aleeve.dev / ott
Scalable and distributed custom feed generator, ott - on that topic
fork atom

Add metrics to k8s cluster during setup

aleeve.dev 27b43f9a 6f7d972b

+1461 -2
+5 -2
helm/system-setup/Chart.lock
··· 2 - name: cloudnative-pg 3 repository: file://charts/cloudnative-pg 4 version: 0.26.0 5 - digest: sha256:d46807e0d885c76d3a39b218b34bef29e881a17ca47924f65020ae3616b22e3b 6 - generated: "2025-09-27T00:29:50.760394+02:00"
··· 2 - name: cloudnative-pg 3 repository: file://charts/cloudnative-pg 4 version: 0.26.0 5 + - name: metrics-server 6 + repository: file://charts/metrics-server 7 + version: 3.13.0 8 + digest: sha256:a5b5d0681369d13bd43df164d0825e596f20f470055b010604efa81fc383ccb5 9 + generated: "2025-10-07T14:14:51.577283+02:00"
+3
helm/system-setup/Chart.yaml
··· 11 version: "0.26.0" 12 repository: "file://charts/cloudnative-pg" 13 condition: postgresql.enabled
··· 11 version: "0.26.0" 12 repository: "file://charts/cloudnative-pg" 13 condition: postgresql.enabled 14 + - name: metrics-server 15 + version: "3.x.x" 16 + repository: "file://charts/metrics-server"
+23
helm/system-setup/charts/metrics-server/.helmignore
···
··· 1 + # Patterns to ignore when building packages. 2 + # This supports shell glob matching, relative path matching, and 3 + # negation (prefixed with !). Only one pattern per line. 4 + .DS_Store 5 + # Common VCS dirs 6 + .git/ 7 + .gitignore 8 + .bzr/ 9 + .bzrignore 10 + .hg/ 11 + .hgignore 12 + .svn/ 13 + # Common backup files 14 + *.swp 15 + *.bak 16 + *.tmp 17 + *.orig 18 + *~ 19 + # Various IDEs 20 + .project 21 + .idea/ 22 + *.tmproj 23 + .vscode/
+181
helm/system-setup/charts/metrics-server/CHANGELOG.md
···
··· 1 + # Metrics Server Helm Chart Changelog 2 + 3 + > [!NOTE] 4 + > All notable changes to this project will be documented in this file; the format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 5 + 6 + <!-- 7 + ### Added - For new features. 8 + ### Changed - For changes in existing functionality. 9 + ### Deprecated - For soon-to-be removed features. 10 + ### Removed - For now removed features. 11 + ### Fixed - For any bug fixes. 12 + ### Security - In case of vulnerabilities. 13 + --> 14 + 15 + ## [UNRELEASED] 16 + 17 + ## [3.13.0] - TBC 18 + 19 + ### Added 20 + 21 + - Add chart options to secure the connection between Metrics Server and the Kubernetes API Server. ([#1288](https://github.com/kubernetes-sigs/metrics-server/pull/1288)) _@mkilchhofer_ 22 + - Add `unhealthyPodEvictionPolicy` to the Metrics Server PDB as a user enabled feature. ([#1574](https://github.com/kubernetes-sigs/metrics-server/pull/1574)) @peterabarr 23 + 24 + ### Changed 25 + 26 + - Update the _Addon Resizer_ OCI image to [`1.8.23`](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.23). ([#1626](https://github.com/kubernetes-sigs/metrics-server/pull/1626)) _@stevehipwell_ 27 + - Update the _Metrics Server_ OCI image to [`0.8.0`](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.8.0). ([#1683](https://github.com/kubernetes-sigs/metrics-server/pull/1683)) _@stevehipwell_ 28 + 29 + ## [3.12.2] - 2024-10-07 30 + 31 + ### Added 32 + 33 + - Explicitly added the app protocol to the service. ([#1540](https://github.com/kubernetes-sigs/metrics-server/pull/1540)) _@ 34 + seankhliao_ 35 + 36 + ### Changed 37 + 38 + - Updated the _Metrics Server_ OCI image to [v0.7.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.2). ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ 39 + - Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21). ([#1504](https://github.com/kubernetes-sigs/metrics-server/pull/1504)) _@jimmy-ungerman_ 40 + 41 + ### Fixed 42 + 43 + - Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace. ([#1479](https://github.com/kubernetes-sigs/metrics-server/pull/1479)) _@the-technat_ 44 + - Fixed the `ServiceMonitor` job label. ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ 45 + 46 + ## [3.12.1] - 2024-04-05 47 + 48 + ### Changed 49 + 50 + - Updated the _Metrics Server_ OCI image to [v0.7.