241015 main from release ( v3.2.1 ) #328

Merged: 39 commits, Oct 15, 2024

Commits
f9b2e30
tks-cluster: aws: update capa chart to v0.10.0
zugwan Nov 14, 2023
039bcf4
Merge pull request #291 from openinfradev/update_capa_v0.10.0
ktkfree Nov 15, 2023
8e1e38b
Merge pull request #294 from openinfradev/main
ktkfree Nov 17, 2023
978dbc2
lma: fix etcd servicemonitor
zugwan Nov 24, 2023
7e07078
Merge pull request #295 from openinfradev/fix_etcd_servicemonitor
seungkyua Nov 24, 2023
900a81b
resolve conflict
ktkfree Jan 15, 2024
e84fb6d
Merge pull request #307 from openinfradev/resolve_conflict
ktkfree Jan 15, 2024
ca0a970
Merge pull request #306 from openinfradev/main
ktkfree Jan 15, 2024
d0c6926
fluent-operator: bump up operator to support more input methods
Feb 21, 2024
73453b8
Merge pull request #309 from openinfradev/fluent-opeartor
ktkfree Apr 16, 2024
44bc957
fluentbit: does not support alerts anymore
Apr 16, 2024
dcaca82
Merge pull request #310 from openinfradev/fluentbit-alert
bluejayA Apr 22, 2024
87d01b4
opa-exporter: add exporter for opa
Apr 24, 2024
e14345a
Merge pull request #311 from openinfradev/opa-exporter
ktkfree Apr 24, 2024
1652477
trivial. fix typo
ktkfree Apr 25, 2024
2882277
Merge pull request #312 from openinfradev/fix_opa
ktkfree Apr 25, 2024
9e0ee92
policy-serving: change the namespace for decapod rendering
Apr 26, 2024
daa9070
Merge pull request #313 from openinfradev/opa-exporter
intelliguy Apr 26, 2024
dc5af5c
typo-fix: policy-serving: change the namespace for decapod rendering
May 2, 2024
3a2a557
Merge pull request #314 from openinfradev/opa-exporter
intelliguy May 2, 2024
e2a4fe3
policy-serving: enable to log denies
May 6, 2024
9983c16
Merge pull request #315 from openinfradev/policy-serving
ktkfree May 16, 2024
0c4e04a
Merge pull request #316 from openinfradev/develop
ktkfree May 17, 2024
218e33c
tks-cluster: aws: use external cloud provider
zugwan May 21, 2024
597fb19
tks-cluster: aws: use gp3 volume type
zugwan May 21, 2024
344627b
tks-cluster: aws: fix indent
zugwan May 21, 2024
03ebf80
Merge pull request #317 from openinfradev/add_external_cloud_provider
ktkfree May 21, 2024
99f74ca
Merge pull request #318 from openinfradev/develop
ktkfree May 21, 2024
a75b941
fluentbit: use upgraded version from 2.2 to 3.0
Jun 3, 2024
28c51af
Merge pull request #319 from openinfradev/fluentbit
seungkyua Jun 3, 2024
04f0a47
Merge pull request #320 from openinfradev/develop
ktkfree Jun 4, 2024
f5eb46b
Merge pull request #321 from openinfradev/release
ktkfree Jun 4, 2024
6cb8aea
tks-policy: add ratify for supporting validation upon SBOM.
Jun 17, 2024
966d132
Merge pull request #322 from openinfradev/ratify
ktkfree Jun 18, 2024
b059b02
user-logging: add loki for non-platform-logs as loki-user
Jun 24, 2024
5b4eb98
Merge pull request #323 from openinfradev/user-logging
intelliguy Jun 25, 2024
9fbdebc
update cluster-api-aws chart & k8s version
robertchoi80 Aug 22, 2024
28be039
Merge pull request #326 from openinfradev/update-cluster-api-chart-ver
ktkfree Aug 22, 2024
2a8f99c
Merge pull request #327 from openinfradev/develop
ktkfree Oct 2, 2024
128 changes: 114 additions & 14 deletions lma/base/resources.yaml
Expand Up @@ -621,7 +621,7 @@ spec:
type: helmrepo
repository: https://harbor.taco-cat.xyz/chartrepo/tks
name: fluent-operator
version: 1.7.0
version: 2.7.0
skipDepUpdate: true
origin: https://openinfradev.github.io/helm-repo
releaseName: fluent-operator-crds
Expand All @@ -641,18 +641,18 @@ spec:
origin: https://openinfradev.github.io/helm-repo
repository: https://harbor.taco-cat.xyz/chartrepo/tks
name: fluent-operator
version: 1.7.0
version: 2.7.0
skipDepUpdate: true
releaseName: fluent-operator
targetNamespace: lma
values:
operator:
initcontainer:
repository: harbor.taco-cat.xyz/tks/docker
tag: 19.03
tag: "20.10"
container:
repository: harbor.taco-cat.xyz/tks/fluent-operator
tag: v1.5.0
tag: "v2.7.0"
# FluentBit operator resources. Usually user needn't to adjust these.
resources:
limits:
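Review bot: the bumped images at `tag: "20.10"` (initcontainer) and `tag: "v2.7.0"` (operator) are mutable tags pulled from the harbor.taco-cat.xyz mirror; for a component that runs as a cluster-wide operator, pin by digest or confirm the mirror's tags are immutable, so a re-push of the same tag cannot silently change what runs. Quoting the tags is correct: an unquoted `20.10` is parsed by YAML as the float 20.1.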
Expand All @@ -662,9 +662,10 @@ spec:
cpu: 100m
memory: 20Mi
fluentbit:
enable: false
image:
repository: harbor.taco-cat.xyz/tks/fluent-bit
tag: v1.9.7-debug
tag: v2.2.0
wait: true
---
apiVersion: helm.fluxcd.io/v1
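Review bot: `enable: false` disables the operator-managed Fluent Bit, yet its image tag is still bumped from `v1.9.7-debug` to `v2.2.0`, while the Fluent Bit image in the next hunk moves to `v3.0.4`. Either drop the now-dead image block or add a comment saying which Fluent Bit actually runs, otherwise the next reader will bump the wrong one. Dropping the `-debug` variant is a good change on its own, since the debug image ships a shell inside the log collector pod.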
Expand Down Expand Up @@ -692,7 +693,7 @@ spec:
tag: v0.1.1
fluentbit:
repository: harbor.taco-cat.xyz/tks/fluent-bit
tag: v2.1.4
tag: v3.0.4
elasticsearchTemplates:
repository: harbor.taco-cat.xyz/tks/curl
tag: latest
Expand Down Expand Up @@ -721,13 +722,7 @@ spec:
outputs: { }
targetLogs: [ ]
alerts:
enabled: true
namespace: taco-system
message: |-
{{ $labels.container }} in {{ $labels.pod }} ({{ $labels.taco_cluster }}/{{ $labels.namespace }} ) generate a error due to log = {{ $labels.log }}
summary: |-
{{ $labels.container }} in {{ $labels.pod }} ({{ $labels.taco_cluster }}/{{ $labels.namespace }} ) generate a error
rules: [ ]
enabled: false
clusterName: TO_BE_FIXED
exclude:
- key: $kubernetes['container_name']
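Review bot: with `enabled: false` the Fluent Bit error-log alert and its templates (which interpolated raw `{{ $labels.log }}` content into alert text) are gone, matching the commit "fluentbit: does not support alerts anymore". Confirm an equivalent rule exists on the Loki or Prometheus side before merging, otherwise container error logs stop paging anyone. `clusterName: TO_BE_FIXED` is still in the surrounding context; check that site-values overrides it.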
Expand All @@ -753,7 +748,7 @@ spec:
type: helmrepo
repository: https://harbor.taco-cat.xyz/chartrepo/tks
name: lma-addons
version: 1.8.7
version: 1.9.0
origin: https://openinfradev.github.io/helm-repo
releaseName: addons
targetNamespace: lma
Expand All @@ -767,6 +762,9 @@ spec:
loki:
enabled: true
url: "loki-loki-distributed-gateway.lma"
lokiuser:
enabled: true
url: "loki-user-loki-distributed-gateway.lma"
grafanaDashboard:
include:
- kubernetes
Expand Down Expand Up @@ -1230,6 +1228,85 @@ spec:
---
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
labels:
name: loki-user
name: loki-user
spec:
helmVersion: v3
chart:
type: helmrepo
repository: https://harbor.taco-cat.xyz/chartrepo/tks
name: loki-distributed
version: 0.58.0
origin: https://grafana.github.io/helm-charts
releaseName: loki-user
targetNamespace: lma
values:
global:
clusterDomain: cluster.local # TO_BE_FIXED
dnsService: coredns
loki:
image:
registry: harbor.taco-cat.xyz
repository: tks/loki
tag: null
schemaConfig:
configs:
- from: "2020-09-07"
store: boltdb-shipper
object_store: s3
schema: v11
index:
prefix: loki_index_
period: 24h
storageConfig:
boltdb_shipper:
active_index_directory: /var/loki/index
cache_location: /var/loki/cache
cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
shared_store: s3
aws:
s3: TO_BE_FIXED
bucketnames: tks-loki-user
s3forcepathstyle: true
structuredConfig:
limits_config:
ingestion_rate_mb: 25
ingestion_burst_size_mb: 50
max_streams_per_user: 0
max_global_streams_per_user: 0
table_manager:
retention_deletes_enabled: true
retention_period: TO_BE_FIXED
serviceMonitor.enabled: true
prometheusRule.enabled: true
ingester:
resources:
limits:
cpu: '4'
memory: 4Gi
requests:
cpu: 100m
memory: 250Mi
persistence:
enabled: true
inMemory: false
size: 100Gi
memcachedExporter.enabled: true
gateway:
image:
registry: harbor.taco-cat.xyz
repository: tks/nginx-unprivileged

nginxConfig:
httpSnippet: |-
client_max_body_size 50M;
serverSnippet: |-
client_max_body_size 50M;
---
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
labels:
name: lma-bucket
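Review bot: `max_streams_per_user: 0` and `max_global_streams_per_user: 0` remove the per-tenant and global active-stream limits on an instance that is meant for non-platform (user) workloads; one application that puts a high-cardinality value into a log label can exhaust ingester memory for every other tenant. Set a finite stream limit and rely on `ingestion_rate_mb: 25` / `ingestion_burst_size_mb: 50` for throughput only. Also, `clusterDomain: cluster.local # TO_BE_FIXED` is not overridden in the `loki-user` site-values entry below (only `aws.s3` and `retention_period` are), and `tag: null` leaves the Loki image version to the chart default rather than an explicit pin like the other releases in this file.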
Expand All @@ -1250,3 +1327,26 @@ spec:
s3:
enabled: true
buckets: [ ]
---
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
labels:
name: opa-exporter
name: opa-exporter
spec:
helmVersion: v3
chart:
type: helmrepo
repository: https://harbor.taco-cat.xyz/chartrepo/tks
name: opa-scorecard
version: 0.1.0
releaseName: opa-exporter
targetNamespace: lma
values:
gatekeeper:
namespace: gatekeeper-system
metrics:
podmonitor: true
servicemonitor:
enabled: true
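Review bot: this is the only HelmRelease in the file without an `origin:` line, and the chart name `opa-scorecard` differs from the release name `opa-exporter`, so record where the chart was mirrored from so its provenance can be checked. Separately, `podmonitor: true` and `servicemonitor.enabled: true` are both on for the same pods; pick one, or Prometheus scrapes the exporter twice under two job labels.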
16 changes: 16 additions & 0 deletions lma/base/site-values.yaml
Expand Up @@ -22,6 +22,8 @@ global:

lokiHost: loki-loki-distributed-gateway
lokiPort: 80
lokiuserHost: loki-user-loki-distributed-gateway
lokiuserPort: 80
grafanaDatasourceMetric: lma-prometheus.lma:9090

charts:
Expand Down Expand Up @@ -147,6 +149,7 @@ charts:
grafanaDatasource.prometheus.url: $(grafanaDatasourceMetric)
# grafanaDatasource.prometheus.url: "thanos-query.lma:9090"
grafanaDatasource.loki.url: $(lokiHost):$(lokiPort)
grafanaDatasource.lokiuser.url: $(lokiuserHost):$(lokiuserPort)

- name: prometheus-adapter
override:
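Review bot: wiring `grafanaDatasource.lokiuser.url` into the same Grafana as the platform Loki means anyone who can query platform logs can also query the non-platform logs in `loki-user`. If the split exists for access separation and not only for a different retention, restrict the new datasource with Grafana datasource permissions or a separate org; this hunk configures neither.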
Expand All @@ -173,11 +176,18 @@ charts:
purge: false
versioning: true
objectlocking: false
- name: loki-user
policy: public
purge: false
versioning: true
objectlocking: false
customCommands:
- command: ilm rule add --expire-days 90 myminio/tks-thanos
- command: ilm rule add --expire-days 15 myminio/tks-loki
- command: ilm rule add --expire-days 15 myminio/tks-loki-user
- command: ilm ls myminio/tks-thanos
- command: ilm ls myminio/tks-loki
- command: ilm ls myminio/tks-loki-user
persistence.storageClass: $(storageClassName)
persistence.accessMode: ReadWriteOnce
persistence.size: 20Gi
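Review bot: `policy: public` on the new `loki-user` bucket grants anonymous access to the objects that hold tenant log chunks; unless the existing buckets deliberately use the same policy on an internal-only MinIO, use a restrictive policy and let Loki authenticate with the credentials in its storage config. The bucket is also declared as `loki-user` while the ilm rules (`myminio/tks-loki-user`) and Loki's `bucketnames: tks-loki-user` refer to a `tks-` prefixed name; confirm the chart adds that prefix, otherwise the lifecycle rule targets a bucket that does not exist.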
Expand Down Expand Up @@ -260,10 +270,16 @@ charts:
loki.storageConfig.aws.s3: http://$(defaultUser):$(defaultPassword)@minio.lma.svc:9000/minio
loki.structuredConfig.table_manager.retention_period: 672h # delete logs after 672h = 28 days

- name: loki-user
override:
loki.storageConfig.aws.s3: http://$(defaultUser):$(defaultPassword)@minio.lma.svc:9000/minio
loki.structuredConfig.table_manager.retention_period: 72h # delete logs after 72h = 3 days

- name: lma-bucket
override:
s3.enabled: true
s3.buckets:
- name: $(clusterName)-tks-thanos
- name: $(clusterName)-tks-loki
- name: $(clusterName)-tks-loki-user
# tks.iamRoles: arn:aws:iam::12345678:role/control-plane.cluster-api-provider-aws.sigs.k8s.io
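Review bot: `http://$(defaultUser):$(defaultPassword)@minio.lma.svc:9000/minio` embeds the MinIO root credentials in a URL that is rendered into the Loki configuration; it copies the existing `loki` entry, but each new copy widens exposure to anyone who can read the rendered values. Loki's `storage_config.aws` accepts `access_key_id` and `secret_access_key` as separate fields and expands `${ENV}` references when started with `-config.expand-env=true`, so the secret can come from a Kubernetes Secret instead of the values file. Also, `retention_period: 72h` only governs what Loki deletes; chunks stay in the bucket until the 15-day ilm rule in the previous hunk fires, so align the two if 3 days is the intended lifetime for user logs.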
31 changes: 30 additions & 1 deletion policy/base/resources.yaml
Expand Up @@ -16,6 +16,7 @@ spec:
releaseName: opa-gatekeeper
targetNamespace: gatekeeper-system
values:
logDenies: true
enableDeleteOperations: true
---
apiVersion: helm.fluxcd.io/v1
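Review bot: `logDenies: true` is the right setting for an admission controller in enforce mode, since a denial is otherwise visible only to the API client that was rejected. Make sure the gatekeeper controller logs are actually shipped to Loki (the Fluent Bit `exclude` list in this PR is keyed on container name) so denials are queryable rather than lost on log rotation.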
Expand All @@ -34,4 +35,32 @@ spec:
helmVersion: v3
releaseName: policy-resources
targetNamespace: gatekeeper-system
values: {}
values: {}
---
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
labels:
name: ratify
name: ratify
spec:
chart:
type: helmrepo
repository: https://harbor.taco-cat.xyz/chartrepo/tks
name: ratify
version: 1.13.0
origin: https://github.com/ratify-project/ratify/tree/v1.2.0/charts/ratify
helmVersion: v3
releaseName: ratify
targetNamespace: gatekeeper-system
values:
oras:
useHttp: true
provider:
tls:
skipVerify: true
featureFlags:
RATIFY_CERT_ROTATION: true
sbom:
enabled: true
---
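Review bot: `oras.useHttp: true` together with `provider.tls.skipVerify: true` weakens the verification chain this release exists to provide. The first makes Ratify fetch signatures and SBOM referrers from the registry over plaintext HTTP; the second makes Gatekeeper accept the Ratify external-data endpoint without validating its certificate, even though `RATIFY_CERT_ROTATION: true` is enabled to manage that certificate. A man-in-the-middle on either hop can answer "verified" for any image. If the in-cluster Harbor is really HTTP-only, document that in a comment next to `useHttp`, and keep certificate verification on the provider connection.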
33 changes: 33 additions & 0 deletions policy/base/site-values.yaml
Expand Up @@ -25,3 +25,36 @@ charts:
enableDeleteOperations: true

- name: policy-resources

- name: ratify
override:
sbom:
disallowedLicenses:
- "GPL-2.0-only"
- "MPL"
disallowedPackages:
- name: "busybox"
version: "1.36.1-r28"
notationCerts:
# https://github.com/ratify-project/ratify/blob/dev/test/testdata/notation.crt
- |-
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
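Review bot: the single trusted `notationCerts` entry is, per its own comment, Ratify's test certificate from `test/testdata/notation.crt`, a publicly published piece of test material rather than a key this organisation controls; any image signed with it will pass verification in this cluster. Replace it with the organisation's own signing certificate before this reaches a cluster that enforces the policy. Also, `"MPL"` is not an SPDX license identifier (`MPL-2.0` is), so check how the SBOM verifier matches license strings, and the `busybox` / `1.36.1-r28` entry denies exactly one Alpine package version; a minor bump slips past it.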