretName) -}} diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 8f72b586..7a77f741 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -164,6 +164,29 @@ Name of the key in Secret that contains the PostgreSQL password {{- end -}} {{- end }} +{{/* +Return the Redis secret name +*/}} +{{- define "netbox.tasksRedis.secretName" -}} +{{- if .Values.redis.enabled -}} + {{- if .Values.global.redis -}} + {{- if .Values.global.redis.auth -}} + {{- if .Values.global.redis.auth.existingSecret -}} + {{- tpl .Values.global.redis.auth.existingSecret $ -}} + {{- else -}} + {{- default (include "netbox.redis.fullname" .) (tpl .Values.redis.auth.existingSecret $) -}} + {{- end -}} + {{- else -}} + {{- default (include "netbox.redis.fullname" .) (tpl .Values.redis.auth.existingSecret $) -}} + {{- end -}} + {{- else -}} + {{- default (include "netbox.redis.fullname" .) (tpl .Values.redis.auth.existingSecret $) -}} + {{- end -}} +{{- else -}} + {{- default (printf "%s-external-redis" .Release.Name) (tpl .Values.tasksRedis.existingSecret $) -}} +{{- end -}} +{{- end -}} + {{/* Return the task Redis hostname */}} 
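Review bot: Generating a random password for an external database cannot work: `common.secrets.passwords.manage` returns a random value when `externalDatabase.password` is empty, so NetBox authenticates to a database that was never given that password and the mistake only surfaces at connect time. With `postgresql.enabled` false, an empty password and no existing secret should be rejected at render time instead, e.g. `db_password: {{ required "externalDatabase.password is required when postgresql.enabled is false" .Values.externalDatabase.password | b64enc | quote }}` (or via the `netbox.validateValues.database` helper seen earlier in this series). The lookup name also points at `netbox.postgresql.fullname` rather than this Secret's own name, so the upgrade-retention lookup would read a different object, and `printf "%s" (...)` around it is a no-op.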
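Review bot: `netbox.tasksRedis.secretName` repeats `{{- default (include "netbox.redis.fullname" .) (tpl .Values.redis.auth.existingSecret $) -}}` in three identical else branches; the nesting exists only to avoid dereferencing a missing `global.redis.auth`, which a single `{{- $global := dig "redis" "auth" "existingSecret" "" .Values.global -}}` followed by `{{- tpl (coalesce $global .Values.redis.auth.existingSecret (include "netbox.redis.fullname" .)) $ -}}` expresses in two lines. The header comment `Return the Redis secret name` should say this is the tasks Redis secret, since a caching twin is added further down in this patch. Note also that `Secret/external-redis.yaml` in this patch tests `.Values.redis.existingSecret` while this helper reads `.Values.redis.auth.existingSecret`; the two should agree.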
@@ -182,6 +205,25 @@ Return the task Redis port {{- ternary 6379 .Values.tasksRedis.port .Values.redis.enabled | int -}} {{- end -}} +{{/* +Add environment variables to configure tasks Redis values +*/}} +{{- define "netbox.tasksRedis.secretPasswordKey" -}} +{{- if .Values.redis.enabled -}} + {{- print "redis-password" -}} +{{- else -}} + {{- if .Values.tasksRedis.existingSecret -}} + {{- if .Values.tasksRedis.existingSecretPasswordKey -}} + {{- printf "%s" .Values.tasksRedis.existingSecretPasswordKey -}} + {{- else -}} + {{- print "redis-tasks-password" -}} + {{- end -}} + {{- else -}} + {{- print "redis-tasks-password" -}} + {{- end -}} +{{- end -}} +{{- end -}} + {{/* Name of the Secret that contains the Redis tasks password */}} @@ -208,6 +250,29 @@ Name of the key in Secret that contains the Redis tasks password {{- end -}} {{- end }} +{{/* +Return the Redis secret name +*/}} +{{- define "netbox.cachingRedis.secretName" -}} +{{- if .Values.redis.enabled -}} + {{- if .Values.global.redis -}} + {{- if .Values.global.redis.auth -}} + {{- if .Values.global.redis.auth.existingSecret -}} + {{- tpl .Values.global.redis.auth.existingSecret $ -}} + {{- else -}} + {{- default (include "netbox.redis.fullname" .) (tpl .Values.redis.auth.existingSecret $) -}} + {{- end -}} + {{- else -}} + {{- default (include "netbox.redis.fullname" .) (tpl .Values.redis.auth.existingSecret $) -}} + {{- end -}} + {{- else -}} + {{- default (include "netbox.redis.fullname" .) (tpl .Values.redis.auth.existingSecret $) -}} + {{- end -}} +{{- else -}} + {{- default (printf "%s-external-redis" .Release.Name) (tpl .Values.cachingRedis.existingSecret $) -}} +{{- end -}} +{{- end -}} + {{/* Return the cache Redis hostname */}} 
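Review bot: The header comment on `netbox.tasksRedis.secretPasswordKey` reads `Add environment variables to configure tasks Redis values`, copied from another helper; it should be `Return the key in the Secret that holds the tasks Redis password` (the `netbox.cachingRedis.secretPasswordKey` helper added further down in this patch carries the same copied text and should say cache). When `redis.enabled` is true the key is hard-coded to `redis-password`, which ignores a user-supplied `redis.auth.existingSecretPasswordKey` on the bundled chart; `{{- default "redis-password" .Values.redis.auth.existingSecretPasswordKey -}}` would honour it. The nested `if`s in the else branch reduce to `{{- ternary (default "redis-tasks-password" .Values.tasksRedis.existingSecretPasswordKey) "redis-tasks-password" (not (empty .Values.tasksRedis.existingSecret)) -}}`.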
@@ -226,6 +291,25 @@ Return the cache Redis port {{- ternary 6379 .Values.cachingRedis.port .Values.redis.enabled | int -}} {{- end -}} +{{/* +Add environment variables to configure tasks Redis values +*/}} +{{- define "netbox.cachingRedis.secretPasswordKey" -}} +{{- if .Values.redis.enabled -}} + {{- print "redis-password" -}} +{{- else -}} + {{- if .Values.cachingRedis.existingSecret -}} + {{- if .Values.cachingRedis.existingSecretPasswordKey -}} + {{- printf "%s" .Values.cachingRedis.existingSecretPasswordKey -}} + {{- else -}} + {{- print "redis-cache-password" -}} + {{- end -}} + {{- else -}} + {{- print "redis-cache-password" -}} + {{- end -}} +{{- end -}} +{{- end -}} + {{/* Name of the Secret that contains the Redis cache password */}} @@ -401,14 +485,14 @@ Add environment variables to configure database values {{- if .Values.externalDatabase.existingSecretUserKey -}} {{- printf "%s" .Values.externalDatabase.existingSecretUserKey -}} {{- else -}} - {{- print "db-port" -}} + {{- print "db-user" -}} {{- end -}} {{- end -}} {{- define "netbox.databaseSecretDatabaseKey" -}} {{- if .Values.externalDatabase.existingSecretDatabaseKey -}} {{- printf "%s" .Values.externalDatabase.existingSecretDatabaseKey -}} {{- else -}} - {{- print "db-port" -}} + {{- print "db-name" -}} {{- end -}} {{- end -}} diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 029d90ea..e1d5f446 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -198,14 +198,14 @@ spec: - key: {{ include "netbox.databaseSecretPasswordKey" . | quote }} path: db_password - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} + name: {{ include "netbox.tasksRedis.secretName" . | quote }} items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + - key: {{ include "netbox.tasksRedis.secretPasswordKey" . | quote }} path: redis_tasks_password - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} + name: {{ include "netbox.cachingRedis.secretName" . | quote }} items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + - key: {{ include "netbox.cachingRedis.secretPasswordKey" . | quote }} path: redis_cache_password {{- include "netbox.extraConfig.volumes" . | nindent 8 -}} - name: netbox-tmp diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index f6519401..a788ad16 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -161,14 +161,14 @@ spec: - key: {{ include "netbox.databaseSecretPasswordKey" . | quote }} path: db_password - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} + name: {{ include "netbox.tasksRedis.secretName" . | quote }} items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + - key: {{ include "netbox.tasksRedis.secretPasswordKey" . | quote }} path: redis_tasks_password - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} + name: {{ include "netbox.cachingRedis.secretName" . | quote }} items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + - key: {{ include "netbox.cachingRedis.secretPasswordKey" . | quote }} path: redis_cache_password {{- include "netbox.extraConfig.volumes" . | nindent 8 -}} - name: netbox-tmp diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 6fb15fb5..c4ebbdff 100644 --- a/charts/netbox/values.yaml 
+++ b/charts/netbox/values.yaml @@ -1828,8 +1828,10 @@ tasksRedis: sentinelTimeout: 300 username: "" password: "" + existingSecret: "" existingSecretName: "" existingSecretKey: redis-password + existingSecretPasswordKey: "" cachingRedis: database: 1 @@ -1847,8 +1849,10 @@ cachingRedis: sentinelTimeout: 300 username: "" password: "" + existingSecret: "" existingSecretName: "" existingSecretKey: redis-password + existingSecretPasswordKey: "" gateway: enabled: false From b1958e465ee3dfae1696ea5a995581d5965b2f3e Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:08:02 +0700 Subject: [PATCH 074/110] debug db password --- charts/netbox/templates/ConfigMap/netbox.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/netbox/templates/ConfigMap/netbox.yaml b/charts/netbox/templates/ConfigMap/netbox.yaml index 562a5659..a077e8a7 100644 --- a/charts/netbox/templates/ConfigMap/netbox.yaml +++ b/charts/netbox/templates/ConfigMap/netbox.yaml @@ -55,6 +55,7 @@ data: _load_yaml() + # db_password: {{ include "common.secrets.lookup" (dict "secret" (include "netbox.databaseSecretName" .) "key" (include "netbox.databaseSecretPasswordKey" .) "defaultValue" .Values.postgresql.auth.password "context" $) }} DATABASE["PASSWORD"] = _load_secret("netbox", "db_password") EMAIL["PASSWORD"] = _load_secret("netbox", "email_password") REDIS["tasks"]["PASSWORD"] = _load_secret("netbox", "redis_tasks_password") From 6754a52e5900bfbd1074675810c747300bc303bb Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:12:20 +0700 Subject: [PATCH 075/110] Disable redis persistence --- charts/netbox/values.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index c4ebbdff..d18b65a8 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
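Review bot: `existingSecret` is added next to the pre-existing `existingSecretName`, and `existingSecretPasswordKey` next to `existingSecretKey`, so each Redis block now has two knobs for the same setting: the new helpers read `tasksRedis.existingSecret`, while `Secret/netbox.yaml` in this same patch still tests `tasksRedis.existingSecretName`, so a user setting only one of them gets a chart-managed Secret and a volume that point at different objects. Pick one pair, migrate every template to it and drop or deprecate the other. The new keys also lack the `## @param` lines used throughout the rest of the file.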
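Review bot: The added `# db_password:` line writes the database password into the ConfigMap: the leading `#` only comments it out for the Python consumer, but Helm still evaluates `{{ include "common.secrets.lookup" ... }}` at render time, so the resolved password (or the `postgresql.auth.password` default) lands in clear text in a non-Secret object, in `helm get manifest` output and in anything that archives ConfigMaps. Debug output of this kind should not be committed; remove the line, and if the lookup is needed for troubleshooting, render it into the Secret or a `helm template` run rather than the ConfigMap. The enclosing `data:` block continues outside the hunk.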
@@ -1811,6 +1811,16 @@ redis: ## @param auth.enabled Enable password authentication ## enabled: true + ## @section Redis master configuration parameters + ## + master: + ## Persistence parameters + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + ## + persistence: + ## @param master.persistence.enabled Enable persistence on Redis master nodes using Persistent Volume Claims + ## + enabled: false tasksRedis: database: 0 From 027b0daa2d2604bc4c7dca36d62b94b3298727de Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:25:53 +0700 Subject: [PATCH 076/110] Fix subpath --- charts/netbox/templates/deployment.yaml | 12 +++++++++--- charts/netbox/templates/worker/Deployment.yaml | 12 +++++++++--- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index e1d5f446..c9803aa0 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -122,13 +122,19 @@ spec: mountPath: /tmp - name: media mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath | quote }} + {{- end }} - name: reports mountPath: {{ .Values.reportsPersistence.path }} - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.subPath }} + subPath: {{ .Values.reportsPersistence.subPath | quote }} + {{- end }} - name: scripts mountPath: {{ .Values.scriptsPersistence.path }} - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- if .Values.scriptsPersistence.subPath }} + subPath: {{ .Values.scriptsPersistence.subPath | quote }} + {{- end }} - name: optunit mountPath: /opt/unit - name: secrets 
diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index a788ad16..327f8b7a 100644 --- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -111,13 +111,19 @@ spec: mountPath: /tmp - name: media mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath | quote }} + {{- end }} - name: reports mountPath: {{ .Values.reportsPersistence.path }} - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} + {{- if .Values.reportsPersistence.subPath }} + subPath: {{ .Values.reportsPersistence.subPath | quote }} + {{- end }} - name: scripts mountPath: {{ .Values.scriptsPersistence.path }} - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} + {{- if .Values.scriptsPersistence.subPath }} + subPath: {{ .Values.scriptsPersistence.subPath | quote }} + {{- end }} {{- if .Values.worker.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" .Values.worker.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} From 676733574adf7f39df91d61a6cef189527ee39d1 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:43:01 +0700 Subject: [PATCH 077/110] Add envFrom --- charts/netbox/templates/deployment.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index c9803aa0..8b46c51c 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -56,6 +56,11 @@ spec: {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} env: - name: SUPERUSER_NAME value: {{ .Values.superuser.name | quote }} @@ -81,6 +86,17 @@ spec: {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} + envFrom: + - configMapRef: + name: {{ printf "%s-env-vars" (include "netbox.fullname" .) }} + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} ports: - name: http containerPort: {{ .Values.containerPorts.http }} From f5630b6dd18e7b0db9e65d386af2884098ad9951 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:50:26 +0700 Subject: [PATCH 078/110] Add deployment tune --- charts/netbox/templates/deployment.yaml | 67 ++++++++++++++++--------- 1 file changed, 42 insertions(+), 25 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 8b46c51c..2ff24bda 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
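Review bot: The unconditional `configMapRef` in the second hunk names a ConfigMap `<fullname>-env-vars`, but this commit's diffstat lists only deployment.yaml and no template on this page creates that ConfigMap; if it does not already exist in the chart, every pod sits in CreateContainerConfigError until it is added. Either ship the ConfigMap template in the same commit or make the first `envFrom` entry conditional like the `extraEnvVarsCM` and `extraEnvVarsSecret` entries beneath it. The first hunk reads `.Values.diagnosticMode.enabled`, and none of the values.yaml hunks on this page defines `diagnosticMode`; Helm aborts rendering with a nil-pointer error when that parent key is absent, so the default needs to land in values.yaml alongside this template change. The two `name:` lines rendered via `common.tplvalues.render` are unquoted; `| quote` on them matches how the rest of the chart renders names. The container spec continues outside the hunk.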
@@ -20,8 +20,7 @@ spec: app.kubernetes.io/component: server app.kubernetes.io/part-of: netbox {{ if .Values.updateStrategy -}} - strategy: - {{- toYaml .Values.updateStrategy | nindent 4 }} + strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} {{ end -}} template: metadata: 
@@ -43,12 +42,50 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} {{- end }} spec: - {{- include "netbox.imagePullSecrets" . | nindent 6 }} - serviceAccountName: {{ include "netbox.serviceAccountName" . }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + {{- end }} + {{- if semverCompare ">= 1.13" (include "common.capabilities.kubeVersion" .) }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- end }} + {{- include "netbox.imagePullSecrets" . 
| nindent 6 }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} {{- if .Values.podSecurityContext.enabled }} securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} + serviceAccountName: {{ include "netbox.serviceAccountName" . }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} containers: - name: netbox image: {{ template "netbox.image" . }} 
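Review bot: `enableServiceLinks: {{ .Values.enableServiceLinks }}` renders an empty value (YAML null, which Kubernetes treats as the default `true`) whenever the key is unset, and none of the values.yaml hunks on this page defines `enableServiceLinks`, `dnsPolicy`, `dnsConfig`, `hostAliases` or `terminationGracePeriodSeconds`; the `if`-guarded ones fall back harmlessly, but `enableServiceLinks` should either be added to values.yaml with an explicit default or guarded the same way. The affinity fallback reads `$podLabels`, which is not defined inside this hunk — fine if it is set in the pod metadata above, otherwise rendering fails. Quoting is inconsistent: `priorityClassName` is quoted while `schedulerName: {{ .Values.schedulerName }}` and `dnsPolicy: {{ .Values.dnsPolicy }}` are not; `| quote` on all three keeps the output well-formed. The pod spec continues past the hunk.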
@@ -259,24 +296,4 @@ spec: {{- end }} {{- if .Values.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- with .Values.hostAliases }} - hostAliases: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 6 }} - {{- end }} \ No newline at end of file + {{- end }} \ No newline at end of file From 2740bfdfc365e1095849b4002527e60d37685627 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:51:08 +0700 Subject: [PATCH 079/110] Enable postgres persistence --- charts/netbox/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index d18b65a8..5572d74c 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -1753,7 +1753,7 @@ postgresql: persistence: ## @param postgresql.primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC ## - enabled: false + enabled: true ## External PostgreSQL configuration ## All of these values are only used when postgresql.enabled is set to false From d3850fd7d333bafe2125f37c6ebd13cd75dc1200 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 03:01:13 +0700 Subject: [PATCH 080/110] cleanup housekeeping --- charts/netbox/templates/cronjob.yaml | 50 ++++++++++++++-------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/charts/netbox/templates/cronjob.yaml b/charts/netbox/templates/cronjob.yaml index 98f7e15e..f2fb1403 100644 
--- a/charts/netbox/templates/cronjob.yaml +++ b/charts/netbox/templates/cronjob.yaml @@ -3,13 +3,14 @@ apiVersion: batch/v1 kind: CronJob metadata: name: {{ template "netbox.housekeeping.fullname" . }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "netbox.labels" . | nindent 4 }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: housekeeping + app.kubernetes.io/part-of: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: concurrencyPolicy: {{ .Values.housekeeping.concurrencyPolicy }} failedJobsHistoryLimit: {{ .Values.housekeeping.failedJobsHistoryLimit }} 
@@ -18,21 +19,20 @@ spec: suspend: {{ .Values.housekeeping.suspend }} jobTemplate: metadata: - labels: - {{- include "netbox.labels" . | nindent 8 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.housekeeping.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: housekeeping + app.kubernetes.io/part-of: netbox spec: template: metadata: - {{- with .Values.housekeeping.podAnnotations }} + {{- if .Values.podAnnotations }} annotations: - {{- toYaml . | nindent 12 }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 12 }} {{- end }} - labels: - {{- include "netbox.selectorLabels" . | nindent 12 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 12 }} app.kubernetes.io/component: housekeeping - {{- with .Values.housekeeping.podLabels }} - {{- toYaml . | nindent 12 }} - {{- end }} + app.kubernetes.io/part-of: netbox spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -47,14 +47,14 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} containers: - - name: {{ template "netbox.housekeeping.fullname" . }} + - name: housekeeping securityContext: {{- toYaml .Values.housekeeping.securityContext | nindent 14 }} image: {{ template "netbox.housekeeping.image" . }} command: - - /opt/netbox/venv/bin/python - - /opt/netbox/netbox/manage.py - - housekeeping + - /opt/netbox/venv/bin/python + - /opt/netbox/netbox/manage.py + - housekeeping imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.housekeeping.extraEnvs }} env: 
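Review bot: The annotation guard in the first hunk switches from `.Values.housekeeping.podAnnotations` to the global `.Values.podAnnotations`, so any annotations configured specifically for the housekeeping pod are now silently dropped, while `housekeeping.podLabels` is still honoured through `$podLabels` — the two scopes no longer agree. If the intent is to share the server's annotations, merge rather than replace: `{{- $podAnnotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.housekeeping.podAnnotations .Values.podAnnotations ) "context" . ) }}` and render `$podAnnotations` in the `annotations:` block; otherwise keep the housekeeping-scoped key and note the change in the chart's upgrade notes. The job pod spec continues outside the hunk.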
@@ -123,19 +123,19 @@ spec: path: ldap_bind_password {{- end }} - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} + name: {{ include "netbox.databaseSecretName" . | quote }} items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} + - key: {{ include "netbox.databaseSecretPasswordKey" . | quote }} path: db_password - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} + name: {{ include "netbox.tasksRedis.secretName" . | quote }} items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} + - key: {{ include "netbox.tasksRedis.secretPasswordKey" . | quote }} path: redis_tasks_password - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} + name: {{ include "netbox.cachingRedis.secretName" . | quote }} items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} + - key: {{ include "netbox.cachingRedis.secretPasswordKey" . | quote }} path: redis_cache_password {{- include "netbox.extraConfig.volumes" . | nindent 10 -}} - name: netbox-tmp From dfa2a3007ef800425fc6621023e5d51b767c9380 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 03:47:18 +0700 Subject: [PATCH 081/110] Add redis wait --- charts/netbox/templates/_helpers.tpl | 64 +++ charts/netbox/templates/deployment.yaml | 42 ++ charts/netbox/values.yaml | 550 +++++++++++++++--------- 3 files changed, 462 insertions(+), 194 deletions(-) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 7a77f741..2cd78abf 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl 
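Review bot: The six renamed helpers (`netbox.databaseSecretName`, `netbox.databaseSecretPasswordKey`, `netbox.tasksRedis.secretName`, `netbox.tasksRedis.secretPasswordKey`, `netbox.cachingRedis.secretName`, `netbox.cachingRedis.secretPasswordKey`) are not defined in this commit, whose diffstat lists only cronjob.yaml; unless an earlier commit added them to _helpers.tpl, `helm template` fails on this CronJob. The later "Add redis wait" commit introduces a separate `netbox.redis.secretName` / `netbox.redis.secretPasswordKey` pair, so the chart ends up with two parallel conventions for locating the Redis password; consolidating on one keeps the caching and tasks secrets from drifting away from the one the wait init container mounts. The volumes list continues outside the hunk.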
@@ -496,6 +496,70 @@ Add environment variables to configure database values {{- end -}} {{- end -}} +{{/* +Return the Redis® secret name +*/}} +{{- define "netbox.redis.secretName" -}} +{{- if .Values.redis.enabled }} + {{- if .Values.redis.auth.existingSecret }} + {{- printf "%s" .Values.redis.auth.existingSecret -}} + {{- else -}} + {{- printf "%s" (include "netbox.redis.fullname" .) }} + {{- end -}} +{{- else if .Values.externalRedis.existingSecret }} + {{- printf "%s" .Values.externalRedis.existingSecret -}} +{{- else -}} + {{- printf "%s-redis" (include "netbox.redis.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Redis® secret key +*/}} +{{- define "netbox.redis.secretPasswordKey" -}} +{{- if and .Values.redis.enabled .Values.redis.auth.existingSecret }} + {{- .Values.redis.auth.existingSecretPasswordKey | printf "%s" }} +{{- else if and (not .Values.redis.enabled) .Values.externalRedis.existingSecret }} + {{- .Values.externalRedis.existingSecretPasswordKey | printf "%s" }} +{{- else -}} + {{- printf "redis-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Return whether Redis® uses password authentication or not +*/}} +{{- define "netbox.redis.auth.enabled" -}} +{{- if or (and .Values.redis.enabled .Values.redis.auth.enabled) (and (not .Values.redis.enabled) (or .Values.externalRedis.password .Values.externalRedis.existingSecret)) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Redis® hostname +*/}} +{{- define "netbox.redisHost" -}} +{{- if .Values.redis.enabled }} + {{- printf "%s-master" (include "netbox.redis.fullname" .) 
-}} +{{- else if .Values.externalRedis.host -}} + {{- .Values.externalRedis.host -}} +{{- else -}} + {{- required "If the redis dependency is disabled you need to add an external redis host" .Values.externalRedis.host -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Redis® port +*/}} +{{- define "netbox.redisPort" -}} +{{- if .Values.redis.enabled }} + {{- .Values.redis.service.port -}} +{{- else -}} + {{- .Values.externalRedis.port -}} +{{- end -}} +{{- end -}} + + {{/* Return the secret containing the Netbox superuser password */}} diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 2ff24bda..3a2e40d7 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
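Review bot: `netbox.redis.secretPasswordKey` emits `.Values.externalRedis.existingSecretPasswordKey` verbatim when `externalRedis.existingSecret` is set, so an unset key renders an empty `secretKeyRef.key` and the pod is rejected at admission; `{{- .Values.externalRedis.existingSecretPasswordKey | default "redis-password" }}` (and the same `| default` on the `redis.auth` branch) keeps those branches consistent with the final `else`. In `netbox.redis.secretName` the external-Redis fallback resolves to `<fullname>-redis`, a Secret that none of the three files in this commit creates; if `externalRedis.password` is meant to work, the Secret template that stores it has to exist or the init container that mounts it fails. In `netbox.redisHost` the `else if .Values.externalRedis.host` branch is only reached when `required` would succeed anyway, so the helper reduces to `{{- required "If the redis dependency is disabled you need to add an external redis host" .Values.externalRedis.host -}}`. Each helper also deserves a short comment stating which branch applies when the bundled subchart is enabled versus `externalRedis`, since callers elsewhere in the chart use a different helper family for the same lookup.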
@@ -222,6 +222,48 @@ spec: volumeMounts: - name: optunit mountPath: /opt/unit + {{- if .Values.redisWait.enabled }} + - name: wait-for-redis + image: {{ include "netbox.redis.image" . }} + imagePullPolicy: {{ .Values.redis.image.pullPolicy | quote }} + securityContext: {{- omit .Values.redisWait.containerSecurityContext "enabled" | toYaml | nindent 12 }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + set -o errexit + set -o nounset + set -o pipefail + + . /opt/bitnami/scripts/libos.sh + . /opt/bitnami/scripts/liblog.sh + + check_redis_connection() { + local result="$(redis-cli -h {{ include "netbox.redisHost" . }} -p {{ include "netbox.redisPort" . }} {{ .Values.redisWait.extraArgs }} PING)" + if [[ "$result" != "PONG" ]]; then + false + fi + } + + info "Checking redis connection..." + if ! retry_while "check_redis_connection"; then + error "Could not connect to the Redis server" + return 1 + else + info "Connected to the Redis instance" + fi + {{- if include "netbox.redis.auth.enabled" . }} + env: + - name: REDISCLI_AUTH + valueFrom: + secretKeyRef: + name: {{ include "netbox.redis.secretName" . }} + key: {{ include "netbox.redis.secretPasswordKey" . }} + {{- end }} + {{- end }} {{- if or .Values.initContainers $needsVolumePermissions }} {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 10 }} diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 5572d74c..b3e9c5c5 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
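Review bot: The wait script ends with `return 1` at the top level of a script handed to `bash -ec`, where `return` is not inside a function; `exit 1` there makes the init container's failure status unambiguous instead of depending on how bash treats a stray `return` under errexit. `.Values.redisWait.enabled`, `.Values.redisWait.containerSecurityContext` and `.Values.redisWait.extraArgs` are read, but no values.yaml hunk on this page defines `redisWait`, and `netbox.redis.image` is not among the helpers added to _helpers.tpl in this commit, so rendering fails on the nil `redisWait` map unless both are defined elsewhere. Passing the password through `REDISCLI_AUTH` rather than `-a` is the right choice, since it keeps the secret out of the process list and container logs. `{{ .Values.redisWait.extraArgs }}` is spliced into the script body unquoted; it is operator-controlled, but a values.yaml comment stating that it is interpolated verbatim into the shell script (intended for flags such as TLS options) would avoid surprises. The initContainers list continues outside the hunk.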
@@ -111,6 +111,270 @@ image: ## Set to true if you would like to see extra information on logs ## debug: false +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param preExecCmds Additional commands to run prior to starting Netbox worker +## +preExecCmds: [] +## @param extraFlags Array with additional command line flags for Netbox worker +## e.g: +## extraFlags: +## - "--maxmemory-policy volatile-ttl" +## - "--repl-backlog-size 1024mb" +## +extraFlags: [] +## @param extraEnvVars Array with extra environment variables to add to Netbox worker nodes +## e.g: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] +## @params extraEnvs Additional environment variables to set +## - name: FOO +## valueFrom: +## secretKeyRef: +## key: FOO +## name: secret-resource +## +extraEnvs: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Netbox worker nodes +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for Netbox worker nodes +## +extraEnvVarsSecret: "" +## @param containerPorts.redis Container port to open on Netbox worker nodes +## +containerPorts: + http: 8080 +## Configure extra options for Netbox containers' liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param startupProbe.enabled Enable startupProbe on Netbox worker nodes +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## 
+startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 60 +## @param livenessProbe.enabled Enable livenessProbe on Netbox worker nodes +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 300 + periodSeconds: 1 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 +## @param readinessProbe.enabled Enable readinessProbe on Netbox worker nodes +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 +## @param customStartupProbe Custom startupProbe that overrides the default one +## +customStartupProbe: {} +## @param customLivenessProbe Custom livenessProbe that overrides the default one +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readinessProbe that overrides the default one +## +customReadinessProbe: {} +## Netbox worker resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## @param resources.limits The resources limits for the Netbox worker containers +## @param resources.requests The requested resources for the 
Netbox worker containers +## +resources: + limits: {} + requests: {} +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled Netbox pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set Netbox worker pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroup: 1000 + fsGroupChangePolicy: Always + runAsNonRoot: true + # runAsUser: 1000 + # runAsGroup: 1000 + sysctls: [] + supplementalGroups: [] +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled Netbox worker containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set Netbox worker containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set Netbox worker containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set Netbox worker containers' Security Context runAsNonRoot +## @param containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate Netbox pod(s) privileges +## @param containerSecurityContext.seccompProfile.type Set Netbox worker containers' Security Context seccompProfile +## @param containerSecurityContext.capabilities.drop Set Netbox worker containers' Security Context capabilities to drop +## +containerSecurityContext: + enabled: true + seLinuxOptions: null + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + 
allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL +## @param schedulerName Alternate scheduler for Netbox worker pods +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param updateStrategy.type Netbox worker statefulset strategy type +## @skip updateStrategy.rollingUpdate +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate, OnDelete (statefulset), Recreate (deployment) + ## + type: RollingUpdate +## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update +## +minReadySeconds: 0 +## @param priorityClassName Netbox worker pods' priorityClassName +## +priorityClassName: "" +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false +## @param podLabels Extra labels for Netbox worker pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations Annotations for Netbox worker pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param shareProcessNamespace Share a single process namespace between all of the containers in Netbox worker pods +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ +## +shareProcessNamespace: false +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity Affinity for Netbox worker pods assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## NOTE: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set +## +affinity: {} +## @param nodeSelector Node labels for Netbox worker pods assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param tolerations Tolerations for Netbox worker pods assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param topologySpreadConstraints Spread Constraints for Netbox worker pod assignment +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## E.g. 
+## topologySpreadConstraints: +## - maxSkew: 1 +## topologyKey: node +## whenUnsatisfiable: DoNotSchedule +## +topologySpreadConstraints: [] +## @param lifecycleHooks for the Netbox worker container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +## @param extraVolumes Optionally specify extra list of additional volumes for the Netbox worker pod(s) +## +extraVolumes: [] +## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Netbox worker container(s) +## +extraVolumeMounts: [] +## @param sidecars Add additional sidecar containers to the Netbox worker pod(s) +## e.g: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: [] +## @param extraContainers Additional containers to be added to the NetBox pod. +## - name: my-sidecar +## image: nginx:latest +## +extraContainers: [] +## @param worker.initContainers Add additional init containers to the Netbox worker pod(s) +## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ +## e.g: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## command: ['sh', '-c', 'echo "hello world"'] +## +initContainers: [] +## @extraInitContainers Containers which are run before the NetBox containers are started. +## - name: init-myservice +## image: busybox +## command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] +## +extraInitContainers: [] ## You can also use an existing secret for the superuser password and API token ## See `existingSecret` for details @@ -781,10 +1045,6 @@ scriptsPersistence: ## existingClaim: "" -podAnnotations: {} - -podLabels: {} - ## @section Netbox deployment parameters ## @param replicaCount Number of Netbox replicas to deploy 
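Review bot: The new `containerSecurityContext` block drops the `readOnlyRootFilesystem: true` that the block removed in the `@@ -793` hunk carried, so the server container now defaults to a writable root filesystem; add `readOnlyRootFilesystem: true` (and, for explicitness, `privileged: false`) back — the deployment already mounts `/tmp`, media, reports and scripts as volumes, so the previous default was workable. The block also moves to `runAsUser: 1001` / `runAsGroup: 0` while `podSecurityContext.fsGroup` stays `1000` and the `init` container further down still says `runAsUser: 1000` / `runAsGroup: 1000 # Keep the same as securityContext.runAsGroup`; unless the image was switched to a 1001 UID, that mismatch breaks ownership of the shared volumes. Several `@param` lines document a key other than the one beneath them — `containerPorts.redis` above `containerPorts.http`, `worker.initContainers` above top-level `initContainers`, `@params extraEnvs`, `@extraInitContainers` missing `param`, and `updateStrategy.type` described as a statefulset strategy for a Deployment — so the README generator will publish wrong names. `livenessProbe` is now enabled with `periodSeconds: 1` and `timeoutSeconds: 5`, which probes faster than it times out; `periodSeconds: 10` matches the readiness probe. `containerPorts.https` is removed while `service.nodePorts.https` remains in the `@@ -924` hunk's context, so check that nothing still renders the https port.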
@@ -793,111 +1053,10 @@ replicaCount: 1 ## @param revisionHistoryLimitCount Number of controller revisions to keep ## revisionHistoryLimitCount: 10 -## @param containerPorts.http Netbox HTTP container port -## @param containerPorts.https Netbox HTTPS container port -## -containerPorts: - http: 8080 - https: 8443 ## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Netbox container ## extraContainerPorts: [] -## Netbox pods' SecurityContext -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## @param podSecurityContext.enabled Enabled Netbox pods' Security Context -## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy -## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface -## @param podSecurityContext.supplementalGroups Set filesystem extra groups -## @param podSecurityContext.fsGroup Set Netbox pod's Security Context fsGroup -## -podSecurityContext: - enabled: true - fsGroup: 1000 - # fsGroupChangePolicy: Always - # sysctls: [] - # supplementalGroups: [] - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 -## Netbox containers' Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container -## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser -## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot -## @param containerSecurityContext.privileged Set container's Security Context privileged -## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem -## @param containerSecurityContext.allowPrivilegeEscalation Set 
container's Security Context allowPrivilegeEscalation -## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped -## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile -## -containerSecurityContext: - enabled: false - seLinuxOptions: null - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" -## Netbox resource requests and limits -## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -## @param resources.limits The resources limits for the Netbox containers -## @param resources.requests The requested resources for the Netbox containers -## -resources: - limits: {} - requests: {} -## Configure extra options for Netbox containers' liveness, readiness and startup probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes -## @param livenessProbe.enabled Enable livenessProbe on Netbox containers -## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe -## @param livenessProbe.periodSeconds Period seconds for livenessProbe -## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe -## @param livenessProbe.failureThreshold Failure threshold for livenessProbe -## @param livenessProbe.successThreshold Success threshold for livenessProbe -## -livenessProbe: - enabled: false - initialDelaySeconds: 300 - periodSeconds: 1 - timeoutSeconds: 5 - failureThreshold: 3 - successThreshold: 1 -## @param readinessProbe.enabled Enable readinessProbe on Netbox containers -## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe -## @param readinessProbe.periodSeconds Period seconds for readinessProbe -## @param readinessProbe.timeoutSeconds Timeout seconds for 
readinessProbe -## @param readinessProbe.failureThreshold Failure threshold for readinessProbe -## @param readinessProbe.successThreshold Success threshold for readinessProbe -## -readinessProbe: - enabled: true - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - successThreshold: 1 -## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe -## @param startupProbe.enabled Enable startupProbe on Netbox containers -## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe -## @param startupProbe.periodSeconds Period seconds for startupProbe -## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe -## @param startupProbe.failureThreshold Failure threshold for startupProbe -## @param startupProbe.successThreshold Success threshold for startupProbe -## -startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 5 - timeoutSeconds: 1 - failureThreshold: 60 - successThreshold: 1 ## @section Exposure parameters ## @@ -924,17 +1083,6 @@ service: nodePorts: http: "" https: "" - ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - ## - sessionAffinity: None - ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} ## @param service.clusterIP Keycloak service clusterIP IP ## e.g: ## clusterIP: None 
@@ -966,7 +1114,17 @@ service: ## @param service.extraPorts Extra port to expose on Keycloak service ## extraPorts: [] - + ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} port: 80 nodePort: "" @@ -1005,30 +1163,7 @@ ingress: # hosts: # - chart-example.local -# Set this to true to automatically mount the service account token in the main container -automountServiceAccountToken: false - -topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - # labelSelector: - # matchLabels: - # "app.kubernetes.io/component": netbox - # "app.kubernetes.io/name": netbox - -## @param initContainers Add additional init containers to the Netbox pods -## Example: -## initContainers: -## - name: your-image-name -## image: your-image -## imagePullPolicy: Always -## ports: -## - name: portname -## containerPort: 1234 -## -initContainers: [] init: image: repository: busybox @@ -1045,17 +1180,6 @@ init: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 # Keep the same as securityContext.runAsGroup -## @param sidecars Add additional sidecar containers to the Keycloak pods -## Example: -## sidecars: -## - name: your-image-name -## image: your-image -## imagePullPolicy: Always -## ports: -## - name: portname -## containerPort: 1234 -## -sidecars: [] test: image: 
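Review bot: The `@@ -1005,30 +1163,7 @@ ingress:` hunk deletes the top-level `automountServiceAccountToken: false` default without a replacement visible in this diff, and the README rename list added later in this series does not mention it. If the deployment template still reads `.Values.automountServiceAccountToken`, the field now renders empty and Kubernetes falls back to mounting the service-account token into the NetBox pod, which is a quiet loss of a hardening default. Presumably the setting moved under `serviceAccount.automountServiceAccountToken`; confirm the pod spec reads that key, that its default is still `false`, and add `automountServiceAccountToken` → `serviceAccount.automountServiceAccountToken` to the README rename list.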
@@ -1065,53 +1189,22 @@ test: resources: {} +## Netbox server deployment autoscaling +## @param server.autoscaling.enabled Enable Netbox server deployment autoscaling +## @param server.autoscaling.minReplicas Netbox server deployment autoscaling minimum number of replicas +## @param server.autoscaling.maxReplicas Netbox server deployment autoscaling maximum number of replicas +## @param server.autoscaling.targetCPU Netbox server deployment autoscaling target CPU percentage +## @param server.autoscaling.targetMemory Netbox server deployment autoscaling target CPU memory +## autoscaling: enabled: false minReplicas: 1 maxReplicas: 100 + targetCPU: 80 + targetMemory: 80 targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 -nodeSelector: {} - -tolerations: [] - -updateStrategy: {} - # type: RollingUpdate - -affinity: {} - -## Additional environment variables to set -extraEnvs: [] -# - name: FOO -# valueFrom: -# secretKeyRef: -# key: FOO -# name: secret-resource - -## Additional volumes to mount -extraVolumeMounts: [] -# - name: extra-volume -# mountPath: /run/secrets/super-secret -# readOnly: true - -extraVolumes: [] -# - name: extra-volume -# secret: -# secretName: super-secret - -## Additional containers to be added to the NetBox pod. -extraContainers: [] -# - name: my-sidecar -# image: nginx:latest - -## Containers which are run before the NetBox containers are started. -extraInitContainers: [] -# - name: init-myservice -# image: busybox -# command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - - ## @section Netbox housekeeping parameters ## Configuration of Cron settings 
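Review bot: In the `@@ -1065,53 +1189,22 @@ test:` hunk the new `targetCPU: 80` / `targetMemory: 80` keys are added while the old `targetCPUUtilizationPercentage: 80` line is kept, so the server autoscaling block now carries two keys for the same setting and whichever one the HPA template does not read is silently ignored. The new `@param` comments document the keys as `server.autoscaling.*` although the block is the top-level `autoscaling:`, and `targetMemory` is described as "target CPU memory". Drop `targetCPUUtilizationPercentage` (and the commented `targetMemoryUtilizationPercentage`), and fix the doc lines, e.g. `## @param autoscaling.targetMemory Netbox server deployment autoscaling target memory percentage`. The README hunk later in this series lists the equivalent rename for `worker.autoscaling`; the server-side rename should be listed there as well.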
@@ -1237,6 +1330,9 @@ worker: ## @param worker.enabled Whether to enable Netbox worker job ## enabled: true + ## @param worker.replicaCount Number of Netbox worker replicas to deploy + ## + replicaCount: 1 ## Netbox worker image version ## ref: https://hub.docker.com/r/netboxcommunity/netbox/tags ## @param image.registry [default: REGISTRY_NAME] Netbox worker image registry @@ -1535,7 +1631,7 @@ worker: ## initContainers: [] - replicaCount: 1 + securityContext: capabilities: @@ -1804,13 +1900,17 @@ redis: ## @param architecture Netbox architecture. Allowed values: `standalone` or `replication` ## architecture: standalone - ## Netbox Authentication parameters - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/redis#setting-the-server-password-on-first-run + ## Use password authentication + ## @param redis.auth.enabled Enable Redis dependency authentication + ## @param redis.auth.existingSecret Existing secret to load redis dependency password + ## @param redis.auth.existingSecretPasswordKey Pasword key name inside the existing secret ## auth: ## @param auth.enabled Enable password authentication ## enabled: true + existingSecret: "" + existingSecretPasswordKey: 'redis-password' ## @section Redis master configuration parameters ## master: @@ -1841,6 +1941,8 @@ tasksRedis: existingSecret: "" existingSecretName: "" existingSecretKey: redis-password + ## @param tasksRedis.existingSecretPasswordKey Pasword key name inside the existing secret + ## existingSecretPasswordKey: "" cachingRedis: 
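Review bot: The `@@ -1841,6 +1941,8 @@ tasksRedis:` hunk adds `existingSecretPasswordKey: ""` directly under `existingSecret`, `existingSecretName` and `existingSecretKey: redis-password`, leaving four overlapping keys that all describe where the Redis password lives, with no comment saying which one the templates read or what happens when they disagree. The `@param` text also has a typo ("Pasword"), repeated in the `cachingRedis` and `redis.auth` hunks. Either keep the Bitnami-style pair (`existingSecret` / `existingSecretPasswordKey`, defaulting the key to `redis-password` as the `redis.auth` hunk does) and mark `existingSecretName` / `existingSecretKey` as deprecated aliases in a comment, or remove them, so a user cannot point two keys at different secrets by mistake.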
@@ -1862,8 +1964,68 @@ cachingRedis: existingSecret: "" existingSecretName: "" existingSecretKey: redis-password + ## @param cachingRedis.existingSecretPasswordKey Pasword key name inside the existing secret + ## existingSecretPasswordKey: "" +## +## External Redis® +## +externalRedis: + ## Redis® host + ## @param externalRedis.host External Redis host + ## + host: "" + ## Redis® port + ## @param externalRedis.port External Redis port + ## + port: 6379 + ## Redis® password for authentication + ## Ignored if existingSecret is set + ## @param externalRedis.password External Redis password + ## + password: "" + ## Name of existing secret object containing the password + ## @param externalRedis.existingSecret Existing secret for the external redis + ## + existingSecret: "" + ## Password key to be retrieved from Redis® secret + ## @param externalRedis.existingSecretPasswordKey Password key for the existing secret containing the external redis password + ## + existingSecretPasswordKey: 'redis-password' + +## Wait-for-redis init container configuration +## +redisWait: + ## @param redisWait.enabled Enables waiting for redis + ## + enabled: true + ## @param redisWait.extraArgs Additional arguments for the redis-cli call, such as TLS + ## + extraArgs: '' + ## @param redisWait.containerSecurityContext.enabled Enabled Argo CD repo server containers' Security Context + ## @param redisWait.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param redisWait.containerSecurityContext.runAsUser Set Argo CD repo server containers' Security Context runAsUser + ## @param redisWait.containerSecurityContext.allowPrivilegeEscalation Set Argo CD repo server containers' Security Context allowPrivilegeEscalation + ## @param redisWait.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped + ## @param redisWait.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' 
repo server Security Context readOnlyRootFilesystem + ## @param redisWait.containerSecurityContext.runAsNonRoot Set Argo CD repo server containers' Security Context runAsNonRoot + ## @param redisWait.containerSecurityContext.privileged Set redisWait container's Security Context privileged + ## @param redisWait.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: null + runAsUser: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + gateway: enabled: false dedicated: false From 4e0f6287aba4cbd5be4a356a5d438ac421a73c2d Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 03:51:33 +0700 Subject: [PATCH 082/110] Fix image helper --- charts/netbox/templates/_helpers.tpl | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 2cd78abf..4de06b8e 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -82,6 +82,20 @@ Return the proper Netbox init image name {{ include "common.images.image" (dict "imageRoot" .Values.init.image "global" .Values.global) }} {{- end -}} +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "argocd.postgresql.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.postgresql.image "global" .Values.global ) -}} +{{- end -}} + +{{/* +Return the proper Redis image name +*/}} +{{- define "argocd.redis.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.redis.image "global" .Values.global ) -}} +{{- end -}} + {{/* Return the proper Docker Image Registry Secret Names */}} From 18d713f7a1256659b64034dda14d0cff8454a444 Mon Sep 17 00:00:00 2001 
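Review bot: In the `redisWait.containerSecurityContext` block added at the end of the `@@ -1862,8 +1964,68 @@ cachingRedis:` hunk, `readOnlyRootFilesystem: false` is weaker than the hardened defaults used elsewhere in the chart (`drop: ["ALL"]`, `RuntimeDefault` seccomp), and a wait-for-redis init container that only runs `redis-cli` has no evident need to write to its root filesystem, so it should be `readOnlyRootFilesystem: true` unless a rendered test shows otherwise. The `@param` comments for that block are copied from the Argo CD chart ("Enabled Argo CD repo server containers' Security Context") and should describe the redisWait container. `externalRedis.password` accepts a plaintext password in values; its comment should add that the value ends up in a chart-managed Secret and in rendered manifests, and that `existingSecret` is the intended path outside testing. `redisWait.extraArgs` is documented as being appended to the `redis-cli` call; if the template builds that call as a shell string, quote the value or render it as an args array so it cannot inject extra commands.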
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 03:53:05 +0700 Subject: [PATCH 083/110] Fix helper typo --- charts/netbox/templates/_helpers.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 4de06b8e..1014dfc6 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -85,14 +85,14 @@ Return the proper Netbox init image name {{/* Return the proper PostgreSQL image name */}} -{{- define "argocd.postgresql.image" -}} +{{- define "netbox.postgresql.image" -}} {{- include "common.images.image" ( dict "imageRoot" .Values.postgresql.image "global" .Values.global ) -}} {{- end -}} {{/* Return the proper Redis image name */}} -{{- define "argocd.redis.image" -}} +{{- define "netbox.redis.image" -}} {{- include "common.images.image" ( dict "imageRoot" .Values.redis.image "global" .Values.global ) -}} {{- end -}} From 10a473b85548bd507fc10f86c30f8a35707918e7 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 04:00:12 +0700 Subject: [PATCH 084/110] Fix redis port helper --- charts/netbox/templates/_helpers.tpl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 1014dfc6..8583e7b9 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -567,9 +567,11 @@ Return the Redis® port */}} {{- define "netbox.redisPort" -}} {{- if .Values.redis.enabled }} - {{- .Values.redis.service.port -}} -{{- else -}} + {{- .Values.redis.master.service.ports.redis -}} +{{- else if .Values.externalRedis.port -}} {{- .Values.externalRedis.port -}} +{{- else -}} + {{ 6379 | int }} {{- end -}} {{- end -}} From 62d3e043b849a3bc33a0c73bf156a037a7070fe6 Mon Sep 17 00:00:00 2001 
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 04:05:49 +0700 Subject: [PATCH 085/110] Fix init container --- charts/netbox/templates/deployment.yaml | 8 ++++---- charts/netbox/values.yaml | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 3a2e40d7..aaaa9f04 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -214,11 +214,11 @@ spec: - '-c' - mkdir -p /opt/unit/state /opt/unit/tmp {{- if .Values.init.resources }} - resources: - {{- toYaml .Values.init.resources | nindent 10 }} + resources: {{- toYaml .Values.init.resources | nindent 10 }} + {{- end }} + {{- if .Values.init.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.init.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} - securityContext: - {{- toYaml .Values.init.securityContext | nindent 10 }} volumeMounts: - name: optunit mountPath: /opt/unit diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index b3e9c5c5..b8f26013 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -1172,7 +1172,8 @@ init: resources: {} - securityContext: + containerSecurityContext: + enabled: true capabilities: drop: - ALL From 2fdae0c164d3be8f8f43d9bee2533b6d1e30ab83 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 04:09:22 +0700 Subject: [PATCH 086/110] Fix init container --- charts/netbox/templates/deployment.yaml | 2 -- charts/netbox/values.yaml | 25 +++++++++++++++++++------ 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index aaaa9f04..b05fe33b 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
@@ -216,9 +216,7 @@ spec: {{- if .Values.init.resources }} resources: {{- toYaml .Values.init.resources | nindent 10 }} {{- end }} - {{- if .Values.init.containerSecurityContext.enabled }} securityContext: {{- omit .Values.init.containerSecurityContext "enabled" | toYaml | nindent 10 }} - {{- end }} volumeMounts: - name: optunit mountPath: /opt/unit diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index b8f26013..cbe26402 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -1172,15 +1172,28 @@ init: resources: {} + # containerSecurityContext: + # enabled: true + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + # runAsGroup: 1000 # Keep the same as securityContext.runAsGroup + containerSecurityContext: enabled: true - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true + seLinuxOptions: null runAsUser: 1000 - runAsGroup: 1000 # Keep the same as securityContext.runAsGroup + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" test: image: From c6a41faa959cb76e08861b688be9c9025ac7f46b Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 04:12:50 +0700 Subject: [PATCH 087/110] Fix init cointainer indent --- charts/netbox/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index b05fe33b..9eabc98b 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
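Review bot: The `@@ -1172,15 +1172,28 @@ init:` values hunk flips the init container's `readOnlyRootFilesystem` from `true` to `false` and drops `runAsGroup: 1000`; the container only runs `mkdir -p /opt/unit/state /opt/unit/tmp` on the mounted `optunit` volume, so the read-only root filesystem was not in its way, and the group should keep matching the pod's `runAsGroup` as the removed comment required. Restore `readOnlyRootFilesystem: true` and `runAsGroup: 1000  # keep equal to podSecurityContext.runAsGroup`. The old block is also left behind as a commented-out copy that will drift from the live one; delete it. The companion deployment hunk removes the `.enabled` guard while the values still carry `enabled: true` that `omit` strips, so either restore the `{{- if .Values.init.containerSecurityContext.enabled }}` guard or drop the key so the two agree.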
@@ -216,7 +216,7 @@ spec: {{- if .Values.init.resources }} resources: {{- toYaml .Values.init.resources | nindent 10 }} {{- end }} - securityContext: {{- omit .Values.init.containerSecurityContext "enabled" | toYaml | nindent 10 }} + securityContext: {{- omit .Values.init.containerSecurityContext "enabled" | toYaml | nindent 12 }} volumeMounts: - name: optunit mountPath: /opt/unit From 94033e19be9b28026ee286c044622a3b8a6252ca Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 09:54:42 +0700 Subject: [PATCH 088/110] Add env-vars ConfigMap --- charts/netbox/templates/ConfigMap/env-vars.yaml | 13 +++++++++++++ charts/netbox/templates/_helpers.tpl | 4 ++-- charts/netbox/templates/deployment.yaml | 10 +++++----- charts/netbox/values.yaml | 2 +- 4 files changed, 21 insertions(+), 8 deletions(-) create mode 100644 charts/netbox/templates/ConfigMap/env-vars.yaml diff --git a/charts/netbox/templates/ConfigMap/env-vars.yaml b/charts/netbox/templates/ConfigMap/env-vars.yaml new file mode 100644 index 00000000..22482a48 --- /dev/null +++ b/charts/netbox/templates/ConfigMap/env-vars.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-env-vars" (include "netbox.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: netbox + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + ALLOWED_HOSTS: {{ toJson .Values.allowedHosts }} + {{- end }} diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 8583e7b9..1fff7111 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl 
@@ -78,8 +78,8 @@ Return the proper Netbox housekeeping image name {{/* Return the proper Netbox init image name */}} -{{- define "netbox.init.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.init.image "global" .Values.global) }} +{{- define "netbox.init-dirs.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.initDirs.image "global" .Values.global) }} {{- end -}} {{/* diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 9eabc98b..39e4bfac 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -207,16 +207,16 @@ spec: {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} initContainers: - name: init-dirs - image: {{ template "netbox.init.image" . }} - imagePullPolicy: {{ .Values.init.image.pullPolicy }} + image: {{ template "netbox.init-dirs.image" . }} + imagePullPolicy: {{ .Values.initDirs.image.pullPolicy }} command: - /bin/sh - '-c' - mkdir -p /opt/unit/state /opt/unit/tmp - {{- if .Values.init.resources }} - resources: {{- toYaml .Values.init.resources | nindent 10 }} + {{- if .Values.initDirs.resources }} + resources: {{- toYaml .Values.initDirs.resources | nindent 10 }} {{- end }} - securityContext: {{- omit .Values.init.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- omit .Values.initDirs.containerSecurityContext "enabled" | toYaml | nindent 12 }} volumeMounts: - name: optunit mountPath: /opt/unit diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index cbe26402..58dba9d5 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -1164,7 +1164,7 @@ ingress: # - chart-example.local -init: +initDirs: image: repository: busybox tag: 1.36.1 From 8cc20d25b29ca3648dfede9f9c473ee3603a1b6b Mon Sep 17 00:00:00 2001 
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:00:03 +0700 Subject: [PATCH 089/110] Fix env-vars ConfigMap --- charts/netbox/templates/ConfigMap/env-vars.yaml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/charts/netbox/templates/ConfigMap/env-vars.yaml b/charts/netbox/templates/ConfigMap/env-vars.yaml index 22482a48..0c72fe98 100644 --- a/charts/netbox/templates/ConfigMap/env-vars.yaml +++ b/charts/netbox/templates/ConfigMap/env-vars.yaml @@ -9,5 +9,15 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: - ALLOWED_HOSTS: {{ toJson .Values.allowedHosts }} + {{- if not .Values.externalDatabase.existingSecretHostKey }} + NETBOX_DATABASE_HOST: {{ include "netbox.databaseHost" . | quote }} {{- end }} + {{- if not .Values.externalDatabase.existingSecretPortKey }} + NETBOX_DATABASE_PORT: {{ include "netbox.databasePort" . }} + {{- end }} + {{- if not .Values.externalDatabase.existingSecretDatabaseKey }} + NETBOX_DATABASE_NAME: {{ include "netbox.databaseName" . | quote }} + {{- end }} + {{- if not .Values.externalDatabase.existingSecretUserKey }} + NETBOX_DATABASE_USER: {{ include "netbox.databaseUser" . | quote }} + {{- end }} \ No newline at end of file From e3492b7b1544aa7bedcd2395e5ee6292aefc124a Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:07:34 +0700 Subject: [PATCH 090/110] Fix typo --- charts/netbox/README.md | 1 + charts/netbox/templates/ConfigMap/env-vars.yaml | 2 +- charts/netbox/templates/_helpers.tpl | 2 +- charts/netbox/templates/cronjob.yaml | 12 +++++------- charts/netbox/values.yaml | 3 ++- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/charts/netbox/README.md b/charts/netbox/README.md index be426810..612e7317 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md 
@@ -98,6 +98,7 @@ The command removes all the Kubernetes components associated with the chart and * The `extraContainers` setting has been renamed to `sidecars`. * The `extraInitContainers` setting has been renamed to `initContainers`. * The `securityContext` setting has been renamed to `podSecurityContext` and `containerSecurityContext` + * The `housekeeping.securityContext` setting has been renamed to `housekeeping.containerSecurityContext` * The `worker.autoscaling.targetCPUUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetCPU`. * The `worker.autoscaling.targetMemoryUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetMemory`. * The `worker.extraEnvs` setting has been renamed to `worker.extraEnvVars`. diff --git a/charts/netbox/templates/ConfigMap/env-vars.yaml b/charts/netbox/templates/ConfigMap/env-vars.yaml index 0c72fe98..fe6077a0 100644 --- a/charts/netbox/templates/ConfigMap/env-vars.yaml +++ b/charts/netbox/templates/ConfigMap/env-vars.yaml @@ -9,7 +9,7 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: - {{- if not .Values.externalDatabase.existingSecretHostKey }} + {{- if not .Values.externalDatabase.existingSecretHostKey }} NETBOX_DATABASE_HOST: {{ include "netbox.databaseHost" . | quote }} {{- end }} {{- if not .Values.externalDatabase.existingSecretPortKey }} diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 1fff7111..d64c4708 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl 
@@ -100,7 +100,7 @@ Return the proper Redis image name Return the proper Docker Image Registry Secret Names */}} {{- define "netbox.imagePullSecrets" -}} -{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.worker.image .Values.housekeeping.image .Values.init.image .Values.volumePermissions.image) "context" $) -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.worker.image .Values.housekeeping.image .Values.initDirs.image .Values.volumePermissions.image) "context" $) -}} {{- end -}} {{/* diff --git a/charts/netbox/templates/cronjob.yaml b/charts/netbox/templates/cronjob.yaml index f2fb1403..66ddbfa8 100644 --- a/charts/netbox/templates/cronjob.yaml +++ b/charts/netbox/templates/cronjob.yaml @@ -34,10 +34,7 @@ spec: app.kubernetes.io/component: housekeeping app.kubernetes.io/part-of: netbox spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 10 }} - {{- end }} + {{- include "netbox.imagePullSecrets" . | nindent 10 }} serviceAccountName: {{ include "netbox.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.housekeeping.automountServiceAccountToken }} securityContext: @@ -48,14 +45,15 @@ spec: {{- end }} containers: - name: housekeeping - securityContext: - {{- toYaml .Values.housekeeping.securityContext | nindent 14 }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} image: {{ template "netbox.housekeeping.image" . }} command: - /opt/netbox/venv/bin/python - /opt/netbox/netbox/manage.py - housekeeping - imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- include "netbox.imagePullSecrets" . | nindent 12 }} {{- with .Values.housekeeping.extraEnvs }} env: {{- toYaml . | nindent 12 }} diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 58dba9d5..74aaa5da 100644 --- a/charts/netbox/values.yaml 
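Review bot: In the `@@ -48,14 +45,15 @@` cronjob hunk the housekeeping container's `securityContext` is now taken from the top-level `.Values.containerSecurityContext`, although this same commit renames the values key to `housekeeping.containerSecurityContext` (README and values hunks in this patch), so the per-job block with `drop: [ALL]` is never rendered and the container runs with whatever the global block provides, or with no security context at all if `containerSecurityContext.enabled` is false. The same hunk replaces `imagePullPolicy: {{ .Values.image.pullPolicy }}` with `{{- include "netbox.imagePullSecrets" . | nindent 12 }}` inside the container spec, but `imagePullSecrets` is a pod-level field that is already emitted at pod level a few lines up; this drops the pull policy and yields an invalid container spec whenever the helper renders anything. Restore `imagePullPolicy: {{ .Values.housekeeping.image.pullPolicy }}` and reference `.Values.housekeeping.containerSecurityContext` in the `if` / `omit` pair.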
+++ b/charts/netbox/values.yaml @@ -1276,7 +1276,8 @@ housekeeping: # runAsUser: 1000 # runAsGroup: 1000 - securityContext: + containerSecurityContext: + enabled: true capabilities: drop: - ALL From 524db826d229c30844b4c76d64eb2683d45a7e16 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:09:49 +0700 Subject: [PATCH 091/110] Fix env-vars ConfigMap --- charts/netbox/templates/ConfigMap/env-vars.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/templates/ConfigMap/env-vars.yaml b/charts/netbox/templates/ConfigMap/env-vars.yaml index fe6077a0..3195a13b 100644 --- a/charts/netbox/templates/ConfigMap/env-vars.yaml +++ b/charts/netbox/templates/ConfigMap/env-vars.yaml @@ -13,7 +13,7 @@ data: NETBOX_DATABASE_HOST: {{ include "netbox.databaseHost" . | quote }} {{- end }} {{- if not .Values.externalDatabase.existingSecretPortKey }} - NETBOX_DATABASE_PORT: {{ include "netbox.databasePort" . }} + NETBOX_DATABASE_PORT: {{ include "netbox.databasePort" . | int }} {{- end }} {{- if not .Values.externalDatabase.existingSecretDatabaseKey }} NETBOX_DATABASE_NAME: {{ include "netbox.databaseName" . | quote }} From 53932e4d65b32426029fea9d792caadcd4dbb57f Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:13:21 +0700 Subject: [PATCH 092/110] Fix env-vars to string --- charts/netbox/templates/ConfigMap/env-vars.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/templates/ConfigMap/env-vars.yaml b/charts/netbox/templates/ConfigMap/env-vars.yaml index 3195a13b..949795bc 100644 --- a/charts/netbox/templates/ConfigMap/env-vars.yaml +++ b/charts/netbox/templates/ConfigMap/env-vars.yaml 
@@ -13,7 +13,7 @@ data: NETBOX_DATABASE_HOST: {{ include "netbox.databaseHost" . | quote }} {{- end }} {{- if not .Values.externalDatabase.existingSecretPortKey }} - NETBOX_DATABASE_PORT: {{ include "netbox.databasePort" . | int }} + NETBOX_DATABASE_PORT: {{ include "netbox.databasePort" . | quote }} {{- end }} {{- if not .Values.externalDatabase.existingSecretDatabaseKey }} NETBOX_DATABASE_NAME: {{ include "netbox.databaseName" . | quote }} From 385a57a5c74d52d119835b3697c07a44b9d65a53 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:16:35 +0700 Subject: [PATCH 093/110] Add values-test --- charts/netbox/values-test.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 charts/netbox/values-test.yaml diff --git a/charts/netbox/values-test.yaml b/charts/netbox/values-test.yaml new file mode 100644 index 00000000..4845b808 --- /dev/null +++ b/charts/netbox/values-test.yaml @@ -0,0 +1,7 @@ +netbox: + postgresql: + enabled: true + auth: + postgresPassword: "" + username: netbox + password: mRY5pxyx1aiDZPKHSCcdjXqSXLSYkA \ No newline at end of file From bdd49c0e7e35187c6ad5b9db429a2864a0538f14 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:18:49 +0700 Subject: [PATCH 094/110] Fix postgresql --- charts/netbox/values-test.yaml | 1 - charts/netbox/values.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/netbox/values-test.yaml b/charts/netbox/values-test.yaml index 4845b808..d69d611f 100644 --- a/charts/netbox/values-test.yaml +++ b/charts/netbox/values-test.yaml @@ -2,6 +2,5 @@ netbox: postgresql: enabled: true auth: - postgresPassword: "" username: netbox password: mRY5pxyx1aiDZPKHSCcdjXqSXLSYkA \ No newline at end of file diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 74aaa5da..edfddd23 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
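Review bot: `values-test.yaml` commits a literal PostgreSQL password (`password: mRY5pxyx1aiDZPKHSCcdjXqSXLSYkA`) to the repository; even for a test-only values file this is a credential in version control that secret scanners will flag and that anyone copying the file may reuse. Use an obviously fake placeholder such as `password: "changeme"` or rely on the subchart's auto-generated password, and exclude the file from the packaged chart via `.helmignore`. The values are nested under a top-level `netbox:` key, which only takes effect if this chart is consumed as a subchart named `netbox`; if the file is meant for `helm install -f values-test.yaml` against this chart directly, the `postgresql:` block belongs at the top level.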
@@ -1864,7 +1864,7 @@ postgresql: persistence: ## @param postgresql.primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC ## - enabled: true + enabled: false ## External PostgreSQL configuration ## All of these values are only used when postgresql.enabled is set to false From b411fe26638fcbf9190b240c566d129a83d48dc0 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:25:15 +0700 Subject: [PATCH 095/110] Add gateway API --- .../templates/gateway-api/HTTPRoute.yaml | 32 +++++++++++++++++++ charts/netbox/values.yaml | 8 +++++ 2 files changed, 40 insertions(+) create mode 100644 charts/netbox/templates/gateway-api/HTTPRoute.yaml diff --git a/charts/netbox/templates/gateway-api/HTTPRoute.yaml b/charts/netbox/templates/gateway-api/HTTPRoute.yaml new file mode 100644 index 00000000..6a0be86f --- /dev/null +++ b/charts/netbox/templates/gateway-api/HTTPRoute.yaml 
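Review bot: The `@@ -1864,7 +1864,7 @@ postgresql:` hunk changes the shipped default `postgresql.primary.persistence.enabled` from `true` to `false`, so every default install now keeps the NetBox database on ephemeral storage and loses it when the PostgreSQL pod restarts. The commit subject ("Fix postgresql") and the adjacent `values-test.yaml` change suggest this was meant to unblock the test install; put the override in `values-test.yaml` (`postgresql: {primary: {persistence: {enabled: false}}}`) and restore `enabled: true` as the default in `values.yaml`.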
@@ -0,0 +1,32 @@ +{{- if and .Values.gateway.enabled .Values.gateway.gatewayApi }} +{{- if (include "common.capabilities.networkingGateway.apiVersion" .) }} +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: {{ include "netbox.fullname" . }} + namespace: {{ include "common.names.namespace" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: adminer + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} + {{- end }} +spec: + parentRefs: + - name: {{ default "ingressgateway" .Values.gateway.name }} + namespace: {{ default "istio-ingress" .Values.gateway.namespace }} + {{- if .Values.ingress.hosts }} + hostnames: + {{- range $host := $.Values.ingress.hosts }} + - {{ $host | quote }} + {{- end }} + {{- end }} + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: {{ include "netbox.fullname" . }} + port: {{ .Values.service.ports.http | int }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index edfddd23..80680c45 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -2042,9 +2042,17 @@ redisWait: type: "RuntimeDefault" gateway: + ## @param gateway.enabled Enable Istio Gateway and VirtualService + ## enabled: false + ## @param gateway.dedicated + ## dedicated: false + ## @param gateway.dedicated + ## gatewayApi: + ## @param gateway.gatewayApi.create Create Kubernetes Gateway API gateway + ## create: false name: "" namespace: "" From a407757365e66627b24dd8807f91578b142373ee Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:27:49 +0700 Subject: [PATCH 096/110] Fix housekeeping indent --- charts/netbox/templates/cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
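Review bot: The guard `{{- if and .Values.gateway.enabled .Values.gateway.gatewayApi }}` at the top of the new `HTTPRoute.yaml` tests a map, and the values hunk in this same commit turns `gateway.gatewayApi` into `{create: false}`, which is truthy, so the route renders whenever `gateway.enabled` is true regardless of `gatewayApi.create`; the check should be `.Values.gateway.gatewayApi.create`. The route is labelled `app.kubernetes.io/component: adminer` (copied from another chart) and should be `netbox`, and `apiVersion` is hard-coded to `gateway.networking.k8s.io/v1beta1` even though the capability helper on the next line is consulted, so use its result. When `ingress.hosts` is empty no `hostnames` are emitted and the `/` PathPrefix rule attaches to every host served by the default `ingressgateway` in `istio-ingress`; either require a hostname or document that the route captures all traffic on that gateway. The values hunk also repeats `## @param gateway.dedicated` as the doc line for `gatewayApi`.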
diff --git a/charts/netbox/templates/cronjob.yaml b/charts/netbox/templates/cronjob.yaml index 66ddbfa8..d99356cf 100644 --- a/charts/netbox/templates/cronjob.yaml +++ b/charts/netbox/templates/cronjob.yaml @@ -46,7 +46,7 @@ spec: containers: - name: housekeeping {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 14 }} {{- end }} image: {{ template "netbox.housekeeping.image" . }} command: From b3137f0369280eaa76a70daea7582bdc6d29044c Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:37:05 +0700 Subject: [PATCH 097/110] Fix securityContext --- charts/netbox/archive/ServiceAccount.yaml | 18 -- charts/netbox/archive/deployment_full.yaml | 244 ------------------ charts/netbox/archive/deployment_simple.yaml | 171 ------------ charts/netbox/archive/netbox copy.yaml | 28 -- .../HTTPRoute.yaml | 0 charts/netbox/values.yaml | 10 +- 6 files changed, 4 insertions(+), 467 deletions(-) delete mode 100644 charts/netbox/archive/ServiceAccount.yaml delete mode 100644 charts/netbox/archive/deployment_full.yaml delete mode 100644 charts/netbox/archive/deployment_simple.yaml delete mode 100644 charts/netbox/archive/netbox copy.yaml rename charts/netbox/templates/{gateway-api => gatewayApi}/HTTPRoute.yaml (100%) diff --git a/charts/netbox/archive/ServiceAccount.yaml b/charts/netbox/archive/ServiceAccount.yaml deleted file mode 100644 index 6d1d080c..00000000 --- a/charts/netbox/archive/ServiceAccount.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.redis.serviceAccount.create (not .Values.redis.sentinel.enabled) }} -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: {{ .Values.redis.serviceAccount.automountServiceAccountToken }} -metadata: - name: {{ template "redis.serviceAccountName" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if or .Values.commonAnnotations .Values.redis.serviceAccount.annotations }} - {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.redis.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/netbox/archive/deployment_full.yaml b/charts/netbox/archive/deployment_full.yaml deleted file mode 100644 index 7bc2bdae..00000000 --- a/charts/netbox/archive/deployment_full.yaml +++ /dev/null 
@@ -1,244 +0,0 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -kind: Deployment -metadata: - name: {{ include "netbox.fullname" . }} - {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }} - {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} - labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} - app.kubernetes.io/component: server - app.kubernetes.io/part-of: netbox - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ default 1 .Values.replicaCount }} - {{- end }} - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} - selector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: server - app.kubernetes.io/part-of: netbox - {{ if .Values.updateStrategy -}} - strategy: - {{- toYaml .Values.updateStrategy | nindent 4 }} - {{ end -}} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} - {{- if (not .Values.existingSecret) }} - checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . 
| sha256sum }} - {{- end }} - {{- if .Values.podAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} - app.kubernetes.io/component: server - app.kubernetes.io/part-of: netbox - {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} - {{- end }} - spec: - {{- include "netbox.imagePullSecrets" . | nindent 6 }} - serviceAccountName: {{ include "netbox.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - containers: - - name: netbox - image: {{ template "netbox.image" . 
}} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: SUPERUSER_NAME - value: {{ .Values.superuser.name | quote }} - - name: SUPERUSER_EMAIL - value: {{ .Values.superuser.email | quote }} - - name: SKIP_STARTUP_SCRIPTS - value: {{ .Values.skipStartupScripts | quote }} - {{- if .Values.dbWaitDebug }} - - name: DB_WAIT_DEBUG - value: "1" - {{- end }} - {{- if .Values.overrideUnitConfig }} - - name: UNIT_CONFIG - value: /run/config/netbox/nginx-unit.json - {{- end }} - {{- if .Values.allowedHostsIncludesPodIp }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - {{- end }} - {{- if .Values.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.containerPorts.http }} - protocol: TCP - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: /{{ .Values.basePath }}login/ - port: http - {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} - httpHeaders: - - name: Host - value: {{ (index .Values.allowedHosts 0) | quote }} - {{- end }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - {{- end }} - # {{- if .Values.resources }} - # resources: {{- toYaml .Values.resources | nindent 12 }} - # {{- end }} - volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - - name: config - mountPath: /etc/netbox/config/ldap/ldap_config.py - subPath: ldap_config.py - readOnly: true - {{ end -}} - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - # {{- 
include "netbox.extraConfig.volumeMounts" . | nindent 8 -}} - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: {{ .Values.persistence.subPath | default "" | quote }} - {{- if .Values.reportsPersistence.enabled }} - - name: reports - mountPath: /opt/netbox/netbox/reports - subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }} - {{- end }} - {{- if .Values.scriptsPersistence.enabled }} - - name: scripts - mountPath: /opt/netbox/netbox/scripts - subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }} - {{- end }} - - name: optunit - mountPath: /opt/unit - - name: secrets - mountPath: /run/secrets/superuser_password - subPath: superuser_password - readOnly: true - - name: secrets - mountPath: /run/secrets/superuser_api_token - subPath: superuser_api_token - readOnly: true - {{- if .Values.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - {{- if .Values.metrics.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} - {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} - initContainers: - - name: init-dirs - image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" - imagePullPolicy: {{ .Values.init.image.pullPolicy }} - command: [/bin/sh, -c, mkdir -p /opt/unit/state /opt/unit/tmp] - {{- if .Values.init.resources }} - resources: - {{- toYaml .Values.init.resources | nindent 10 }} - {{- end }} - securityContext: - {{- toYaml .Values.init.securityContext | nindent 10 }} - 
volumeMounts: - - name: optunit - mountPath: /opt/unit - {{- if or .Values.initContainers $needsVolumePermissions }} - {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- end }} - volumes: - - name: config - configMap: - name: {{ include "netbox.fullname" . }} - - name: secrets - projected: - sources: - - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} - items: - # Used by netbox-docker entry scripts - - key: superuser_password - path: superuser_password - - key: superuser_api_token - path: superuser_api_token - # Used by our configuration - - key: email_password - path: email_password - - key: secret_key - path: secret_key - {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} - - key: ldap_bind_password - path: ldap_bind_password - {{- end }} - - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} - items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} - path: db_password - - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} - items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} - path: redis_tasks_password - - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} - items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} - path: redis_cache_password - {{- include "netbox.extraConfig.volumes" . 
| nindent 6 -}} - - name: netbox-tmp - emptyDir: - medium: Memory - - name: optunit - emptyDir: - medium: Memory - - name: media - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: reports - {{- if .Values.reportsPersistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: scripts - {{- if .Values.scriptsPersistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - diff --git a/charts/netbox/archive/deployment_simple.yaml b/charts/netbox/archive/deployment_simple.yaml deleted file mode 100644 index 5ad1b9cd..00000000 --- a/charts/netbox/archive/deployment_simple.yaml +++ /dev/null 
@@ -1,171 +0,0 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -kind: Deployment -metadata: - name: {{ include "netbox.fullname" . }} - {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }} - {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} - labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} - app.kubernetes.io/component: server - app.kubernetes.io/part-of: netbox - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ default 1 .Values.replicaCount }} - {{- end }} - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} - selector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: server - app.kubernetes.io/part-of: netbox - {{ if .Values.updateStrategy -}} - strategy: - {{- toYaml .Values.updateStrategy | nindent 4 }} - {{ end -}} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} - {{- if (not .Values.existingSecret) }} - checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . 
| sha256sum }} - {{- end }} - {{- if .Values.podAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} - app.kubernetes.io/component: server - app.kubernetes.io/part-of: netbox - {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} - {{- end }} - spec: - {{- include "netbox.imagePullSecrets" . | nindent 6 }} - serviceAccountName: {{ include "netbox.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - containers: - - name: netbox - image: {{ template "netbox.image" . 
}} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: SUPERUSER_NAME - value: {{ .Values.superuser.name | quote }} - - name: SUPERUSER_EMAIL - value: {{ .Values.superuser.email | quote }} - - name: SKIP_STARTUP_SCRIPTS - value: {{ .Values.skipStartupScripts | quote }} - {{- if .Values.dbWaitDebug }} - - name: DB_WAIT_DEBUG - value: "1" - {{- end }} - {{- if .Values.overrideUnitConfig }} - - name: UNIT_CONFIG - value: /run/config/netbox/nginx-unit.json - {{- end }} - {{- if .Values.allowedHostsIncludesPodIp }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - {{- end }} - {{- if .Values.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.containerPorts.http }} - protocol: TCP - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: /{{ .Values.basePath }}login/ - port: http - {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} - httpHeaders: - - name: Host - value: {{ (index .Values.allowedHosts 0) | quote }} - {{- end }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - {{- end }} - volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - volumes: - - name: config - configMap: - name: {{ include "netbox.fullname" . }} - - name: secrets - projected: - sources: - - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) 
| quote }} - items: - # Used by netbox-docker entry scripts - - key: superuser_password - path: superuser_password - - key: superuser_api_token - path: superuser_api_token - # Used by our configuration - - key: email_password - path: email_password - - key: secret_key - path: secret_key - {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }} - - key: ldap_bind_password - path: ldap_bind_password - {{- end }} - - secret: - name: {{ include "netbox.postgresql.secret" . | quote }} - items: - - key: {{ include "netbox.postgresql.secretKey" . | quote }} - path: db_password - - secret: - name: {{ include "netbox.tasksRedis.secret" . | quote }} - items: - - key: {{ include "netbox.tasksRedis.secretKey" . | quote }} - path: redis_tasks_password - - secret: - name: {{ include "netbox.cachingRedis.secret" . | quote }} - items: - - key: {{ include "netbox.cachingRedis.secretKey" . | quote }} - path: redis_cache_password - # {{- include "netbox.extraConfig.volumes" . | nindent 6 -}} - # - name: netbox-tmp - # emptyDir: - # medium: Memory - # - name: optunit - # emptyDir: - # medium: Memory - # - name: media - # {{- if .Values.persistence.enabled }} - # persistentVolumeClaim: - # claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "netbox.fullname" .)) }} - # {{- else }} - # emptyDir: {} - # {{- end }} - # - name: reports - # {{- if .Values.reportsPersistence.enabled }} - # persistentVolumeClaim: - # claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "netbox.fullname" .)) }} - # {{- else }} - # emptyDir: {} - # {{- end }} - # - name: scripts - # {{- if .Values.scriptsPersistence.enabled }} - # persistentVolumeClaim: - # claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "netbox.fullname" .)) }} - # {{- else }} - # emptyDir: {} - # {{- end }} \ No newline at end of file 
diff --git a/charts/netbox/archive/netbox copy.yaml b/charts/netbox/archive/netbox copy.yaml deleted file mode 100644 index d59329f7..00000000 --- a/charts/netbox/archive/netbox copy.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if not .Values.existingSecret -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "netbox.fullname" . }} - labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} - {{- if or .Values.externalDatabase.annotations .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.externalDatabase.annotations .Values.commonAnnotations) "context" $) | nindent 4 }} - {{- end }} -type: Opaque -data: - {{ if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecretName) -}} - db_password: {{ .Values.externalDatabase.password | b64enc | quote }} - {{ end -}} - email_password: {{ .Values.email.password | b64enc | quote }} - {{ if and (not .Values.redis.enabled) (not .Values.tasksRedis.existingSecretName) -}} - redis_tasks_password: {{ .Values.tasksRedis.password | b64enc | quote }} - {{ end -}} - {{ if and (not .Values.redis.enabled) (not .Values.cachingRedis.existingSecretName) -}} - redis_cache_password: {{ .Values.cachingRedis.password | b64enc | quote }} - {{ end -}} - secret_key: {{ .Values.secretKey | default (randAscii 60) | b64enc }} - superuser_password: {{ .Values.superuser.password | default (randAlphaNum 16) | b64enc }} - superuser_api_token: {{ .Values.superuser.apiToken | default uuidv4 | b64enc }} - {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} - ldap_bind_password: {{ .Values.remoteAuth.ldap.bindPassword | b64enc | quote }} - {{ end -}} -{{- end -}} \ No newline at end of file 
diff --git a/charts/netbox/templates/gateway-api/HTTPRoute.yaml b/charts/netbox/templates/gatewayApi/HTTPRoute.yaml similarity index 100% rename from charts/netbox/templates/gateway-api/HTTPRoute.yaml rename to charts/netbox/templates/gatewayApi/HTTPRoute.yaml diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 80680c45..0152d3bb 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -244,8 +244,8 @@ podSecurityContext: containerSecurityContext: enabled: true seLinuxOptions: null - runAsUser: 1001 - runAsGroup: 0 + runAsUser: 1000 + runAsGroup: 1000 runAsNonRoot: true allowPrivilegeEscalation: false seccompProfile: @@ -1505,8 +1505,8 @@ worker: containerSecurityContext: enabled: true seLinuxOptions: null - runAsUser: 1001 - runAsGroup: 0 + runAsUser: 1000 + runAsGroup: 1000 runAsNonRoot: true allowPrivilegeEscalation: false seccompProfile: @@ -1646,8 +1646,6 @@ worker: ## initContainers: [] - - securityContext: capabilities: drop: From b2cbc8c9f4620fb10f32e4383b6a147d924a70c1 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:41:18 +0700 Subject: [PATCH 098/110] Fix housekeeping --- charts/netbox/values.yaml | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 0152d3bb..48fab8ea 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
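Review bot: The switch from `runAsUser: 1001` / `runAsGroup: 0` to `1000` / `1000` is unexplained and carries no comment — group 0 is the usual way to let a non-root user write to group-root-owned image paths, so whether uid/gid 1000 can write the paths the pod mounts (media, `/opt/unit`) depends on how the NetBox image is built, which the diff does not show. Add a comment next to each changed pair, e.g. `## NOTE: must match the UID/GID the netbox image runs as (the chart's fsGroup is 1000)`, and confirm with a render-and-run rather than assuming. The change is applied to the server and worker `containerSecurityContext` only; if the corresponding `podSecurityContext` blocks above the hunk set `runAsUser`/`runAsGroup`, keep them in step, since the container-level value silently shadows the pod-level one.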
@@ -1269,22 +1269,42 @@ housekeeping: podAnnotations: {} podLabels: {} - + ## Configure Netbox housekeeping Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param housekeeping.podSecurityContext.enabled Enabled Netbox housekeeping pods' Security Context + ## @param housekeeping.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param housekeeping.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param housekeeping.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param housekeeping.podSecurityContext.fsGroup Set Netbox housekeeping pod's Security Context fsGroup + ## podSecurityContext: fsGroup: 1000 runAsNonRoot: true # runAsUser: 1000 # runAsGroup: 1000 - + ## Configure Netbox housekeeping container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param housekeeping.containerSecurityContext.enabled Enabled Netbox housekeeping containers' Security Context + ## @param housekeeping.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param housekeeping.containerSecurityContext.runAsUser Set Netbox housekeeping containers' Security Context runAsUser + ## @param housekeeping.containerSecurityContext.runAsGroup Set Netbox housekeeping containers' Security Context runAsGroup + ## @param housekeeping.containerSecurityContext.runAsNonRoot Set Netbox housekeeping containers' Security Context runAsNonRoot + ## @param housekeeping.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate Netbox pod(s) privileges + ## @param housekeeping.containerSecurityContext.seccompProfile.type Set Netbox housekeeping containers' Security Context seccompProfile + ## @param housekeeping.containerSecurityContext.capabilities.drop Set Netbox housekeeping 
containers' Security Context capabilities to drop + ## containerSecurityContext: enabled: true + seLinuxOptions: null + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault capabilities: drop: - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 # Set this to true to automatically mount the service account token in the housekeeping container automountServiceAccountToken: false From 2405cb6ad2a41fc0eda2d72bcb083e0f16a44b20 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:46:23 +0700 Subject: [PATCH 099/110] Change postgres user --- charts/netbox/values-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/values-test.yaml b/charts/netbox/values-test.yaml index d69d611f..c967b5d2 100644 --- a/charts/netbox/values-test.yaml +++ b/charts/netbox/values-test.yaml @@ -2,5 +2,5 @@ netbox: postgresql: enabled: true auth: - username: netbox + username: netbox_user password: mRY5pxyx1aiDZPKHSCcdjXqSXLSYkA \ No newline at end of file From 00116eb60cf20c315094fdd5cec895c69cb305b0 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 12:18:52 +0700 Subject: [PATCH 100/110] Add superuser helper --- charts/netbox/Chart.yaml | 5 + charts/netbox/README.md | 3 +- charts/netbox/templates/Secret/netbox.yaml | 9 +- charts/netbox/templates/_helpers.tpl | 72 +++-- charts/netbox/templates/deployment.yaml | 4 +- charts/netbox/values.yaml | 289 +++++++++++++++------ 6 files changed, 283 insertions(+), 99 deletions(-) diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml index 2fe502ca..e42f138e 100644 --- a/charts/netbox/Chart.yaml +++ b/charts/netbox/Chart.yaml 
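Review bot: `readOnlyRootFilesystem: true` is dropped from `housekeeping.containerSecurityContext` in the new block while every other hardening knob is kept or added, so this is a regression rather than a reorganisation; add `readOnlyRootFilesystem: true` back below `allowPrivilegeEscalation: false` (the housekeeping job has no reason to write to its image root, and if it does, mount an emptyDir for that path). The new `@param` lines for `housekeeping.podSecurityContext` document `enabled`, `fsGroupChangePolicy`, `sysctls` and `supplementalGroups`, none of which appear in the values that follow (only `fsGroup` and `runAsNonRoot` do) — either add those keys or trim the comments so generated docs do not advertise parameters that do nothing. Note that the cronjob template in the preceding commit is gated on `.Values.containerSecurityContext.enabled`, not on this block, so confirm these housekeeping values are actually consumed.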
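Review bot: The context line directly below the renamed username still carries a literal PostgreSQL password in `values-test.yaml`; even in a test fixture, a real-looking 30-character credential committed to the repo trips secret scanners and tends to be copied into real deployments. Replace it with an obviously fake value such as `password: "changeme-test-only"` or, better, point the fixture at an `existingSecret` created out of band. The rename to `netbox_user` is otherwise fine.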
@@ -1,3 +1,8 @@ +annotations: + licenses: Apache-2.0 + images: | + - name: netbox + image: docker.io/netboxcommunity/netbox:v3.7-2.8.0 apiVersion: v2 name: netbox version: 5.0.1 diff --git a/charts/netbox/README.md b/charts/netbox/README.md index 612e7317..998906ce 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md @@ -97,7 +97,8 @@ The command removes all the Kubernetes components associated with the chart and * The `extraContainers` setting has been renamed to `sidecars`. * The `extraContainers` setting has been renamed to `sidecars`. * The `extraInitContainers` setting has been renamed to `initContainers`. - * The `securityContext` setting has been renamed to `podSecurityContext` and `containerSecurityContext` + * The `securityContext` setting has been renamed to `podSecurityContext` and `containerSecurityContext`. + * The `ingress.className` setting has been renamed to `ingress.ingressClassName`. * The `housekeeping.securityContext` setting has been renamed to `housekeeping.containerSecurityContext` * The `worker.autoscaling.targetCPUUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetCPU`. * The `worker.autoscaling.targetMemoryUtilizationPercentage` setting has been renamed to `worker.autoscaling.targetMemory`. diff --git a/charts/netbox/templates/Secret/netbox.yaml b/charts/netbox/templates/Secret/netbox.yaml index a09d194b..98d3e31d 100644 --- a/charts/netbox/templates/Secret/netbox.yaml +++ b/charts/netbox/templates/Secret/netbox.yaml 
@@ -10,7 +10,7 @@ metadata:
 type: Opaque
 data:
 {{ if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecretName) -}}
- db_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.postgresql.fullname" .)) "key" "password" "length" 10 "providedValues" (list "externalDatabase.password") "context" $) }}
+ db_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.postgresql.fullname" .)) "key" "password" "length" 12 "providedValues" (list "externalDatabase.password") "context" $) }}
 {{ end -}}
 email_password: {{ .Values.email.password | b64enc | quote }}
 {{ if and (not .Values.redis.enabled) (not .Values.tasksRedis.existingSecretName) -}}
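Review bot: In the external-database branch this line generates `db_password` via `common.secrets.passwords.manage`, but the idempotency lookup it performs targets a secret named by `netbox.postgresql.fullname` with key `password`, whereas the value is written into this Secret (named by `netbox.fullname`) under `db_password`; unless a secret by that other name happens to exist the lookup never hits, and with `externalDatabase.password` unset the value is regenerated on every upgrade — for an external database that is a password nobody set on the server. Point the lookup at this Secret (`"secret" (include "netbox.fullname" .) "key" "db_password"`), or — since the `netbox.validateValues.database` helper later in this series appears to reject an external DB with neither `password` nor `existingSecret` — drop the generate path and fail the render explicitly. Raising `length` from 10 to 12 is fine but still short for a generated credential; 16 or more costs nothing here.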
@@ -20,9 +20,12 @@ data: redis_cache_password: {{ .Values.cachingRedis.password | b64enc | quote }} {{ end -}} secret_key: {{ .Values.secretKey | default (randAscii 60) | b64enc }} + {{- if (not .Values.superuser.existingSecretName) }} # superuser_password: {{ .Values.superuser.password | default (randAlphaNum 16) | b64enc }} - superuser_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.fullname" .)) "key" "superuser_password" "length" 10 "providedValues" (list "superuser.password") "context" $) }} - superuser_api_token: {{ .Values.superuser.apiToken | default uuidv4 | b64enc }} + # superuser_api_token: {{ .Values.superuser.apiToken | default uuidv4 | b64enc }} + superuser_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.fullname" .)) "key" "superuser_password" "length" 12 "providedValues" (list "superuser.password") "context" $) }} + superuser_api_token: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.fullname" .)) "key" "superuser_api_token" "length" 12 "providedValues" (list "superuser.apiToken") "context" $) }} + {{- end }} {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}} ldap_bind_password: {{ .Values.remoteAuth.ldap.bindPassword | b64enc | quote }} {{ end -}} diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index d64c4708..37a21814 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -408,7 +408,7 @@ Return the Database database name {{- if .Values.postgresql.enabled }} {{- if .Values.global.postgresql }} {{- if .Values.global.postgresql.auth }} - {{- coalesce .Values.global.postgresql.auth.database .Values.postgresql.auth.database -}} + {{- coalesce .Values.global.postgresql.auth.database .Values.postgresql.auth.database | quote -}} {{- else -}} {{- .Values.postgresql.auth.database -}} {{- end -}} 
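Review bot: `superuser_api_token` is now generated with `"length" 12`, but NetBox API token keys are a fixed 40-character value (the chart's own default `superuser.apiToken` in values.yaml is 40 hex characters), so a 12-character generated token will most likely be rejected when the entrypoint creates it; use `"length" 40` for the token and keep 12 or more for the password. The new guard is `not .Values.superuser.existingSecretName`, while the helpers added in this same commit key off `.Values.superuser.existingSecret` — pick one key so the Secret and the volume projection agree on where the superuser credentials live. The `secret_key:` line just above still uses `randAscii 60` with no `lookup`, so Django's SECRET_KEY rotates on every upgrade when `secretKey` is unset; that is pre-existing behaviour, but it deserves the same `common.secrets.passwords.manage` treatment as the lines this hunk changes.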
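Review bot: `| quote` is added only to the `global.postgresql.auth` branch of the database-name helper; the sibling `{{- .Values.postgresql.auth.database -}}` branch (and presumably the external-database branch below the hunk) still emits the bare name, so the helper now returns `"netbox"` with quotes in one configuration and `netbox` in the others. Whatever consumes this — a `configuration.py` string or an env value — will see different text depending on whether global values are set; either quote at the call site or quote every branch. The helper's remaining branches are outside the hunk.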
@@ -467,16 +467,16 @@ Add environment variables to configure database values */}} {{- define "netbox.databaseSecretPasswordKey" -}} {{- if .Values.postgresql.enabled -}} - {{- print "password" -}} + {{- printf "%s" "password" -}} {{- else -}} {{- if .Values.externalDatabase.existingSecret -}} {{- if .Values.externalDatabase.existingSecretPasswordKey -}} {{- printf "%s" .Values.externalDatabase.existingSecretPasswordKey -}} {{- else -}} - {{- print "db-password" -}} + {{- printf "%s" "db-password" -}} {{- end -}} {{- else -}} - {{- print "db-password" -}} + {{- printf "%s" "db-password" -}} {{- end -}} {{- end -}} {{- end -}} @@ -511,7 +511,7 @@ Add environment variables to configure database values {{- end -}} {{/* -Return the Redis® secret name +Return the Redis secret name */}} {{- define "netbox.redis.secretName" -}} {{- if .Values.redis.enabled }} 
@@ -523,25 +523,31 @@ Return the Redis® secret name {{- else if .Values.externalRedis.existingSecret }} {{- printf "%s" .Values.externalRedis.existingSecret -}} {{- else -}} - {{- printf "%s-redis" (include "netbox.redis.fullname" .) -}} + {{- printf "%s" (include "netbox.redis.fullname" .) -}} {{- end -}} {{- end -}} {{/* -Return the Redis® secret key +Return the Redis secret key */}} {{- define "netbox.redis.secretPasswordKey" -}} -{{- if and .Values.redis.enabled .Values.redis.auth.existingSecret }} - {{- .Values.redis.auth.existingSecretPasswordKey | printf "%s" }} -{{- else if and (not .Values.redis.enabled) .Values.externalRedis.existingSecret }} - {{- .Values.externalRedis.existingSecretPasswordKey | printf "%s" }} +{{- if .Values.redis.enabled -}} + {{- printf "%s" "redis-password" -}} {{- else -}} - {{- printf "redis-password" -}} + {{- if .Values.externalRedis.existingSecret -}} + {{- if .Values.externalRedis.existingSecretPasswordKey -}} + {{- printf "%s" .Values.externalRedis.existingSecretPasswordKey -}} + {{- else -}} + {{- printf "%s" "redis-password" -}} + {{- end -}} + {{- else -}} + {{- printf "%s" "redis-password" -}} + {{- end -}} {{- end -}} {{- end -}} {{/* -Return whether Redis® uses password authentication or not +Return whether Redis uses password authentication or not */}} {{- define "netbox.redis.auth.enabled" -}} {{- if or (and .Values.redis.enabled .Values.redis.auth.enabled) (and (not .Values.redis.enabled) (or .Values.externalRedis.password .Values.externalRedis.existingSecret)) }} @@ -550,7 +556,7 @@ Return whether Redis® uses password authentication or not {{- end -}} {{/* -Return the Redis® hostname +Return the Redis hostname */}} {{- define "netbox.redisHost" -}} {{- if .Values.redis.enabled }} @@ -563,7 +569,7 @@ Return the Redis® hostname {{- end -}} {{/* -Return the Redis® port +Return the Redis port */}} {{- define "netbox.redisPort" -}} {{- if .Values.redis.enabled }} 
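Review bot: The rewritten `netbox.redis.secretPasswordKey` returns the literal `redis-password` whenever `redis.enabled` is true, dropping the removed branch that honoured `redis.auth.existingSecretPasswordKey` when the bundled Redis is pointed at `redis.auth.existingSecret`; a user with an existing secret under a different key now gets a projected volume that references a missing key and a pod stuck in ContainerCreating. Keep that case ahead of the fallback: `{{- if and .Values.redis.enabled .Values.redis.auth.existingSecret -}} {{- default "redis-password" .Values.redis.auth.existingSecretPasswordKey -}}`. The secret-name change in the same hunk, from `%s-redis` to the plain `netbox.redis.fullname`, renames the resource the chart looks up — confirm it matches what the Redis subchart actually creates, since a mismatch fails the same way.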
@@ -600,6 +606,42 @@ Return the secret key that contains the Netbox superuser password {{- end -}} {{- end -}} +{{/* +Return the secret key that contains the Netbox superuser password +*/}} +{{- define "netbox.superuser.secretPasswordKey" -}} +{{- if .Values.existingSecret -}} + {{- printf "%s" "superuser-password" -}} +{{- else -}} + {{- if .Values.superuser.existingSecret -}} + {{- if .Values.superuser.existingSecretPasswordKey -}} + {{- printf "%s" .Values.superuser.existingSecretPasswordKey -}} + {{- else -}} + {{- printf "%s" "superuser-password" -}} + {{- end -}} + {{- else -}} + {{- printf "%s" "superuser_password" -}} + {{- end -}} + {{- end -}} + +{{/* +Return the secret key that contains the Netbox superuser API token +*/}} +{{- define "netbox.superuser.secretApiTokenKey" -}} +{{- if .Values.existingSecret -}} + {{- printf "%s" "superuser-api-token" -}} +{{- else -}} + {{- if .Values.superuser.existingSecret -}} + {{- if .Values.superuser.existingSecretApiTokenKey -}} + {{- printf "%s" .Values.superuser.existingSecretApiTokenKey -}} + {{- else -}} + {{- printf "%s" "superuser-api-token" -}} + {{- end -}} + {{- else -}} + {{- printf "%s" "superuser_api_token" -}} + {{- end -}} +{{- end -}} + {{/* Validate values of Netbox - database */}} {{- define "netbox.validateValues.database" -}} {{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) (and (not .Values.externalDatabase.password) (not .Values.externalDatabase.existingSecret)) -}} diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index 39e4bfac..d0092c46 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
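Review bot: As rendered here each new `define` closes only its three `if` blocks and never the `define` itself — both `netbox.superuser.secretPasswordKey` and `netbox.superuser.secretApiTokenKey` end after three `{{- end -}}`, whereas the existing `netbox.databaseSecretPasswordKey` earlier in this file uses four — so `helm template` should fail to parse `_helpers.tpl` unless a line was lost when this diff was collapsed; add a final `{{- end -}}` to each helper and verify with a render. Separately, the `.Values.existingSecret` branch returns `superuser-password` (hyphen) while the generated-secret branch returns `superuser_password` (underscore), so the same chart reads two different key spellings depending on configuration. The hunk header also shows an existing helper immediately above with the identical doc comment `Return the secret key that contains the Netbox superuser password`; check whether the new helper duplicates it and, if so, fold the two together.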
@@ -278,9 +278,9 @@ spec:
 name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }}
 items:
 # Used by netbox-docker entry scripts
- - key: superuser_password
+ - key: {{ include "netbox.superuser.secretPasswordKey" . | quote }}
 path: superuser_password
- - key: superuser_api_token
+ - key: {{ include "netbox.superuser.secretApiTokenKey" . | quote }}
 path: superuser_api_token
 # Used by our configuration
 - key: email_password
diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml
index 48fab8ea..6fec17bc 100644
--- a/charts/netbox/values.yaml
+++ b/charts/netbox/values.yaml
@@ -380,7 +380,7 @@ extraInitContainers: []
 ## See `existingSecret` for details
 ##
 superuser:
- ## @param superuser.name Netbox administrator user
+ ## @param superuser.name Netbox administrator username
 ##
 name: admin
 ## @param superuser.email Netbox administrator email address
@@ -393,11 +393,15 @@ superuser:
 ##
 apiToken: 0123456789abcdef0123456789abcdef01234567
 ## @param superuser.existingSecret Existing secret containing Netbox superuser password
+ ## @param superuser.existingSecretName Existing secret containing Netbox superuser password
 ##
 existingSecret: ""
+ existingSecretName: ""
 ## @param superuser.passwordSecretKey Key where the Netbox superuser password is being stored inside the existing secret.
+ ## @param superuser.existingSecretPasswordKey Key where the Netbox superuser password is being stored inside the existing secret.
 ##
 passwordSecretKey: ""
+ existingSecretPasswordKey: ""
 ## @param superuser.annotations Additional custom annotations for Netbox superuser secret object
 ##
 annotations: {}
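Review bot: The key helpers decide on `superuser.existingSecret`, but the volume still mounts `name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }}`, so when only `superuser.existingSecret` is set the rendered `items` ask for `superuser.existingSecretPasswordKey` inside a Secret that does not contain it and the kubelet will refuse the volume. The Secret name needs the same resolution as the key, e.g. a `netbox.superuser.secretName` helper used on the `name:` line (the later "Fix helper" commit on this page introduces one, but the mount is still not switched there). The enclosing `volumes` list starts outside the hunk.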
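Review bot: `superuser.existingSecret`/`superuser.existingSecretName` and `superuser.passwordSecretKey`/`superuser.existingSecretPasswordKey` are now two pairs of parameters with identical descriptions in the `@@ -393` hunk, and nothing in the diff says which one the templates read (the helper hunk on this page reads `existingSecret` and `existingSecretPasswordKey`). Mark the inert names as deprecated in the `@param` text, e.g. `## @param superuser.passwordSecretKey (DEPRECATED) use superuser.existingSecretPasswordKey`, or drop them, so a user does not set a value the chart ignores. The `@@ -380` hunk is wording only.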
@@ -968,8 +972,8 @@ reportsPersistence: ## (gp2 on AWS, standard on GKE, AWS & OpenStack) ## storageClass: "" - ## @param reportsPersistence.path The path the volume will be mounted at on Redis® master containers - ## NOTE: Useful when using different Redis® images + ## @param reportsPersistence.path The path the volume will be mounted at on Redis master containers + ## NOTE: Useful when using different Redis images ## path: /opt/netbox/netbox/reports ## @param reportsPersistence.subPath Existing claim's subPath to use, e.g. "media" (optional) 
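Review bot: The rewritten comment still describes `reportsPersistence.path` as "The path the volume will be mounted at on Redis master containers", text carried over from the Redis chart; only the trademark symbol was removed. Suggested wording: `## @param reportsPersistence.path The path the volume will be mounted at inside the Netbox containers`, and drop the `NOTE: Useful when using different Redis images` line, which does not apply to a reports volume.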
@@ -1136,11 +1140,106 @@ service: ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## ingress: + ## @param ingress.enabled Enable ingress record generation for Netbox + ## enabled: false - className: "" + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.hostname Default host for the ingress record + ## + hostname: netbox.local + ## @param ingress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: false + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: airflow.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - airflow.local + ## secretName: airflow.local-tls + ## + extraTls: [] + ## @param ingress.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If 
it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: airflow.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] hosts: - host: chart-example.local paths: @@ -1158,43 +1257,6 @@ ingress: # NB: You may also want to set the basePath above - / - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - -initDirs: - image: - repository: busybox - tag: 1.36.1 - pullPolicy: IfNotPresent - - resources: {} - - # containerSecurityContext: - # enabled: true - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - # runAsGroup: 1000 # Keep the same as securityContext.runAsGroup - - containerSecurityContext: - enabled: true - seLinuxOptions: null - runAsUser: 1000 - runAsNonRoot: true - readOnlyRootFilesystem: false - allowPrivilegeEscalation: false - privileged: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - test: image: repository: busybox 
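Review bot: `ingress.className` is renamed to `ingress.ingressClassName` with no fallback, so an existing values file keeps setting a key the chart no longer reads and the Ingress silently renders without a class; either keep the old key as a documented alias or have the template fall back to it. The hunk also leaves the legacy `hosts:`/`paths:` list next to the new `hostname`/`path`/`tls: false`/`extraTls` layout while the following hunk deletes the old `tls: []`, and nothing in view says which schema the Ingress template consumes; one of the two should go in the same change. Several examples (`airflow.local`, `airflow.local-tls`) are copy-pasted from another chart and would read better as `netbox.local`.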
@@ -1666,15 +1728,6 @@ worker: ## initContainers: [] - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - ## Network worker Pod Disruption Budget configuration ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## @@ -1765,9 +1818,6 @@ tls: ## Prometheus Exporter / Metrics ## -## @param metricsEnabled (DEPRECATED) Enable metrics -## -metricsEnabled: false metrics: ## @param metrics.enabled Enable metrics ## 
@@ -1834,15 +1884,58 @@ metrics: ## labels: ## severity: critical groups: [] -## @param serviceMonitor (DEPRECATED) Prometheus Operator ServiceMonitor configuration -## -serviceMonitor: - ## @param serviceMonitor.enabled (DEPRECATED) Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## Metrics Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## - enabled: false - additionalLabels: {} - interval: 1m - scrapeTimeout: 10s + networkPolicy: + ## @param metrics.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param metrics.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports Metrics is listening + ## on. When true, Metrics will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param metrics.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param metrics.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param metrics.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param metrics.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + 
ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Database parameters @@ -2002,18 +2095,18 @@ cachingRedis: existingSecretPasswordKey: "" ## -## External Redis® +## External Redis ## externalRedis: - ## Redis® host + ## Redis host ## @param externalRedis.host External Redis host ## - host: "" - ## Redis® port + host: localhost + ## Redis port ## @param externalRedis.port External Redis port ## port: 6379 - ## Redis® password for authentication + ## Redis password for authentication ## Ignored if existingSecret is set ## @param externalRedis.password External Redis password ## @@ -2022,7 +2115,7 @@ externalRedis: ## @param externalRedis.existingSecret Existing secret for the external redis ## existingSecret: "" - ## Password key to be retrieved from Redis® secret + ## Password key to be retrieved from Redis secret ## @param externalRedis.existingSecretPasswordKey Password key for the existing secret containing the external redis password ## existingSecretPasswordKey: 'redis-password' 
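Review bot: The `extraIngress`/`extraEgress` examples are not valid NetworkPolicy fragments: `podSelector` and `matchLabels` are mappings in the API, but the examples write them as list items (`- podSelector:`, `- matchLabels:`, `- role: frontend`), so a user who copies them gets a rejected resource. Rewrite the example as `- podSelector:` / `    matchLabels:` / `      role: frontend`. The `extraEgress` description says "Add extra ingress rules" and `extraIngress` says "NetworkPolice"; and with `enabled: true` plus `allowExternal: true` as defaults the generated policy presumably admits any source to the metrics port, which should be stated in the `@param` text or defaulted to `false` (the policy template is not in view).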
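Review bot: `externalRedis.host` now defaults to `localhost` instead of `""` in the `@@ -2002` hunk, which inside a pod points NetBox at its own network namespace and removes the empty-value signal a render-time validation such as `netbox.validateValues.database` relies on for the database. A missing external Redis should fail at `helm template`, not at first connection, so keep `host: ""` and document it, e.g. `## @param externalRedis.host External Redis host (required when redis.enabled is false)`.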
@@ -2036,15 +2129,15 @@ redisWait: ## @param redisWait.extraArgs Additional arguments for the redis-cli call, such as TLS ## extraArgs: '' - ## @param redisWait.containerSecurityContext.enabled Enabled Argo CD repo server containers' Security Context + ## @param redisWait.containerSecurityContext.enabled Enabled wait-for-redis container Security Context ## @param redisWait.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param redisWait.containerSecurityContext.runAsUser Set Argo CD repo server containers' Security Context runAsUser - ## @param redisWait.containerSecurityContext.allowPrivilegeEscalation Set Argo CD repo server containers' Security Context allowPrivilegeEscalation - ## @param redisWait.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped - ## @param redisWait.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' repo server Security Context readOnlyRootFilesystem - ## @param redisWait.containerSecurityContext.runAsNonRoot Set Argo CD repo server containers' Security Context runAsNonRoot - ## @param redisWait.containerSecurityContext.privileged Set redisWait container's Security Context privileged - ## @param redisWait.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## @param redisWait.containerSecurityContext.runAsUser Set wait-for-redis container Security Context runAsUser + ## @param redisWait.containerSecurityContext.allowPrivilegeEscalation Set wait-for-redis container Security Context allowPrivilegeEscalation + ## @param redisWait.containerSecurityContext.capabilities.drop Set wait-for-redis container Security Context capabilities to be dropped + ## @param redisWait.containerSecurityContext.readOnlyRootFilesystem Set wait-for-redis container Security Context readOnlyRootFilesystem + ## @param redisWait.containerSecurityContext.runAsNonRoot Set wait-for-redis 
container Security Context runAsNonRoot + ## @param redisWait.containerSecurityContext.privileged Set wait-for-redis container Security Context privileged + ## @param redisWait.containerSecurityContext.seccompProfile.type Set wait-for-redis container Security Context seccomp profile ## containerSecurityContext: enabled: true @@ -2059,6 +2152,36 @@ redisWait: seccompProfile: type: "RuntimeDefault" +initDirs: + image: + repository: busybox + tag: 1.36.1 + pullPolicy: IfNotPresent + + resources: {} + ## @param initDirs.containerSecurityContext.enabled Enabled init-dirs container Security Context + ## @param initDirs.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param initDirs.containerSecurityContext.runAsUser Set init-dirs container Security Context runAsUser + ## @param initDirs.containerSecurityContext.allowPrivilegeEscalation Set init-dirs container Security Context allowPrivilegeEscalation + ## @param initDirs.containerSecurityContext.capabilities.drop Set init-dirs container Security Context capabilities to be dropped + ## @param initDirs.containerSecurityContext.readOnlyRootFilesystem Set init-dirs container Security Context readOnlyRootFilesystem + ## @param initDirs.containerSecurityContext.runAsNonRoot Set init-dirs container Security Context runAsNonRoot + ## @param initDirs.containerSecurityContext.privileged Set init-dirs container Security Context privileged + ## @param initDirs.containerSecurityContext.seccompProfile.type Set init-dirs container Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: null + runAsUser: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + gateway: ## @param gateway.enabled Enable Istio Gateway and VirtualService ## 
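Review bot: The moved `initDirs` block gains `@param` documentation for `containerSecurityContext` only; `initDirs.image.repository`, `initDirs.image.tag`, `initDirs.image.pullPolicy` and `initDirs.resources` have none, unlike the neighbouring `redisWait` block. `readOnlyRootFilesystem: false` is the one hardening flag left off for a container whose name suggests it only creates directories on a mounted volume; if the writable root is needed, a one-line comment saying why (`## root FS stays writable because …`) would stop the next reviewer tightening it, otherwise set it to `true`. `runAsGroup` is also absent while the worker defaults removed earlier on this page carried `runAsGroup: 1000`, so ownership of the created directories is unspecified.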
@@ -2066,14 +2189,20 @@ gateway: ## @param gateway.dedicated ## dedicated: false - ## @param gateway.dedicated + ## @param gateway.gatewayApi ## gatewayApi: ## @param gateway.gatewayApi.create Create Kubernetes Gateway API gateway ## create: false + ## @param gateway.name + ## name: "" + ## @param gateway.namespace + ## namespace: "" + ## @param gateway.gatewayClassName + ## gatewayClassName: istio ## @param gateway.listeners ## @@ -2084,7 +2213,11 @@ gateway: # - name: https # port: 443 # protocol: HTTPS + ## @param gateway.existingGateway + ## existingGateway: ~ + ## @param gateway.existingVirtualService + ## existingVirtualService: ~ ## @param gateway.extraRoute Array of extra Kubernetes Gateway API Route to deploy with the release ## From 14ba71a23af056411e88e4903258913302b5747f Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 13:04:54 +0700 Subject: [PATCH 101/110] Fix helper --- charts/netbox/templates/_helpers.tpl | 35 ++++++++++++++++++++++++- charts/netbox/templates/deployment.yaml | 28 ++++++++++---------- charts/netbox/values.yaml | 29 +++++++++++--------- 3 files changed, 64 insertions(+), 28 deletions(-) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 37a21814..501c0da0 100644 --- a/charts/netbox/templates/_helpers.tpl +++ b/charts/netbox/templates/_helpers.tpl @@ -606,6 +606,18 @@ Return the secret key that contains the Netbox superuser password {{- end -}} {{- end -}} +{{/* +Return the secret name containing the Netbox superuser password +*/}} +{{- define "netbox.superuser.secretName" -}} +{{- $secretName := .Values.superuser.existingSecret -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-su" (include "netbox.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Return the secret key that contains the Netbox superuser password */}} 
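Review bot: The added `@param gateway.gatewayApi`, `gateway.name`, `gateway.namespace` and `gateway.gatewayClassName` tags carry no description, and the same holds for `gateway.existingGateway` and `gateway.existingVirtualService` in the `@@ -2084` hunk; a readme generator turns these into empty table cells. Give each a sentence, e.g. `## @param gateway.existingGateway Name of an existing Gateway to attach the route to instead of creating one` and `## @param gateway.gatewayClassName GatewayClass used when the chart creates the Gateway`, checked against the template since it is not in view.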
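Review bot: When `superuser.existingSecret` is empty the new `netbox.superuser.secretName` returns `<fullname>-su`, but the chart's own Secret template on this page writes `superuser_password` and `superuser_api_token` into the `netbox.fullname` Secret, so the fallback names a Secret that nothing in view creates. Either return `include "netbox.fullname" .` in the `else` branch or add a `-su` Secret template. The deployment hunk in the same commit still mounts from `.Values.existingSecret | default (include "netbox.fullname" .)`, so the helper also has to be wired into that `name:` line before it takes effect.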
@@ -622,7 +634,8 @@ Return the secret key that contains the Netbox superuser password {{- else -}} {{- printf "%s" "superuser_password" -}} {{- end -}} - {{- end -}} +{{- end -}} +{{- end -}} {{/* Return the secret key that contains the Netbox superuser API token @@ -641,6 +654,26 @@ Return the secret key that contains the Netbox superuser API token {{- printf "%s" "superuser_api_token" -}} {{- end -}} {{- end -}} +{{- end -}} + +{{/* +Return the secret key that contains the Netbox email password +*/}} +{{- define "netbox.email.secretPasswordKey" -}} +{{- if .Values.existingSecretName -}} + {{- printf "%s" "email-password" -}} +{{- else -}} + {{- if .Values.email.existingSecretName -}} + {{- if .Values.email.existingSecretPasswordKey -}} + {{- printf "%s" .Values.email.existingSecretPasswordKey -}} + {{- else -}} + {{- printf "%s" "email-password" -}} + {{- end -}} + {{- else -}} + {{- printf "%s" "email_password" -}} + {{- end -}} +{{- end -}} +{{- end -}} {{/* Validate values of Netbox - database */}} {{- define "netbox.validateValues.database" -}} diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index d0092c46..e91389cc 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml 
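Review bot: `netbox.email.secretPasswordKey` branches on `.Values.existingSecretName` while the two superuser helpers right above it (untouched by this hunk) branch on `.Values.existingSecret`, so once the values file carries both keys a user setting only one of them gets hyphenated key names for e-mail and underscored ones for the superuser out of the same Secret. Pick one top-level parameter and use it in all three helpers. The three nested `if`s again reduce to `{{- default "email-password" .Values.email.existingSecretPasswordKey -}}` inside the `email.existingSecretName` branch; the `@@ -622` hunk correctly adds the missing define `end`s.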
@@ -277,20 +277,20 @@ spec:
 - secret:
 name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }}
 items:
- # Used by netbox-docker entry scripts
- - key: {{ include "netbox.superuser.secretPasswordKey" . | quote }}
- path: superuser_password
- - key: {{ include "netbox.superuser.secretApiTokenKey" . | quote }}
- path: superuser_api_token
- # Used by our configuration
- - key: email_password
- path: email_password
- - key: secret_key
- path: secret_key
- {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }}
- - key: ldap_bind_password
- path: ldap_bind_password
- {{- end }}
+ # Used by netbox-docker entry scripts
+ - key: {{ include "netbox.superuser.secretPasswordKey" . | quote }}
+ path: superuser_password
+ - key: {{ include "netbox.superuser.secretApiTokenKey" . | quote }}
+ path: superuser_api_token
+ # Used by our configuration
+ - key: {{ include "netbox.email.secretPasswordKey" . | quote }}
+ path: email_password
+ - key: secret_key
+ path: secret_key
+ {{- if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" }}
+ - key: ldap_bind_password
+ path: ldap_bind_password
+ {{- end }}
 - secret:
 name: {{ include "netbox.databaseSecretName" . | quote }}
 items:
diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml
index 6fec17bc..b90b471d 100644
--- a/charts/netbox/values.yaml
+++ b/charts/netbox/values.yaml
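Review bot: The mount still names the Secret with `{{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }}`, while the three key helpers it now calls decide on `existingSecretName` (e-mail) and `superuser.existingSecret`, so the key and the Secret it is looked up in come from different parameters and hyphenated keys get requested from the chart-generated Secret, which only carries underscored ones. Resolve the name through the same parameters, e.g. `name: {{ .Values.existingSecretName | default (include "netbox.fullname" .) | quote }}` for the top-level case, and call `netbox.superuser.secretName` where that Secret differs. The rest of the hunk is a re-indent of the `items` list; the enclosing `volumes` list starts outside it.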
@@ -761,20 +761,23 @@ extraConfig: [] ## secretKey: "" -## Provide passwords using existing secret -# If set, this Secret must contain the following keys: -# - db_password: database password (if postgresql.enabled is false and -# externalDatabase.existingSecretName is blank) -# - email_password: SMTP user password -# - ldap_bind_password: Password for LDAP bind DN -# - redis_tasks_password: Redis password for tasks Redis instance (if -# redis.enabled is false and tasksRedis.existingSecretName is blank) -# - redis_cache_password: Redis password for caching Redis instance (if -# redis.enabled is false and cachingRedis.existingSecretName is blank) -# - secret_key: session encryption token (50+ random characters) -# - superuser_password: Password for the initial super-user account -# - superuser_api_token: API token created for the initial super-user account +## @param existingSecret Provide passwords using existing secret +## @param existingSecretName Provide passwords using existing secret +## If set, this Secret must contain the following keys: +## - db-password: database password (if postgresql.enabled is false and +## externalDatabase.existingSecretName is blank) +## - email-password: SMTP user password +## - ldap-bind-password: Password for LDAP bind DN +## - redis-tasks-password: Redis password for tasks Redis instance (if +## redis.enabled is false and tasksRedis.existingSecretName is blank) +## - redis-cache-password: Redis password for caching Redis instance (if +## redis.enabled is false and cachingRedis.existingSecretName is blank) +## - secret-key: session encryption token (50+ random characters) +## - superuser-password: Password for the initial super-user account +## - superuser-api-token: API token created for the initial super-user account +## existingSecret: "" +existingSecretName: "" # Override the NGINX Unit configuration inside the container. When enabled, this # overrides the default configuration loaded into Unit. The upstream config is: 
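Review bot: `existingSecret` and `existingSecretName` are both declared with the identical text "Provide passwords using existing secret", and the helpers on this page read one or the other, so a user cannot tell which is live. Mark one as canonical and the other as `(DEPRECATED) alias of existingSecretName`, or remove `existingSecret` here and in the templates in one change. The key list also switches every expected key from underscores to hyphens (`db_password` → `db-password`, and so on), which invalidates any Secret built against the previous documentation; that deserves a line such as `## NOTE: key names changed from snake_case in earlier chart versions` or a compatibility lookup in the helpers.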
From 2d003da1cc3a4061bc7b7bf4929c85547e496b1d Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 18:47:33 +0700 Subject: [PATCH 102/110] Cleanup existingSecret --- charts/netbox/README.md | 10 ++-- .../netbox/templates/Secret/external-db.yaml | 4 +- .../templates/Secret/external-redis.yaml | 2 +- charts/netbox/templates/Secret/netbox.yaml | 13 +++-- charts/netbox/templates/_helpers.tpl | 56 +++++++++---------- charts/netbox/templates/cronjob.yaml | 4 +- charts/netbox/templates/deployment.yaml | 10 ++-- .../netbox/templates/worker/Deployment.yaml | 52 +++++++++++++++-- charts/netbox/values.yaml | 37 ++++++------ 9 files changed, 114 insertions(+), 74 deletions(-) diff --git a/charts/netbox/README.md b/charts/netbox/README.md index 998906ce..dcd51e04 100644 --- a/charts/netbox/README.md +++ b/charts/netbox/README.md @@ -201,7 +201,7 @@ The following table lists the configurable parameters for this chart and their d | `email.server` | SMTP server to use to send emails | `localhost` | | `email.port` | TCP port to connect to the SMTP server on | `25` | | `email.username` | Optional username for SMTP authentication | `""` | -| `email.password` | Password for SMTP authentication (see also `existingSecret`) | `""` | +| `email.password` | Password for SMTP authentication (see also `existingSecretName`) | `""` | | `email.useSSL` | Use SSL when connecting to the server | `false` | | `email.useTLS` | Use TLS when connecting to the server | `false` | | `email.sslCertFile` | SMTP SSL certificate file path (e.g. in a mounted volume) | `""` | 
@@ -289,7 +289,7 @@ The following table lists the configurable parameters for this chart and their d | `shortDateTimeFormat` | Django date format for short-form date and time strongs | `"Y-m-d H:i"` | | `extraConfig` | Additional NetBox configuration (see `values.yaml`) | `[]` | | `secretKey` | Django secret key used for sessions and password reset tokens | `""` (generated) | -| `existingSecret` | Use an existing Kubernetes `Secret` for secret values (see below) | `""` (use individual chart values) | +| `existingSecretName` | Use an existing Kubernetes `Secret` for secret values (see below) | `""` (use individual chart values) | | `overrideUnitConfig` | Override the NGINX Unit application server configuration | `{}` (*see values.yaml*) | | `postgresql.enabled` | Deploy PostgreSQL using bundled Bitnami PostgreSQL chart | `true` | | `postgresql.auth.username` | Username to create for NetBox in bundled PostgreSQL instance | `netbox` | @@ -299,7 +299,7 @@ The following table lists the configurable parameters for this chart and their d | `externalDatabase.port` | Port number for external PostgreSQL | `5432` | | `externalDatabase.database` | Database name for external PostgreSQL | `netbox` | | `externalDatabase.username` | Username for external PostgreSQL | `netbox` | -| `externalDatabase.password` | Password for external PostgreSQL (see also `existingSecret`) | `""` | +| `externalDatabase.password` | Password for external PostgreSQL (see also `existingSecretName`) | `""` | | `externalDatabase.existingSecretName` | Fetch password for external PostgreSQL from a different `Secret` | `""` | | `externalDatabase.existingSecretKey` | Key to fetch the password in the above `Secret` | `postgresql-password` | | `externalDatabase.sslMode` | PostgreSQL client SSL Mode setting | `prefer` | 
@@ -318,7 +318,7 @@ The following table lists the configurable parameters for this chart and their d | `tasksRedis.sentinelService` | Sentinel master service name | `"netbox-redis"` | | `tasksRedis.sentinelTimeout` | Sentinel connection timeout, in seconds | `300` (5 minutes) | | `tasksRedis.username` | Username for external Redis | `""` | -| `tasksRedis.password` | Password for external Redis (see also `existingSecret`) | `""` | +| `tasksRedis.password` | Password for external Redis (see also `existingSecretName`) | `""` | | `tasksRedis.existingSecretName` | Fetch password for external Redis from a different `Secret` | `""` | | `tasksRedis.existingSecretKey` | Key to fetch the password in the above `Secret` | `redis-password` | | `cachingRedis.database` | Redis database number used for caching views | `1` | @@ -331,7 +331,7 @@ The following table lists the configurable parameters for this chart and their d | `cachingRedis.sentinelService` | Sentinel master service name | `"netbox-redis"` | | `cachingRedis.sentinelTimeout` | Sentinel connection timeout, in seconds | `300` (5 minutes) | | `cachingRedis.username` | Username for external Redis | `""` | -| `cachingRedis.password` | Password for external Redis (see also `existingSecret`) | `""` | +| `cachingRedis.password` | Password for external Redis (see also `existingSecretName`) | `""` | | `cachingRedis.existingSecretName` | Fetch password for external Redis from a different `Secret` | `""` | | `cachingRedis.existingSecretKey` | Key to fetch the password in the above `Secret` | `redis-password` | | `imagePullSecrets` | List of `Secret` names containing private registry credentials | `[]` | diff --git a/charts/netbox/templates/Secret/external-db.yaml b/charts/netbox/templates/Secret/external-db.yaml index 5d976e85..68fc9792 100644 --- a/charts/netbox/templates/Secret/external-db.yaml +++ b/charts/netbox/templates/Secret/external-db.yaml 
@@ -1,4 +1,4 @@
-{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) (not .Values.postgresql.existingSecret) }}
+{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecretName) (not .Values.postgresql.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,5 +10,5 @@ metadata:
 {{- end }}
 type: Opaque
 data:
- db-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-externaldb" .Release.Name) "key" "db-password" "length" 10 "providedValues" (list "externalDatabase.password") "context" $) }}
+ db-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-externaldb" .Release.Name) "key" "db-password" "length" 30 "providedValues" (list "externalDatabase.password") "context" $) }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/netbox/templates/Secret/external-redis.yaml b/charts/netbox/templates/Secret/external-redis.yaml
index 592198e8..2f024a1f 100644
--- a/charts/netbox/templates/Secret/external-redis.yaml
+++ b/charts/netbox/templates/Secret/external-redis.yaml
@@ -1,4 +1,4 @@
-{{- if and (not .Values.redis.enabled) (not .Values.tasksRedis.existingSecret) (not .Values.cachingRedis.existingSecret) (not .Values.redis.existingSecret) }}
+{{- if and (not .Values.redis.enabled) (not .Values.tasksRedis.existingSecretName) (not .Values.cachingRedis.existingSecretName) (not .Values.redis.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/netbox/templates/Secret/netbox.yaml b/charts/netbox/templates/Secret/netbox.yaml
index 98d3e31d..955b4071 100644
--- a/charts/netbox/templates/Secret/netbox.yaml
+++ b/charts/netbox/templates/Secret/netbox.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.existingSecret -}}
+{{- if not .Values.existingSecretName -}}
 apiVersion: v1
 kind: Secret
 metadata:
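Review bot: The guard now tests `externalDatabase.existingSecretName` but still tests `.Values.postgresql.existingSecret`, a key no helper on this page reads (the `@@ -449` helper hunk below resolves `postgresql.auth.existingSecretName`), so that part of the condition probably never suppresses the generated Secret. Align it with the parameter the helpers resolve, e.g. `(not .Values.postgresql.auth.existingSecretName)`; the `external-redis.yaml` hunk has the same shape with `.Values.redis.existingSecret` against the helpers' `redis.auth.existingSecret`. Raising the generated length from 10 to 30 is a welcome change.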
@@ -12,7 +12,10 @@ data:
 {{ if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecretName) -}}
 db_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.postgresql.fullname" .)) "key" "password" "length" 12 "providedValues" (list "externalDatabase.password") "context" $) }}
 {{ end -}}
- email_password: {{ .Values.email.password | b64enc | quote }}
+ {{ if (not .Values.email.existingSecretName) -}}
+ # email_password: {{ .Values.email.password | b64enc | quote }}
+ email_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.fullname" .)) "key" "email_password" "length" 12 "providedValues" (list "email.password") "context" $) }}
+ {{ end -}}
 {{ if and (not .Values.redis.enabled) (not .Values.tasksRedis.existingSecretName) -}}
 redis_tasks_password: {{ .Values.tasksRedis.password | b64enc | quote }}
 {{ end -}}
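Review bot: The commented-out `# email_password: {{ .Values.email.password | b64enc | quote }}` is still a template action: Helm evaluates `{{ }}` inside YAML comments, so the line is executed and then emitted as a comment into the rendered Secret manifest. Delete it rather than comment it out. Separately, `common.secrets.passwords.manage` with `length 12` mints a random SMTP password whenever `email.password` is empty, so a server configured without SMTP auth now receives a non-empty `email_password`; whether netbox-docker treats an empty `EMAIL_USERNAME` as "no auth" regardless of the password is not visible here and should be checked before relying on the generated value.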
@@ -20,11 +23,11 @@ data:
 redis_cache_password: {{ .Values.cachingRedis.password | b64enc | quote }}
 {{ end -}}
 secret_key: {{ .Values.secretKey | default (randAscii 60) | b64enc }}
- {{- if (not .Values.superuser.existingSecretName) }}
+ {{- if not .Values.superuser.existingSecretName }}
 # superuser_password: {{ .Values.superuser.password | default (randAlphaNum 16) | b64enc }}
 # superuser_api_token: {{ .Values.superuser.apiToken | default uuidv4 | b64enc }}
- superuser_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.fullname" .)) "key" "superuser_password" "length" 12 "providedValues" (list "superuser.password") "context" $) }}
- superuser_api_token: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.fullname" .)) "key" "superuser_api_token" "length" 12 "providedValues" (list "superuser.apiToken") "context" $) }}
+ superuser_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.fullname" .)) "key" "superuser_password" "length" 16 "providedValues" (list "superuser.password") "context" $) }}
+ superuser_api_token: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.fullname" .)) "key" "superuser_api_token" "length" 32 "providedValues" (list "superuser.apiToken") "context" $) }}
 {{- end }}
 {{ if eq .Values.remoteAuth.backend "netbox.authentication.LDAPBackend" -}}
 ldap_bind_password: {{ .Values.remoteAuth.ldap.bindPassword | b64enc | quote }}
diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl
index 501c0da0..017c5f1b 100644
--- a/charts/netbox/templates/_helpers.tpl
+++ b/charts/netbox/templates/_helpers.tpl
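Review bot: `superuser_api_token` is now generated with `length 32`, but as far as I recall NetBox's `Token.key` is validated to exactly 40 characters (the chart's own default `superuser.apiToken` is 40 characters for that reason), so the generated token is likely to be rejected when netbox-docker creates the superuser; use `"length" 40`. The alphanumeric output of `common.secrets.passwords.manage` is otherwise acceptable as a key, so only the length needs to change. The commented-out `# superuser_password:`/`# superuser_api_token:` context lines above still contain live template actions and would be better deleted than commented.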
@@ -161,7 +161,7 @@ Name of the Secret that contains the PostgreSQL password {{- else if .Values.externalDatabase.existingSecretName }} {{- .Values.externalDatabase.existingSecretName }} {{- else }} - {{- .Values.existingSecret | default (include "netbox.fullname" .) }} + {{- .Values.existingSecretName | default (include "netbox.postgresql.fullname" .) }} {{- end }} {{- end }} @@ -197,7 +197,7 @@ Return the Redis secret name {{- default (include "netbox.redis.fullname" .) (tpl .Values.redis.auth.existingSecret $) -}} {{- end -}} {{- else -}} - {{- default (printf "%s-external-redis" .Release.Name) (tpl .Values.tasksRedis.existingSecret $) -}} + {{- default (printf "%s-external-redis" .Release.Name) (tpl .Values.tasksRedis.existingSecretName $) -}} {{- end -}} {{- end -}} @@ -226,7 +226,7 @@ Add environment variables to configure tasks Redis values {{- if .Values.redis.enabled -}} {{- print "redis-password" -}} {{- else -}} - {{- if .Values.tasksRedis.existingSecret -}} + {{- if .Values.tasksRedis.existingSecretName -}} {{- if .Values.tasksRedis.existingSecretPasswordKey -}} {{- printf "%s" .Values.tasksRedis.existingSecretPasswordKey -}} {{- else -}} @@ -247,7 +247,7 @@ Name of the Secret that contains the Redis tasks password {{- else if .Values.tasksRedis.existingSecretName }} {{- .Values.tasksRedis.existingSecretName }} {{- else }} - {{- .Values.existingSecret | default (include "netbox.fullname" .) }} + {{- .Values.existingSecretName | default (include "netbox.fullname" .) }} {{- end }} {{- end }} @@ -283,7 +283,7 @@ Return the Redis secret name {{- default (include "netbox.redis.fullname" .) (tpl .Values.redis.auth.existingSecret $) -}} {{- end -}} {{- else -}} - {{- default (printf "%s-external-redis" .Release.Name) (tpl .Values.cachingRedis.existingSecret $) -}} + {{- default (printf "%s-external-redis" .Release.Name) (tpl .Values.cachingRedis.existingSecretName $) -}} {{- end -}} {{- end -}} 
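Review bot: The fallback in the `@@ -161` hunk changes to `include "netbox.postgresql.fullname" .`, while the other database-secret helper at `@@ -449` falls back to `printf "%s-externaldb" .Release.Name` for the external case, so two helpers that both claim to return the PostgreSQL password Secret now disagree on its name whenever no `existingSecretName` is set. Keep one source of truth, e.g. have this helper return `include "netbox.databaseSecretName" .` (the name the deployment mounts) instead of duplicating the selection. The enclosing define starts outside the hunk; the `tpl` rename hunks at `@@ -197` and `@@ -283` are consistent with each other.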
@@ -312,7 +312,7 @@ Add environment variables to configure tasks Redis values {{- if .Values.redis.enabled -}} {{- print "redis-password" -}} {{- else -}} - {{- if .Values.cachingRedis.existingSecret -}} + {{- if .Values.cachingRedis.existingSecretName -}} {{- if .Values.cachingRedis.existingSecretPasswordKey -}} {{- printf "%s" .Values.cachingRedis.existingSecretPasswordKey -}} {{- else -}} @@ -333,7 +333,7 @@ Name of the Secret that contains the Redis cache password {{- else if .Values.cachingRedis.existingSecretName }} {{- .Values.cachingRedis.existingSecretName }} {{- else }} - {{- .Values.existingSecret | default (include "netbox.fullname" .) }} + {{- .Values.existingSecretName | default (include "netbox.fullname" .) }} {{- end }} {{- end }} @@ -449,16 +449,16 @@ Return the Database encrypted password {{- if .Values.global.postgresql.auth.existingSecret -}} {{- tpl .Values.global.postgresql.auth.existingSecret $ -}} {{- else -}} - {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}} + {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecretName $) -}} {{- end -}} {{- else -}} - {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}} + {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecretName $) -}} {{- end -}} {{- else -}} - {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}} + {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecretName $) -}} {{- end -}} {{- else -}} - {{- default (printf "%s-externaldb" .Release.Name) (tpl .Values.externalDatabase.existingSecret $) -}} + {{- default (printf "%s-externaldb" .Release.Name) (tpl .Values.externalDatabase.existingSecretName $) -}} {{- end -}} {{- end -}} 
@@ -469,7 +469,7 @@ Add environment variables to configure database values {{- if .Values.postgresql.enabled -}} {{- printf "%s" "password" -}} {{- else -}} - {{- if .Values.externalDatabase.existingSecret -}} + {{- if .Values.externalDatabase.existingSecretName -}} {{- if .Values.externalDatabase.existingSecretPasswordKey -}} {{- printf "%s" .Values.externalDatabase.existingSecretPasswordKey -}} {{- else -}} @@ -520,8 +520,8 @@ Return the Redis secret name {{- else -}} {{- printf "%s" (include "netbox.redis.fullname" .) }} {{- end -}} -{{- else if .Values.externalRedis.existingSecret }} - {{- printf "%s" .Values.externalRedis.existingSecret -}} +{{- else if .Values.externalRedis.existingSecretName }} + {{- printf "%s" .Values.externalRedis.existingSecretName -}} {{- else -}} {{- printf "%s" (include "netbox.redis.fullname" .) -}} {{- end -}} @@ -534,7 +534,7 @@ Return the Redis secret key {{- if .Values.redis.enabled -}} {{- printf "%s" "redis-password" -}} {{- else -}} - {{- if .Values.externalRedis.existingSecret -}} + {{- if .Values.externalRedis.existingSecretName -}} {{- if .Values.externalRedis.existingSecretPasswordKey -}} {{- printf "%s" .Values.externalRedis.existingSecretPasswordKey -}} {{- else -}} @@ -550,7 +550,7 @@ Return the Redis secret key Return whether Redis uses password authentication or not */}} {{- define "netbox.redis.auth.enabled" -}} -{{- if or (and .Values.redis.enabled .Values.redis.auth.enabled) (and (not .Values.redis.enabled) (or .Values.externalRedis.password .Values.externalRedis.existingSecret)) }} +{{- if or (and .Values.redis.enabled .Values.redis.auth.enabled) (and (not .Values.redis.enabled) (or .Values.externalRedis.password .Values.externalRedis.existingSecretName)) }} {{- true -}} {{- end -}} {{- end -}} 
@@ -586,7 +586,7 @@ Return the Redis port Return the secret containing the Netbox superuser password */}} {{- define "netbox.secretName" -}} -{{- $secretName := .Values.superuser.existingSecret -}} +{{- $secretName := .Values.superuser.existingSecretName -}} {{- if $secretName -}} {{- printf "%s" (tpl $secretName $) -}} {{- else -}} @@ -598,9 +598,9 @@ Return the secret containing the Netbox superuser password Return the secret key that contains the Netbox superuser password */}} {{- define "netbox.secretKey" -}} -{{- $secretName := .Values.superuser.existingSecret -}} -{{- if and $secretName .Values.superuser.passwordSecretKey -}} - {{- printf "%s" .Values.superuser.passwordSecretKey -}} +{{- $secretName := .Values.superuser.existingSecretName -}} +{{- if and $secretName .Values.superuser.existingSecretPasswordKey -}} + {{- printf "%s" .Values.superuser.existingSecretPasswordKey -}} {{- else -}} {{- print "superuser_password" -}} {{- end -}} @@ -610,7 +610,7 @@ Return the secret key that contains the Netbox superuser password Return the secret name containing the Netbox superuser password */}} {{- define "netbox.superuser.secretName" -}} -{{- $secretName := .Values.superuser.existingSecret -}} +{{- $secretName := .Values.superuser.existingSecretName -}} {{- if $secretName -}} {{- printf "%s" (tpl $secretName $) -}} {{- else -}} @@ -622,10 +622,10 @@ Return the secret name containing the Netbox superuser password Return the secret key that contains the Netbox superuser password */}} {{- define "netbox.superuser.secretPasswordKey" -}} -{{- if .Values.existingSecret -}} +{{- if .Values.existingSecretName -}} {{- printf "%s" "superuser-password" -}} {{- else -}} - {{- if .Values.superuser.existingSecret -}} + {{- if .Values.superuser.existingSecretName -}} {{- if .Values.superuser.existingSecretPasswordKey -}} {{- printf "%s" .Values.superuser.existingSecretPasswordKey -}} {{- else -}} 
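Review bot: After this hunk `netbox.secretName` (`@@ -586`) and `netbox.superuser.secretName` (`@@ -610`) have identical bodies, and `netbox.secretKey` (`@@ -598`) duplicates `netbox.superuser.secretPasswordKey` (`@@ -622`) except that only the latter honours the chart-wide `existingSecretName`; keeping both pairs invites a template to pick the variant that ignores the global Secret. Fold the unprefixed pair into the `netbox.superuser.*` helpers, and either rename `netbox.secretKey` or give it a comment such as `{{/* Key of the superuser password inside the Secret; unrelated to Django's secret_key */}}`, since its name currently reads like the Django SECRET_KEY. The else branches of these defines continue outside the hunk.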
@@ -641,10 +641,10 @@ Return the secret key that contains the Netbox superuser password Return the secret key that contains the Netbox superuser API token */}} {{- define "netbox.superuser.secretApiTokenKey" -}} -{{- if .Values.existingSecret -}} +{{- if .Values.existingSecretName -}} {{- printf "%s" "superuser-api-token" -}} {{- else -}} - {{- if .Values.superuser.existingSecret -}} + {{- if .Values.superuser.existingSecretName -}} {{- if .Values.superuser.existingSecretApiTokenKey -}} {{- printf "%s" .Values.superuser.existingSecretApiTokenKey -}} {{- else -}} 
@@ -677,19 +677,19 @@ Return the secret key that contains the Netbox email password {{/* Validate values of Netbox - database */}} {{- define "netbox.validateValues.database" -}} -{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) (and (not .Values.externalDatabase.password) (not .Values.externalDatabase.existingSecret)) -}} +{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) (and (not .Values.externalDatabase.password) (not .Values.externalDatabase.existingSecretName)) -}} netbox: database You disabled the PostgreSQL sub-chart but did not specify an external PostgreSQL host. Either deploy the PostgreSQL sub-chart (--set postgresql.enabled=true), or set a value for the external database host (--set externalDatabase.host=FOO) and set a value for the external database password (--set externalDatabase.password=BAR) - or existing secret (--set externalDatabase.existingSecret=BAR). + or existing secret (--set externalDatabase.existingSecretName=BAR). {{- end -}} {{- end -}} {{/* Validate values of Netbox - TLS enabled */}} {{- define "netbox.validateValues.tls" -}} -{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated) (not .Values.tls.existingSecret) }} +{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated) (not .Values.tls.existingSecretName) }} netbox: tls.enabled In order to enable TLS, you also need to provide an existing secret containing the Keystore and Truststore or diff --git a/charts/netbox/templates/cronjob.yaml b/charts/netbox/templates/cronjob.yaml index d99356cf..159a467f 100644 --- a/charts/netbox/templates/cronjob.yaml +++ b/charts/netbox/templates/cronjob.yaml 
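Review bot: The database validation only fires when `externalDatabase.host` is empty and no password or secret is given, so the case the message describes — a host set with no credentials — is never rejected and the chart falls through to a generated password that an external server will not accept. Change the condition to `{{- if and (not .Values.postgresql.enabled) (or (not .Values.externalDatabase.host) (and (not .Values.externalDatabase.password) (not .Values.externalDatabase.existingSecretName))) -}}`. The TLS validation message below still talks about a "Keystore and Truststore", which looks copied from another chart; reword it to match the `tls.*` values this chart actually exposes.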
@@ -109,10 +109,10 @@ spec: projected: sources: - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} + name: {{ .Values.existingSecretName | default (include "netbox.fullname" .) | quote }} items: # Used by our configuration - - key: email_password + - key: {{ include "netbox.email.secretPasswordKey" . | quote }} path: email_password - key: secret_key path: secret_key diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml index e91389cc..463c3239 100644 --- a/charts/netbox/templates/deployment.yaml +++ b/charts/netbox/templates/deployment.yaml @@ -26,7 +26,7 @@ spec: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} - {{- if (not .Values.existingSecret) }} + {{- if (not .Values.existingSecretName) }} checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . | sha256sum }} {{- end }} {{- if .Values.podAnnotations }} @@ -142,11 +142,11 @@ spec: readinessProbe: httpGet: path: /{{ .Values.basePath }}login/ - port: http + port: {{ .Values.containerPorts.http }} {{- if (not (eq (index .Values.allowedHosts 0) "*")) }} httpHeaders: - - name: Host - value: {{ (index .Values.allowedHosts 0) | quote }} + - name: Host + value: {{ (index .Values.allowedHosts 0) | quote }} {{- end }} initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} @@ -275,7 +275,7 @@ spec: projected: sources: - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} + name: {{ .Values.existingSecretName | default (include "netbox.fullname" .) | quote }} items: # Used by netbox-docker entry scripts - key: {{ include "netbox.superuser.secretPasswordKey" . | quote }} diff --git a/charts/netbox/templates/worker/Deployment.yaml b/charts/netbox/templates/worker/Deployment.yaml index 327f8b7a..b635cbca 100644 
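Review bot: The re-indented Host header block still evaluates `index .Values.allowedHosts 0` without checking that the list is non-empty, so an override of `allowedHosts: []` makes the whole Deployment fail to render instead of merely omitting the header. Guard it with `{{- if and .Values.allowedHosts (ne (index .Values.allowedHosts 0) "*") }}`. Switching the readiness probe `port` from the named port `http` to `{{ .Values.containerPorts.http }}` also means probe and container port are now kept in sync by value rather than by name, so the container `ports:` block (outside this hunk) must read the same value.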
--- a/charts/netbox/templates/worker/Deployment.yaml +++ b/charts/netbox/templates/worker/Deployment.yaml @@ -28,7 +28,7 @@ spec: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/ConfigMap/netbox.yaml") . | sha256sum }} - {{- if (not .Values.existingSecret) }} + {{- if (not .Values.existingSecretName) }} checksum/secret: {{ include (print $.Template.BasePath "/Secret/netbox.yaml") . | sha256sum }} {{- end }} {{- if .Values.worker.podAnnotations }} 
@@ -136,12 +136,54 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.worker.sidecars "context" $) | nindent 8 }} {{- end }} {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.worker.podSecurityContext.enabled .Values.worker.containerSecurityContext.enabled }} - {{- if or .Values.worker.initContainers $needsVolumePermissions }} initContainers: + {{- if .Values.redisWait.enabled }} + - name: wait-for-redis + image: {{ include "netbox.redis.image" . }} + imagePullPolicy: {{ .Values.redis.image.pullPolicy | quote }} + securityContext: {{- omit .Values.redisWait.containerSecurityContext "enabled" | toYaml | nindent 12 }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + set -o errexit + set -o nounset + set -o pipefail + + . /opt/bitnami/scripts/libos.sh + . /opt/bitnami/scripts/liblog.sh + + check_redis_connection() { + local result="$(redis-cli -h {{ include "netbox.redisHost" . }} -p {{ include "netbox.redisPort" . }} {{ .Values.redisWait.extraArgs }} PING)" + if [[ "$result" != "PONG" ]]; then + false + fi + } + + info "Checking redis connection..." + if ! retry_while "check_redis_connection"; then + error "Could not connect to the Redis server" + return 1 + else + info "Connected to the Redis instance" + fi + {{- if include "netbox.redis.auth.enabled" . }} + env: + - name: REDISCLI_AUTH + valueFrom: + secretKeyRef: + name: {{ include "netbox.redis.secretName" . }} + key: {{ include "netbox.redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if or .Values.worker.initContainers $needsVolumePermissions }} {{- if .Values.worker.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.worker.initContainers "context" $) | nindent 8 }} {{- end }} - {{- end }} + {{- end }} volumes: - name: config configMap: 
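Review bot: `initContainers:` is now emitted unconditionally, so a worker with `redisWait.enabled=false` and no `worker.initContainers` renders an `initContainers:` key with a null value; restore the guard around the whole list as `{{- if or .Values.redisWait.enabled .Values.worker.initContainers $needsVolumePermissions }}`. The wait container takes its image from `netbox.redis.image` and its `imagePullPolicy` from `.Values.redis.image.pullPolicy`, i.e. the Redis sub-chart values, which therefore still have to be populated when an external Redis is configured. `{{ .Values.redisWait.extraArgs }}` is spliced unquoted into the `redis-cli` command line, so any value containing shell metacharacters is interpreted by bash — acceptable for operator-supplied values, but worth a one-line warning next to `redisWait.extraArgs` in values.yaml. `$needsVolumePermissions` is computed but no volume-permissions container is rendered in this hunk, so either that container lives outside the hunk or the variable is dead.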
@@ -150,10 +192,10 @@ spec: projected: sources: - secret: - name: {{ .Values.existingSecret | default (include "netbox.fullname" .) | quote }} + name: {{ .Values.existingSecretName | default (include "netbox.fullname" .) | quote }} items: # Used by our configuration - - key: email_password + - key: {{ include "netbox.email.secretPasswordKey" . | quote }} path: email_password - key: secret_key path: secret_key diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index b90b471d..fb380ca1 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -377,7 +377,7 @@ initContainers: [] extraInitContainers: [] ## You can also use an existing secret for the superuser password and API token -## See `existingSecret` for details +## See `existingSecretName` for details ## superuser: ## @param superuser.name Netbox administrator username @@ -391,11 +391,9 @@ superuser: password: admin ## @param superuser.apiToken Netbox administrator superuser token ## - apiToken: 0123456789abcdef0123456789abcdef01234567 - ## @param superuser.existingSecret Existing secret containing Netbox superuser password + apiToken: "" ## @param superuser.existingSecretName Existing secret containing Netbox superuser password ## - existingSecret: "" existingSecretName: "" ## @param superuser.passwordSecretKey Key where the Netbox superuser password is being stored inside the existing secret. ## @param superuser.existingSecretPasswordKey Key where the Netbox superuser password is being stored inside the existing secret. @@ -513,7 +511,8 @@ debug: false # migrations. dbWaitDebug: false -# Email settings +## Email settings +## email: server: localhost port: 25 @@ -525,6 +524,7 @@ email: sslKeyFile: '' timeout: 10 # seconds from: '' + existingSecretPasswordKey: "" # Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce # unique IP space within the global table (all prefixes and IP addresses not 
@@ -672,9 +672,9 @@ remoteAuth: staffGroups: [] staffUsers: [] groupSeparator: '|' - ## @param remoteAuth.existingSecret Existing secret containing remote authentication parameters + ## @param remoteAuth.existingSecretName Existing secret containing remote authentication parameters ## - existingSecret: "" + existingSecretName: "" # The following options are specific for backend "netbox.authentication.LDAPBackend" # you can use an existing netbox secret with "ldap_bind_password" instead of "bindPassword" @@ -757,11 +757,10 @@ extraConfig: [] ## @param secretKey If provided, this should be a 50+ character string of random characters. It ## will be randomly generated if left blank. ## You can also use an existing secret with "secret_key" instead of "secretKey" -## See `existingSecret` for details +## See `existingSecretName` for details ## secretKey: "" -## @param existingSecret Provide passwords using existing secret ## @param existingSecretName Provide passwords using existing secret ## If set, this Secret must contain the following keys: ## - db-password: database password (if postgresql.enabled is false and @@ -776,7 +775,6 @@ secretKey: "" ## - superuser-password: Password for the initial super-user account ## - superuser-api-token: API token created for the initial super-user account ## -existingSecret: "" existingSecretName: "" # Override the NGINX Unit configuration inside the container. When enabled, this 
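Review bot: The key list documented for the chart-wide `existingSecretName` uses hyphenated names (`db-password`, `superuser-password`, `superuser-api-token`), whereas the projected volumes in cronjob.yaml and the worker Deployment read `secret_key` and the email password key from that same Secret with underscored names; make sure the part of the list elided by this hunk spells those keys exactly as the templates read them, otherwise a user-supplied Secret silently fails to mount. A note such as `## Key names must match exactly; see templates/cronjob.yaml for the keys the pods project` would save users a round-trip.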
@@ -1809,11 +1807,11 @@ tls: certCAFilename: "" secretName: ~ - ## @param tls.existingSecret Existing secret containing the TLS certificates per Netbox replica + ## @param tls.existingSecretName Existing secret containing the TLS certificates per Netbox replica ## - existingSecret: "" + existingSecretName: "" ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores - ## If "true", the Netbox chart will look for the files netbox.key and netbox.crt inside the secret provided with 'existingSecret'. + ## If "true", the Netbox chart will look for the files netbox.key and netbox.crt inside the secret provided with 'existingSecretName'. ## usePem: false @@ -1987,7 +1985,7 @@ postgresql: ## @param externalDatabase.user Non-root username for Keycloak ## @param externalDatabase.password Password for the non-root username for Keycloak ## @param externalDatabase.database Keycloak database name -## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials +## @param externalDatabase.existingSecretName Name of an existing secret resource containing the database credentials ## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name ## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port ## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user @@ -2001,7 +1999,7 @@ externalDatabase: database: netbox username: netbox password: "" - existingSecret: "" + existingSecretName: "" existingSecretHostKey: "" existingSecretPortKey: "" existingSecretUserKey: "" @@ -2009,7 +2007,6 @@ externalDatabase: existingSecretPasswordKey: "" annotations: {} - existingSecretName: "" existingSecretKey: postgresql-password # The following settings also apply when using the bundled PostgreSQL chart: 
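Review bot: `externalDatabase.existingSecretKey: postgresql-password` survives next to the new `existingSecretPasswordKey: ""`, but as far as the helper hunk at `@@ -469` shows the templates consult only `existingSecretPasswordKey`, so a user who sets the older key gets the default key name and a failing mount; drop `existingSecretKey` or make the helper honour it. The `tls` block likewise keeps `secretName: ~` beside the renamed `existingSecretName`, two values for what appears to be one Secret. Several @param descriptions in this hunk still say "Keycloak" and "PKS12/JKS stores", which is copied text and should describe NetBox's PEM inputs.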
@@ -2067,7 +2064,6 @@ tasksRedis: sentinelTimeout: 300 username: "" password: "" - existingSecret: "" existingSecretName: "" existingSecretKey: redis-password ## @param tasksRedis.existingSecretPasswordKey Pasword key name inside the existing secret @@ -2090,7 +2086,6 @@ cachingRedis: sentinelTimeout: 300 username: "" password: "" - existingSecret: "" existingSecretName: "" existingSecretKey: redis-password ## @param cachingRedis.existingSecretPasswordKey Pasword key name inside the existing secret @@ -2110,14 +2105,14 @@ externalRedis: ## port: 6379 ## Redis password for authentication - ## Ignored if existingSecret is set + ## Ignored if existingSecretName is set ## @param externalRedis.password External Redis password ## password: "" ## Name of existing secret object containing the password - ## @param externalRedis.existingSecret Existing secret for the external redis + ## @param externalRedis.existingSecretName Existing secret for the external redis ## - existingSecret: "" + existingSecretName: "" ## Password key to be retrieved from Redis secret ## @param externalRedis.existingSecretPasswordKey Password key for the existing secret containing the external redis password ## From 9a7f181f85683fb34b0ac29531ff7304c0b54afb Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 18:51:52 +0700 Subject: [PATCH 103/110] Cleanup typo --- charts/netbox/templates/Secret/external-db.yaml | 2 +- charts/netbox/templates/Secret/netbox.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/netbox/templates/Secret/external-db.yaml b/charts/netbox/templates/Secret/external-db.yaml index 68fc9792..c7ee559a 100644 --- a/charts/netbox/templates/Secret/external-db.yaml +++ b/charts/netbox/templates/Secret/external-db.yaml 
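Review bot: `tasksRedis` and `cachingRedis` keep `existingSecretKey: redis-password` alongside `existingSecretPasswordKey`, while the helpers at `@@ -226` and `@@ -312` read only `existingSecretPasswordKey`; `existingSecretKey` is therefore ignored and should be removed or marked deprecated so a user-set value does not go unnoticed. `externalRedis` is a third, parallel set of Redis values in the same file — a short comment stating which block the templates actually read would prevent users from configuring the wrong one. "Pasword" in the two @param lines is a typo.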
@@ -10,5 +10,5 @@ metadata: {{- end }} type: Opaque data: - db-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-externaldb" .Release.Name) "key" "db-password" "length" 30 "providedValues" (list "externalDatabase.password") "context" $) }} + db-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-externaldb" .Release.Name) "key" "db-password" "length" 32 "providedValues" (list "externalDatabase.password") "context" $) }} {{- end }} \ No newline at end of file diff --git a/charts/netbox/templates/Secret/netbox.yaml b/charts/netbox/templates/Secret/netbox.yaml index 955b4071..3e99cec1 100644 --- a/charts/netbox/templates/Secret/netbox.yaml +++ b/charts/netbox/templates/Secret/netbox.yaml @@ -10,7 +10,7 @@ metadata: type: Opaque data: {{ if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecretName) -}} - db_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.postgresql.fullname" .)) "key" "password" "length" 12 "providedValues" (list "externalDatabase.password") "context" $) }} + db_password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "netbox.postgresql.fullname" .)) "key" "password" "length" 32 "providedValues" (list "externalDatabase.password") "context" $) }} {{ end -}} {{ if (not .Values.email.existingSecretName) -}} # email_password: {{ .Values.email.password | b64enc | quote }} From 2ca2fae01ce3806698964484ec12373b897510b2 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 18:55:17 +0700 Subject: [PATCH 104/110] Fix helper --- charts/netbox/templates/_helpers.tpl | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl index 017c5f1b..60623291 100644 --- a/charts/netbox/templates/_helpers.tpl 
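Review bot: `db_password` is generated only when the PostgreSQL sub-chart is disabled, yet `common.secrets.passwords.manage` is told to look it up in the Secret named `netbox.postgresql.fullname` under key `password` — a Secret that does not exist in that configuration unless this file happens to render to that name (its metadata is outside the hunk). The lookup therefore misses on every `helm upgrade`, a fresh 32-character value is written under `db_password`, and an external database will never accept a random password anyway; `templates/Secret/external-db.yaml` in the same commit generates yet another password from the same `externalDatabase.password`. For an external database, fail the render when neither `externalDatabase.password` nor `externalDatabase.existingSecretName` is set instead of generating, or at least point the lookup at this Secret's own name and `db_password` key.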
+++ b/charts/netbox/templates/_helpers.tpl @@ -444,19 +444,7 @@ Return the Database encrypted password */}} {{- define "netbox.databaseSecretName" -}} {{- if .Values.postgresql.enabled -}} - {{- if .Values.global.postgresql -}} - {{- if .Values.global.postgresql.auth -}} - {{- if .Values.global.postgresql.auth.existingSecret -}} - {{- tpl .Values.global.postgresql.auth.existingSecret $ -}} - {{- else -}} - {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecretName $) -}} - {{- end -}} - {{- else -}} - {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecretName $) -}} - {{- end -}} - {{- else -}} - {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecretName $) -}} - {{- end -}} + {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}} {{- else -}} {{- default (printf "%s-externaldb" .Release.Name) (tpl .Values.externalDatabase.existingSecretName $) -}} {{- end -}} From 8cbfbbb96ec286ec84f7743956b261f00d938813 Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 19:03:19 +0700 Subject: [PATCH 105/110] Change postgresql user and password --- charts/netbox/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index fb380ca1..1bf09cd7 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -1953,8 +1953,8 @@ postgresql: enabled: true auth: postgresPassword: "" - username: netbox - password: "" + username: netbox_user + password: netbox database: netbox existingSecret: "" ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. From 9e1223703ee8dab8fe48c994c4d20d410017e582 Mon Sep 17 00:00:00 2001 
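Review bot: Removing the `global.postgresql.auth.existingSecret` branch means `netbox.databaseSecretName` ignores a global existing Secret that the PostgreSQL sub-chart itself honours (that was the purpose of the deleted nesting), so a deployment configuring credentials globally will have NetBox mount `netbox.postgresql.fullname` or `postgresql.auth.existingSecret` while the database actually uses the global Secret. Keep the global check with a nil-safe `dig` instead of the three nested ifs; the sub-chart branch is rewritten below and the external-database branch is unchanged. The `existingSecret` spelling here is the sub-chart's key and deliberately differs from this chart's `existingSecretName`; a comment saying so would stop the next rename from breaking it again.
```gotemplate
{{- define "netbox.databaseSecretName" -}}
{{- if .Values.postgresql.enabled -}}
  {{/* auth.existingSecret is the Bitnami sub-chart's key (not existingSecretName); a global value wins, as in the sub-chart */}}
  {{- $globalSecret := dig "postgresql" "auth" "existingSecret" "" .Values.global -}}
  {{- if $globalSecret -}}
    {{- tpl $globalSecret $ -}}
  {{- else -}}
    {{- default (include "netbox.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
  {{- end -}}
{{- else -}}
  {{/* … unchanged: external-database branch … */}}
```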
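Review bot: Setting `postgresql.auth.password: netbox` ships a fixed, published database password to every install that does not override it, whereas the previous empty value let the sub-chart generate a random one; NetBox then connects as `netbox_user`/`netbox` to a database that is reachable from any pod in the namespace unless a NetworkPolicy says otherwise. Revert to `password: ""` and rely on `existingSecret` or the generated value, keeping only the `username: netbox_user` change if that rename is intended. If a fixed credential is needed for CI, values-test.yaml already carries one and is the right place for it.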
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 19:37:03 +0700 Subject: [PATCH 106/110] Add NetworkPolicy --- .../{templates => archive}/ingress.yaml | 2 +- charts/netbox/templates/ConfigMap/netbox.yaml | 10 ++- charts/netbox/templates/Ingress.yaml | 54 +++++++++++++++ charts/netbox/templates/PrometheusRule.yaml | 2 +- charts/netbox/templates/Role.yaml | 2 +- charts/netbox/templates/RoleBinding.yaml | 4 +- .../templates/gatewayApi/HTTPRoute.yaml | 7 +- .../templates/worker/NetworkPolicy.yaml | 64 ++++++++++++++++++ charts/netbox/values-test.yaml | 2 +- charts/netbox/values.yaml | 66 ++++++++++++------- 10 files changed, 173 insertions(+), 40 deletions(-) rename charts/netbox/{templates => archive}/ingress.yaml (94%) create mode 100644 charts/netbox/templates/Ingress.yaml create mode 100644 charts/netbox/templates/worker/NetworkPolicy.yaml diff --git a/charts/netbox/templates/ingress.yaml b/charts/netbox/archive/ingress.yaml similarity index 94% rename from charts/netbox/templates/ingress.yaml rename to charts/netbox/archive/ingress.yaml index f22206ce..bdde477f 100644 --- a/charts/netbox/templates/ingress.yaml +++ b/charts/netbox/archive/ingress.yaml @@ -1,6 +1,6 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "netbox.fullname" . -}} -apiVersion: networking.k8s.io/v1 +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ $fullName }} diff --git a/charts/netbox/templates/ConfigMap/netbox.yaml b/charts/netbox/templates/ConfigMap/netbox.yaml index a077e8a7..91f613fc 100644 --- a/charts/netbox/templates/ConfigMap/netbox.yaml +++ b/charts/netbox/templates/ConfigMap/netbox.yaml 
@@ -1,13 +1,11 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "netbox.fullname" . }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} + name: {{ printf "%s" (include "netbox.fullname" .) }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} - labels: - {{- include "netbox.labels" . | nindent 4 }} + labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} data: configuration.py: |- import re diff --git a/charts/netbox/templates/Ingress.yaml b/charts/netbox/templates/Ingress.yaml new file mode 100644 index 00000000..362db928 --- /dev/null +++ b/charts/netbox/templates/Ingress.yaml 
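Review bot: `name: {{ printf "%s" (include "netbox.fullname" .) }}` wraps the include in a no-op `printf`; keep the replaced `name: {{ include "netbox.fullname" . }}`, which is the idiomatic form. The label switch from `netbox.labels` to `common.labels.standard` is harmless for a ConfigMap since nothing selects on it, but if `netbox.labels` carried keys that `common.labels.standard` does not (its definition is not in this diff) they are dropped silently.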
@@ -0,0 +1,54 @@ +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ include "netbox.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.hostname "context" $ ) }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) 
"servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ include "common.tplvalues.render" ( dict "value" .name "context" $ ) }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned)) .Values.ingress.extraTls }} + tls: + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }} + - hosts: + - {{ .Values.ingress.hostname | quote }} + secretName: {{ printf "%s-tls" .Values.ingress.hostname }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/netbox/templates/PrometheusRule.yaml b/charts/netbox/templates/PrometheusRule.yaml index 18935ed1..29370cd7 100644 --- a/charts/netbox/templates/PrometheusRule.yaml +++ b/charts/netbox/templates/PrometheusRule.yaml 
@@ -3,7 +3,7 @@ apiVersion: {{ include "common.capabilities.coreosMonitoring.apiVersion" . }} kind: PrometheusRule metadata: - name: {{ template "common.names.fullname" . }} + name: {{ template "netbox.fullname" . }} namespace: {{ default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.prometheusRule.labels .Values.commonLabels ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/charts/netbox/templates/Role.yaml b/charts/netbox/templates/Role.yaml index 98caaa47..cdd8c16b 100644 --- a/charts/netbox/templates/Role.yaml +++ b/charts/netbox/templates/Role.yaml @@ -2,7 +2,7 @@ kind: Role apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} metadata: - name: {{ template "common.names.fullname" . }} + name: {{ template "netbox.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: netbox diff --git a/charts/netbox/templates/RoleBinding.yaml b/charts/netbox/templates/RoleBinding.yaml index 4737928f..23c75e9d 100644 --- a/charts/netbox/templates/RoleBinding.yaml +++ b/charts/netbox/templates/RoleBinding.yaml @@ -2,7 +2,7 @@ kind: RoleBinding apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} metadata: - name: {{ template "common.names.fullname" . }} + name: {{ template "netbox.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: netbox 
@@ -12,7 +12,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "common.names.fullname" . }} + name: {{ template "netbox.fullname" . }} subjects: - kind: ServiceAccount name: {{ template "netbox.serviceAccountName" . }} diff --git a/charts/netbox/templates/gatewayApi/HTTPRoute.yaml b/charts/netbox/templates/gatewayApi/HTTPRoute.yaml index 6a0be86f..0e5c5596 100644 --- a/charts/netbox/templates/gatewayApi/HTTPRoute.yaml +++ b/charts/netbox/templates/gatewayApi/HTTPRoute.yaml @@ -5,11 +5,8 @@ kind: HTTPRoute metadata: name: {{ include "netbox.fullname" . }} namespace: {{ include "common.names.namespace" . }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: adminer - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} + app.kubernetes.io/component: netbox spec: parentRefs: - name: {{ default "ingressgateway" .Values.gateway.name }} diff --git a/charts/netbox/templates/worker/NetworkPolicy.yaml b/charts/netbox/templates/worker/NetworkPolicy.yaml new file mode 100644 index 00000000..11f12602 --- /dev/null +++ b/charts/netbox/templates/worker/NetworkPolicy.yaml 
@@ -0,0 +1,64 @@
+{{- if .Values.worker.networkPolicy.enabled }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+ name: {{ template "netbox.worker.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: worker
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.worker.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: worker
+ policyTypes:
+ - Ingress
+ - Egress
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to other cluster pods
+ - ports:
+ - port: {{ .Values.service.ports.http }}
+ - port: {{ .Values.worker.containerPorts.http }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ {{- if .Values.worker.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.worker.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.service.ports.http }}
+ - port: {{ .Values.worker.containerPorts.http }}
+ {{- if not .Values.worker.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ template "netbox.worker.fullname" . 
}}-client: "true" + {{- if .Values.worker.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.worker.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.worker.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.worker.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.worker.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.worker.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/netbox/values-test.yaml b/charts/netbox/values-test.yaml index c967b5d2..67caef0f 100644 --- a/charts/netbox/values-test.yaml +++ b/charts/netbox/values-test.yaml @@ -3,4 +3,4 @@ netbox: enabled: true auth: username: netbox_user - password: mRY5pxyx1aiDZPKHSCcdjXqSXLSYkA \ No newline at end of file + password: "mRY5pxyx1aiDZPKHSCcdjXqSXLSYkA" \ No newline at end of file diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 1bf09cd7..9cfdec34 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -162,8 +162,8 @@ containerPorts: ## @param startupProbe.successThreshold Success threshold for startupProbe ## startupProbe: - enabled: false - initialDelaySeconds: 30 + enabled: true + initialDelaySeconds: 120 periodSeconds: 5 timeoutSeconds: 1 successThreshold: 1 
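Review bot: The egress allow-list in the new worker NetworkPolicy permits only DNS on port 53 and traffic to pods matching the chart's own `common.labels.matchLabels`, so with `Egress` in `policyTypes` the worker's connections to Redis and PostgreSQL — which carry their own subchart labels rather than the NetBox ones — would be dropped unless `worker.networkPolicy.extraEgress` is populated; the later values.yaml hunk in this series (`@@ -1778`) defaults `worker.networkPolicy.enabled: true`, which makes that the out-of-the-box behaviour. Either add egress rules to the Redis and PostgreSQL ports (a `to:` block selecting the subchart pods by their `app.kubernetes.io/name` label; the exact label values are not visible here) or document in values.yaml that `extraEgress` must be set when the policy is enabled. Separately, both port lists include `.Values.service.ports.http`, which is the Service port rather than a port the worker pod listens on; NetworkPolicy ports are pod ports, so `worker.containerPorts.http` alone is the meaningful entry and the Service port line is dead weight.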
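Review bot: `initialDelaySeconds: 120` on the startup probe imposes a fixed two-minute floor before the first check, so the pod cannot become Ready sooner even when NetBox starts quickly. A startup probe normally budgets slow starts through `failureThreshold` × `periodSeconds` (keep a small `initialDelaySeconds` and raise `failureThreshold`, which sits just outside this hunk) so that fast starts are not penalised while slow ones still get the full window. If the long delay is deliberate — for example because migrations run before the server listens — a `##` comment above the key stating that would spare the next reader from "fixing" it.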
@@ -882,6 +882,10 @@ persistence: ## @param persistence.existingClaim Use a existing PVC which must be created manually before bound ## existingClaim: "" + ## @param persistence.path The path the volume will be mounted at on Redis master containers + ## NOTE: Useful when using different Redis images + ## + path: /opt/netbox/netbox/reports ## @param persistence.subPath Existing claim's subPath to use, e.g. "media" (optional) ## subPath: "" @@ -1062,7 +1066,6 @@ revisionHistoryLimitCount: 10 ## extraContainerPorts: [] - ## @section Exposure parameters ## @@ -1079,12 +1082,14 @@ service: ## @param service.ports.http Netbox service HTTP port ## @param service.ports.https Netbox service HTTPS port ## + port: 80 ports: http: 80 https: 443 ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types. ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport ## + nodePort: "" nodePorts: http: "" https: "" 
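Review bot: The `@param persistence.path` description says the path is mounted "on Redis master containers" and the NOTE line says it is "useful when using different Redis images", which is text carried over from the Redis chart, while the value `/opt/netbox/netbox/reports` is a NetBox path. Suggest `## @param persistence.path Path inside the NetBox containers where the persistent volume is mounted` and dropping the Redis NOTE line; the README generator would otherwise publish the misleading sentence verbatim.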
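Review bot: The added `port: 80` and `nodePort: ""` duplicate the adjacent `ports.http` / `nodePorts.http` keys, leaving two values that can drift apart, and unlike every neighbouring key they carry no `## @param` line (the later `@@ -1131` hunk shows they were moved up from the bottom of the section rather than newly introduced, so the ambiguity is pre-existing). If the templates still read `service.port`, say which value wins, e.g. `## @param service.port Deprecated, use service.ports.http instead`; if they do not, drop the two keys rather than relocating them.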
@@ -1093,10 +1098,28 @@ service: ## clusterIP: None ## clusterIP: "" + clusterIPs: [] + externalIPs: [] + ## @param service.allocateLoadBalancerNodePorts Allow users to disable node ports for Service Type=LoadBalancer. This is useful for + ## bare metal / on-prem environments that rely on VIP based LB implementations. + ## ref https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: "false" + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.ipFamilyPolicy Kubernetes service ipFamilyPolicy policy + ## + ipFamilyPolicy: SingleStack ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific) ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer ## loadBalancerIP: "" + ## @param service.loadBalancerClass Enables to use a load balancer implementation other than the cloud provider default. + ## https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + ## + loadBalancerClass: "" ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## Example: @@ -1104,10 +1127,6 @@ service: ## - 10.10.10.0/24 ## loadBalancerSourceRanges: [] - ## @param service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster ## @param service.annotations Additional custom annotations for Keycloak service ## Example: ## annotations: 
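Review bot: `allocateLoadBalancerNodePorts: "false"` is a quoted string, whereas the Kubernetes field `spec.allocateLoadBalancerNodePorts` is a boolean; whether the rendered Service is accepted depends on how the template emits it (a bare `{{ }}` yields `false`, but `| quote` or `toYaml` yields the string and the API server rejects it). Write the boolean `allocateLoadBalancerNodePorts: false`, consistent with the `true`/`false` booleans used elsewhere in this file. Note also that this defaults the field to off, which removes the NodePort fallback on cloud load balancers that rely on it; the upstream charts this parameter text appears to be adapted from default it to `true`, so confirm the intended default and mention it in the `@param` line.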
@@ -1131,12 +1150,6 @@ service: ## sessionAffinityConfig: {} - port: 80 - nodePort: "" - clusterIPs: [] - externalIPs: [] - ipFamilyPolicy: "" - ## Netbox ingress parameters ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## @@ -1372,16 +1385,21 @@ housekeeping: # Set this to true to automatically mount the service account token in the housekeeping container automountServiceAccountToken: false - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + ## Netbox housekeeping resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param housekeeping.resources.limits The resources limits for the Netbox housekeeping containers + ## @param housekeeping.resources.requests The requested resources for the Netbox housekeeping containers + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## limits: + ## cpu: 100m + ## memory: 128Mi + ## requests: + ## cpu: 100m + ## memory: 128Mi + ## resources: {} nodeSelector: {} @@ -1774,6 +1792,8 @@ worker: ## Netbox worker Service configuration ## service: + ## @param worker.service.enabled Enable Netbox worker service + ## enabled: false ## @param worker.service.type Kubernetes service type ## 
From 1dc4af9fa355be6ad1f5605799e436d3efaa19ea Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 19:40:56 +0700 Subject: [PATCH 107/110] Add networkPolicy --- charts/netbox/values.yaml | 53 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 9cfdec34..07d00920 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml 
@@ -1778,6 +1778,59 @@ worker: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 + ## Netbox worker Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param worker.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param worker.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports Worker is listening + ## on. When true, Worker will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param worker.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param worker.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param worker.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param worker.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## Additional containers to be added to the NetBox pod. extraContainers: [] # - name: my-sidecar From 566389d13c888caed1377a9a89e371cf6af3e756 Mon Sep 17 00:00:00 2001 
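Review bot: The `@param worker.networkPolicy.extraEgress` line says "Add extra ingress rules", copied from the `extraIngress` entry above it; it should read `## @param worker.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy`, and `NetworkPolice` in the `extraIngress` line is a typo for `NetworkPolicy`. The examples under both parameters also show `matchLabels` and `matchExpressions` as list items (`- podSelector:` / `- matchLabels:` / `- role: frontend`), which is not valid NetworkPolicy YAML — `matchLabels` is a map and `matchExpressions` a list of maps — so a reader who copies them gets a rejected policy. Because `enabled: true` makes the policy active by default, these examples are the first thing a user will reach for when the template's egress allow-list turns out to be too narrow, so they are worth getting right.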
From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 19:46:04 +0700 Subject: [PATCH 108/110] Remove postgresql user --- charts/netbox/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml index 07d00920..e2772f65 100644 --- a/charts/netbox/values.yaml +++ b/charts/netbox/values.yaml @@ -2026,7 +2026,7 @@ postgresql: enabled: true auth: postgresPassword: "" - username: netbox_user + username: netbox password: netbox database: netbox existingSecret: "" From d534400637c80aff6fbc2fe6fe816040580ced8a Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 19:47:26 +0700 Subject: [PATCH 109/110] Remove obsolete ingress --- charts/netbox/archive/ingress.yaml | 49 ------------------------------ 1 file changed, 49 deletions(-) delete mode 100644 charts/netbox/archive/ingress.yaml diff --git a/charts/netbox/archive/ingress.yaml b/charts/netbox/archive/ingress.yaml deleted file mode 100644 index bdde477f..00000000 --- a/charts/netbox/archive/ingress.yaml +++ /dev/null 
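Review bot: Changing the default `postgresql.auth.username` from `netbox_user` to `netbox` presumably changes the role the PostgreSQL subchart creates on first start, so existing releases whose database volume was initialised with `netbox_user` would fail authentication after upgrading unless the user pins the old name; an upgrade note in the chart docs or a `## NOTE:` comment above the key would avoid that surprise. The `values-test.yaml` hunk earlier in this series still sets `username: netbox_user`; if that is the same credential, the two files now disagree.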
@@ -1,49 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "netbox.fullname" . -}} -apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "netbox.labels" . | nindent 4 }} - {{- if or .Values.commonAnnotations .Values.ingress.annotations }} - annotations: - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} -spec: - ingressClassName: {{ .Values.ingress.className }} - {{- with .Values.ingress.tls }} - tls: - {{- range . }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - {{- if kindIs "string" . }} - - path: {{ . }} - pathType: Prefix - backend: - service: - name: {{ $fullName }} - port: - name: http - {{- else }} - {{- (list .) | toYaml | nindent 6 }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} From 2a5794cca4f4f9afc4f71030576c452db6d03ffd Mon Sep 17 00:00:00 2001 From: firmansyahn <80936459+firmansyahn@users.noreply.github.com> Date: Wed, 31 Jan 2024 19:48:12 +0700 Subject: [PATCH 110/110] Bump version to 5.0.2 --- charts/netbox/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml index e42f138e..b72c3eb7 100644 --- a/charts/netbox/Chart.yaml +++ b/charts/netbox/Chart.yaml @@ -5,7 +5,7 @@ annotations: image: docker.io/netboxcommunity/netbox:v3.7-2.8.0 apiVersion: v2 name: netbox -version: 5.0.1 +version: 5.0.2 appVersion: v3.7.1 kubeVersion: ">=1.25.0" description: IP address management (IPAM) and data center infrastructure management (DCIM) tool