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1). ([#1461](https://github.com/kubernetes-sigs/metrics-server/pull/1461)) _@stevehipwell_ 51 + - Changed `Deployment` templating to ignore `schedulerName` when value is empty. ([#1475](https://github.com/kubernetes-sigs/metrics-server/pull/1475)) _@senges_ 52 + 53 + ## [3.12.0] - 2024-02-07 54 + 55 + ### Changed 56 + 57 + - Updated the _Metrics Server_ OCI image to [v0.7.0](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0). ([#1414](https://github.com/kubernetes-sigs/metrics-server/pull/1414)) [@stevehipwell](https://github.com/stevehipwell) 58 + - Updated the _addon-resizer_ OCI image to [v1.8.20](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.20). ([#1414](https://github.com/kubernetes-sigs/metrics-server/pull/1414)) [@stevehipwell](https://github.com/stevehipwell) 59 + 60 + ## [3.11.0] - 2023-08-03 61 + 62 + ### Added 63 + 64 + - Added default _Metrics Server_ resource requests. 65 + 66 + ### Changed 67 + 68 + - Updated the _Metrics Server_ OCI image to [v0.6.4](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.4). 69 + - Updated the _addon-resizer_ OCI image to [v1.8.19](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.19). 70 + 71 + ## [3.10.0] - 2023-04-12 72 + 73 + ### Added 74 + 75 + - Added support for running under PodSecurity restricted. 76 + 77 + ### Fixed 78 + 79 + - Fixed `auth-reader` role binding namespace to always use `kube-system`. 80 + - Fixed addon-resizer configuration. 81 + - Fixed container port default not having been updated to `10250`. 82 + 83 + ## [3.9.0] - 2023-03-28 84 + 85 + ### Added 86 + 87 + - Added autoscaling support via the addon-resizer. 88 + 89 + ### Changed 90 + 91 + - Updated the _Metrics Server_ OCI image to [v0.6.3](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3). 92 + 93 + ### Fixed 94 + 95 + - Fixed service labels/annotations. 96 + 97 + ## [3.8.4] - 2023-03-06 98 + 99 + ### Changed 100 + 101 + - Changed the image registry location to `registry.k8s.io`. 102 + 103 + ## [3.8.3] - 2022-12-08 104 + 105 + ### Added 106 + 107 + - Added support for topologySpreadConstraints. 108 + - Always set resource namespaces explicitly. 109 + - Allow configuring TLS on the APIService. 110 + - Enabled service monitor relabelling. 111 + - Added ability to set the scheduler name. 112 + - Added support for common labels. 113 + 114 + ### Changed 115 + 116 + - Updated the _Metrics Server_ OCI image to [v0.6.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2). 117 + 118 + ## [3.8.2] - 2022-02-23 119 + 120 + ### Changed 121 + 122 + - Changed chart to allow probes to be turned off completely (this is not advised unless you know what you're doing). 123 + 124 + ## [3.8.1] - 2022-02-09 125 + 126 + ### Changed 127 + 128 + - Updated the _Metrics Server_ OCI image to [v0.6.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1). 129 + 130 + ## [3.8.0] - 2022-02-08 131 + 132 + ### Added 133 + 134 + - Added support for unauthenticated access to the /metrics endpoint. 135 + - Added optional _Prometheus Operator_ `ServiceMonitor`. 136 + 137 + ### Changed 138 + 139 + - Updated the _Metrics Server_ OCI image to [v0.6.0](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.0). 140 + 141 + ## [3.7.0] - 2021-11-18 142 + 143 + ### Changed 144 + 145 + - Updated the _Metrics Server_ OCI image to [v0.5.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2). 146 + 147 + ## [3.6.0] - 2021-10-18 148 + 149 + ### Added 150 + 151 + - Added new `defaultArgs`` value to enable overriding the default arguments. 152 + 153 + ### Changed 154 + 155 + - Updated the _Metrics Server_ OCI image to [v0.5.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.1). 156 + 157 + ## [3.5.0] - 2021-10-07 158 + 159 + ### Added 160 + 161 + - Added initial Helm chart release from official repo. 162 + 163 + <!-- 164 + RELEASE LINKS 165 + --> 166 + [UNRELEASED]: https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server 167 + [3.13.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.13.0 168 + [3.12.2]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.2 169 + [3.12.1]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.1 170 + [3.12.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.0 171 + [3.11.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.11.0 172 + [3.10.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.10.0 173 + [3.9.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.9.0 174 + [3.8.4]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.4 175 + [3.8.3]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.3 176 + [3.8.2]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.2 177 + [3.8.1]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.1 178 + [3.8.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.0 179 + [3.7.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.7.0 180 + [3.6.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.6.0 181 + [3.5.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.5.0
+32
helm/system-setup/charts/metrics-server/Chart.yaml
···
··· 1 + annotations: 2 + artifacthub.io/changes: | 3 + - kind: added 4 + description: "Add chart options to secure the connection between Metrics Server and the Kubernetes API Server." 5 + - kind: added 6 + description: "Add `unhealthyPodEvictionPolicy` to the Metrics Server PDB as a user enabled feature." 7 + - kind: changed 8 + description: "Update the _Addon Resizer_ OCI image to [`1.8.23`](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.23)." 9 + - kind: changed 10 + description: "Update the _Metrics Server_ OCI image to [`0.8.0`](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.8.0)." 11 + apiVersion: v2 12 + appVersion: 0.8.0 13 + description: Metrics Server is a scalable, efficient source of container resource 14 + metrics for Kubernetes built-in autoscaling pipelines. 15 + home: https://github.com/kubernetes-sigs/metrics-server 16 + icon: https://avatars.githubusercontent.com/u/36015203?s=400&v=4 17 + keywords: 18 + - kubernetes 19 + - metrics-server 20 + - metrics 21 + maintainers: 22 + - name: stevehipwell 23 + url: https://github.com/stevehipwell 24 + - name: krmichel 25 + url: https://github.com/krmichel 26 + - name: endrec 27 + url: https://github.com/endrec 28 + name: metrics-server 29 + sources: 30 + - https://github.com/kubernetes-sigs/metrics-server 31 + type: application 32 + version: 3.13.0
+190
helm/system-setup/charts/metrics-server/README.md
···
··· 1 + # Kubernetes Metrics Server 2 + 3 + [Metrics Server](https://github.com/kubernetes-sigs/metrics-server/) is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines. 4 + 5 + ## Installing the Chart 6 + 7 + Before you can install the chart you will need to add the `metrics-server` repo to [Helm](https://helm.sh/). 8 + 9 + ```shell 10 + helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/ 11 + ``` 12 + 13 + After you've installed the repo you can install the chart. 14 + 15 + ```shell 16 + helm upgrade --install metrics-server metrics-server/metrics-server 17 + ``` 18 + 19 + ## Configuration 20 + 21 + The following table lists the configurable parameters of the _Metrics Server_ chart and their default values. 22 + 23 + | Parameter | Description | Default | 24 + | ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ | 25 + | `image.repository` | Image repository. | `registry.k8s.io/metrics-server/metrics-server` | 26 + | `image.tag` | Image tag, will override the default tag derived from the chart app version. | `""` | 27 + | `image.pullPolicy` | Image pull policy. | `IfNotPresent` | 28 + | `imagePullSecrets` | Image pull secrets. | `[]` | 29 + | `nameOverride` | Override the `name` of the chart. | `nil` | 30 + | `fullnameOverride` | Override the `fullname` of the chart. | `nil` | 31 + | `serviceAccount.create` | If `true`, create a new service account. | `true` | 32 + | `serviceAccount.annotations` | Annotations to add to the service account. | `{}` | 33 + | `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. | `nil` | 34 + | `serviceAccount.secrets` | The list of secrets mountable by this service account. See <https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets> | `[]` | 35 + | `rbac.create` | If `true`, create the RBAC resources. | `true` | 36 + | `rbac.pspEnabled` | If `true`, create a pod security policy resource, unless Kubernetes version is 1.25 or later. | `false` | 37 + | `apiService.create` | If `true`, create the `v1beta1.metrics.k8s.io` API service. You typically want this enabled! If you disable API service creation you have to manage it outside of this chart for e.g horizontal pod autoscaling to work with this release. | `true` | 38 + | `apiService.annotations` | Annotations to add to the API service | `{}` | 39 + | `apiService.insecureSkipTLSVerify` | Specifies whether to skip TLS verification (NOTE: this setting is not a proxy for the `--kubelet-insecure-tls` metrics-server flag) | `true` | 40 + | `apiService.caBundle` | The PEM encoded CA bundle for TLS verification | `""` | 41 + | `commonLabels` | Labels to add to each object of the chart. | `{}` | 42 + | `podLabels` | Labels to add to the pod. | `{}` | 43 + | `podAnnotations` | Annotations to add to the pod. | `{}` | 44 + | `podSecurityContext` | Security context for the pod. | `{}` | 45 + | `securityContext` | Security context for the _metrics-server_ container. | _See values.yaml_ | 46 + | `priorityClassName` | Priority class name to use. | `system-cluster-critical` | 47 + | `containerPort` | port for the _metrics-server_ container. | `10250` | 48 + | `hostNetwork.enabled` | If `true`, start _metric-server_ in hostNetwork mode. You would require this enabled if you use alternate overlay networking for pods and API server unable to communicate with metrics-server. As an example, this is required if you use Weave network on EKS. | `false` | 49 + | `replicas` | Number of replicas to run. | `1` | 50 + | `revisionHistoryLimit` | Number of revisions to keep. | `nil` | 51 + | `updateStrategy` | Customise the default update strategy. | `{}` | 52 + | `podDisruptionBudget.enabled` | If `true`, create `PodDisruptionBudget` resource. | `{}` | 53 + | `podDisruptionBudget.minAvailable` | Set the `PodDisruptionBudget` minimum available pods. | `nil` | 54 + | `podDisruptionBudget.maxUnavailable` | Set the `PodDisruptionBudget` maximum unavailable pods. | `nil` | 55 + | `podDisruptionBudget.maxUnavailable` | Set the `PodDisruptionBudget` maximum unavailable pods. | `nil` | 56 + | `podDisruptionBudget.unhealthyPodEvictionPolicy` | Unhealthy pod eviction policy for the PDB. | `nil` | 57 + | `defaultArgs` | Default arguments to pass to the _metrics-server_ command. | See _values.yaml_ | 58 + | `args` | Additional arguments to pass to the _metrics-server_ command. | `[]` | 59 + | `livenessProbe` | Liveness probe. | See _values.yaml_ | 60 + | `readinessProbe` | Readiness probe. | See _values.yaml_ | 61 + | `service.type` | Service type. | `ClusterIP` | 62 + | `service.port` | Service port. | `443` | 63 + | `service.annotations` | Annotations to add to the service. | `{}` | 64 + | `service.labels` | Labels to add to the service. | `{}` | 65 + | `addonResizer.enabled` | If `true`, run the addon-resizer as a sidecar to automatically scale resource requests with cluster size. | `false` | 66 + | `addonResizer.securityContext` | Security context for the _metrics_server_container. | _See values.yaml | 67 + | `addonResizer.image.repository` | addon-resizer image repository | `registry.k8s.io/autoscaling/addon-resizer` | 68 + | `addonResizer.image.tag` | addon-resizer image tag | `1.8.23` | 69 + | `addonResizer.resources` | Resource requests and limits for the _nanny_ container. | `{ requests: { cpu: 40m, memory: 25Mi }, limits: { cpu: 40m, memory: 25Mi } }` | 70 + | `addonResizer.nanny.cpu` | The base CPU requirement. | `0m` | 71 + | `addonResizer.nanny.extraCPU` | The amount of CPU to add per node. | `1m` | 72 + | `addonResizer.nanny.memory` | The base memory requirement. | `0Mi` | 73 + | `addonResizer.nanny.extraMemory` | The amount of memory to add per node. | `2Mi` | 74 + | `addonResizer.nanny.minClusterSize` | Specifies the smallest number of nodes resources will be scaled to. | `100` | 75 + | `addonResizer.nanny.pollPeriod` | The time, in milliseconds, to poll the dependent container. | `300000` | 76 + | `addonResizer.nanny.threshold` | A number between 0-100. The dependent's resources are rewritten when they deviate from expected by more than threshold. | `5` | 77 + | `metrics.enabled` | If `true`, allow unauthenticated access to `/metrics`. | `false` | 78 + | `serviceMonitor.enabled` | If `true`, create a _Prometheus_ service monitor. This needs `metrics.enabled` to be `true`. | `false` | 79 + | `serviceMonitor.additionalLabels` | Additional labels to be set on the ServiceMonitor. | `{}` | 80 + | `serviceMonitor.metricRelabelings` | _Prometheus_ metric relabeling. | `[]` | 81 + | `serviceMonitor.relabelings` | _Prometheus_ relabeling. | `[]` | 82 + | `serviceMonitor.interval` | _Prometheus_ scrape frequency. | `1m` | 83 + | `serviceMonitor.scrapeTimeout` | _Prometheus_ scrape timeout. | `10s` | 84 + | `resources` | Resource requests and limits for the _metrics-server_ container. See <https://github.com/kubernetes-sigs/metrics-server#scaling> | `{ requests: { cpu: 100m, memory: 200Mi }}` | 85 + | `extraVolumeMounts` | Additional volume mounts for the _metrics-server_ container. | `[]` | 86 + | `extraVolumes` | Additional volumes for the pod. | `[]` | 87 + | `nodeSelector` | Node labels for pod assignment. | `{}` | 88 + | `tolerations` | Tolerations for pod assignment. | `[]` | 89 + | `affinity` | Affinity for pod assignment. | `{}` | 90 + | `topologySpreadConstraints` | Pod Topology Spread Constraints. | `[]` | 91 + | `deploymentAnnotations` | Annotations to add to the deployment. | `{}` | 92 + | `schedulerName` | scheduler to set to the deployment. | `""` | 93 + | `dnsConfig` | Set the dns configuration options for the deployment. | `{}` | 94 + | `tmpVolume` | Volume to be mounted in Pods for temporary files. | `{"emptyDir":{}}` | 95 + | `tls.type` | TLS option to use. Either use `metrics-server` for self-signed certificates, `helm`, `cert-manager` or `existingSecret`. | `"metrics-server"` | 96 + | `tls.clusterDomain` | Kubernetes cluster domain. Used to configure Subject Alt Names for the certificate when using `tls.type` `helm` or `cert-manager`. | `"cluster.local"` | 97 + | `tls.certManager.addInjectorAnnotations` | Automatically add the cert-manager.io/inject-ca-from annotation to the APIService resource. | `true` | 98 + | `tls.certManager.existingIssuer.enabled` | Use an existing cert-manager issuer | `false` | 99 + | `tls.certManager.existingIssuer.kind` | Kind of the existing cert-manager issuer | `"Issuer"` | 100 + | `tls.certManager.existingIssuer.name` | Name of the existing cert-manager issuer | `"my-issuer"` | 101 + | `tls.certManager.duration` | Set the requested duration (i.e. lifetime) of the Certificate. | `""` | 102 + | `tls.certManager.renewBefore` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. | `""` | 103 + | `tls.certManager.annotations` | Add extra annotations to the Certificate resource | `{}` | 104 + | `tls.certManager.labels` | Add extra labels to the Certificate resource | `{}` | 105 + | `tls.helm.certDurationDays` | Cert validity duration in days | `365` | 106 + | `tls.helm.lookup` | Use helm lookup function to reuse Secret created in previous helm install | `true` | 107 + | `tls.existingSecret.lookup` | Use helm lookup function to provision `apiService.caBundle` | `true` | 108 + | `tls.existingSecret.name` | Name of the existing Secret to use for TLS | `""` | 109 + 110 + ## Hardening metrics-server 111 + 112 + By default, metrics-server is using a self-signed certificate which is generated during startup. The `APIservice` resource is registered with `.spec.insecureSkipTLSVerify` set to `true` as you can see here: 113 + 114 + ```yaml 115 + apiVersion: apiregistration.k8s.io/v1 116 + kind: APIService 117 + metadata: 118 + name: v1beta1.metrics.k8s.io 119 + spec: 120 + #.. 121 + insecureSkipTLSVerify: true # <-- see here 122 + service: 123 + name: metrics-server 124 + #.. 125 + ``` 126 + 127 + To harden metrics-server, you have these options described in the following section. 128 + 129 + ### Option 1: Let helm generate a self-signed certificate 130 + 131 + This option is probably the easiest solution for you. We delegate the process to generate a self-signed certificate to helm. 132 + As helm generates them during deploy time, helm can also inject the `apiService.caBundle` for you. 133 + 134 + **The only disadvantage of using this method is that it is not GitOps friendly** (e.g. Argo CD). If you are using one of these 135 + GitOps tools with drift detection, it will always detect changes. However if you are deploying the helm chart via Terraform 136 + for example (or maybe even Flux), this method is perfectly fine. 137 + 138 + To use this method, please setup your values file like this: 139 + 140 + ```yaml 141 + apiService: 142 + insecureSkipTLSVerify: false 143 + tls: 144 + type: helm 145 + ``` 146 + 147 + ### Option 2: Use cert-manager 148 + 149 + > **Requirement:** cert-manager needs to be installed before you install metrics-server 150 + 151 + To use this method, please setup your values file like this: 152 + 153 + ```yaml 154 + apiService: 155 + insecureSkipTLSVerify: false 156 + tls: 157 + type: cert-manager 158 + ``` 159 + 160 + There are other optional parameters, if you want to customize the behavior of the certificate even more. 161 + 162 + ### Option 3: Use existing Secret 163 + 164 + This option allows you to reuse an existing Secret. This Secrets can have an arbitrary origin, e.g. 165 + 166 + - Created via kubectl / Terraform / etc. 167 + - Synced from a secret management solution like AWS Secrets Manager, HashiCorp Vault, etc. 168 + 169 + When using this type of TLS option, the keys `tls.key` and the `tls.crt` key must be provided in the data field of the 170 + existing Secret. 171 + 172 + You need to pass the certificate of the issuing CA (or the certificate itself) via `apiService.caBundle` to ensure 173 + proper configuration of the `APIservice` resource. Otherwise you cannot set `apiService.insecureSkipTLSVerify` to 174 + `false`. 175 + 176 + To use this method, please setup your values file like this: 177 + 178 + ```yaml 179 + apiService: 180 + insecureSkipTLSVerify: false 181 + caBundle: | 182 + -----BEGIN CERTIFICATE----- 183 + ... 184 + -----END CERTIFICATE----- 185 + 186 + tls: 187 + type: existingSecret 188 + existingSecret: 189 + name: metrics-server-existing 190 + ```
+9
helm/system-setup/charts/metrics-server/RELEASE.md
···
··· 1 + ### Added 2 + 3 + - Add chart options to secure the connection between Metrics Server and the Kubernetes API Server. ([#1288](https://github.com/kubernetes-sigs/metrics-server/pull/1288)) _@mkilchhofer_ 4 + - Add `unhealthyPodEvictionPolicy` to the Metrics Server PDB as a user enabled feature. ([#1574](https://github.com/kubernetes-sigs/metrics-server/pull/1574)) @peterabarr 5 + 6 + ### Changed 7 + 8 + - Update the _Addon Resizer_ OCI image to [`1.8.23`](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.23). ([#1626](https://github.com/kubernetes-sigs/metrics-server/pull/1626)) _@stevehipwell_ 9 + - Update the _Metrics Server_ OCI image to [`0.8.0`](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.8.0). ([#1683](https://github.com/kubernetes-sigs/metrics-server/pull/1683)) _@stevehipwell_
+2
helm/system-setup/charts/metrics-server/ci/ci-values.yaml
···
··· 1 + args: 2 + - --kubelet-insecure-tls
+8
helm/system-setup/charts/metrics-server/ci/tls-certManager-values.yaml
···
··· 1 + args: 2 + - --kubelet-insecure-tls 3 + 4 + apiService: 5 + insecureSkipTLSVerify: false 6 + 7 + tls: 8 + type: cert-manager
+12
helm/system-setup/charts/metrics-server/ci/tls-existingSecret-values.yaml
···
··· 1 + args: 2 + - --kubelet-insecure-tls 3 + 4 + ## Set via GH action (step "Prepare existing secret test scenario") 5 + # apiService: 6 + # insecureSkipTLSVerify: false 7 + # caBundle: | 8 + 9 + tls: 10 + type: existingSecret 11 + existingSecret: 12 + name: metrics-server-existing
+8
helm/system-setup/charts/metrics-server/ci/tls-helm-values.yaml
···
··· 1 + args: 2 + - --kubelet-insecure-tls 3 + 4 + apiService: 5 + insecureSkipTLSVerify: false 6 + 7 + tls: 8 + type: helm
+7
helm/system-setup/charts/metrics-server/templates/NOTES.txt
···
··· 1 + *********************************************************************** 2 + * Metrics Server * 3 + *********************************************************************** 4 + Chart version: {{ .Chart.Version }} 5 + App version: {{ .Chart.AppVersion }} 6 + Image tag: {{ include "metrics-server.image" . }} 7 + ***********************************************************************
+102
helm/system-setup/charts/metrics-server/templates/_helpers.tpl
···
··· 1 + {{/* 2 + Expand the name of the chart. 3 + */}} 4 + {{- define "metrics-server.name" -}} 5 + {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 + {{- end }} 7 + 8 + {{/* 9 + Create a default fully qualified app name. 10 + We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 + If release name contains chart name it will be used as a full name. 12 + */}} 13 + {{- define "metrics-server.fullname" -}} 14 + {{- if .Values.fullnameOverride }} 15 + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 + {{- else }} 17 + {{- $name := default .Chart.Name .Values.nameOverride }} 18 + {{- if contains $name .Release.Name }} 19 + {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 + {{- else }} 21 + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 + {{- end }} 23 + {{- end }} 24 + {{- end }} 25 + 26 + {{/* 27 + Create chart name and version as used by the chart label. 28 + */}} 29 + {{- define "metrics-server.chart" -}} 30 + {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 + {{- end }} 32 + 33 + {{/* 34 + Common labels 35 + */}} 36 + {{- define "metrics-server.labels" -}} 37 + helm.sh/chart: {{ include "metrics-server.chart" . }} 38 + {{ include "metrics-server.selectorLabels" . }} 39 + {{- if .Chart.AppVersion }} 40 + app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 + {{- end }} 42 + app.kubernetes.io/managed-by: {{ .Release.Service }} 43 + {{- if .Values.commonLabels }} 44 + {{ toYaml .Values.commonLabels }} 45 + {{- end }} 46 + {{- end }} 47 + 48 + {{/* 49 + Selector labels 50 + */}} 51 + {{- define "metrics-server.selectorLabels" -}} 52 + app.kubernetes.io/name: {{ include "metrics-server.name" . }} 53 + app.kubernetes.io/instance: {{ .Release.Name }} 54 + {{- end }} 55 + 56 + {{/* 57 + Create the name of the service account to use 58 + */}} 59 + {{- define "metrics-server.serviceAccountName" -}} 60 + {{- if .Values.serviceAccount.create }} 61 + {{- default (include "metrics-server.fullname" .) .Values.serviceAccount.name }} 62 + {{- else }} 63 + {{- default "default" .Values.serviceAccount.name }} 64 + {{- end }} 65 + {{- end }} 66 + 67 + {{/* 68 + The image to use 69 + */}} 70 + {{- define "metrics-server.image" -}} 71 + {{- printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} 72 + {{- end }} 73 + 74 + {{/* 75 + The image to use for the addon resizer 76 + */}} 77 + {{- define "metrics-server.addonResizer.image" -}} 78 + {{- printf "%s:%s" .Values.addonResizer.image.repository .Values.addonResizer.image.tag }} 79 + {{- end }} 80 + 81 + {{/* 82 + ConfigMap name of addon resizer 83 + */}} 84 + {{- define "metrics-server.addonResizer.configMap" -}} 85 + {{- printf "%s-%s" (include "metrics-server.fullname" .) "nanny-config" }} 86 + {{- end }} 87 + 88 + {{/* 89 + Role name of addon resizer 90 + */}} 91 + {{- define "metrics-server.addonResizer.role" -}} 92 + {{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }} 93 + {{- end }} 94 + 95 + {{/* Get PodDisruptionBudget API Version */}} 96 + {{- define "metrics-server.pdb.apiVersion" -}} 97 + {{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">= 1.21-0" .Capabilities.KubeVersion.Version) -}} 98 + {{- print "policy/v1" -}} 99 + {{- else -}} 100 + {{- print "policy/v1beta1" -}} 101 + {{- end -}} 102 + {{- end -}}
+71
helm/system-setup/charts/metrics-server/templates/apiservice.yaml
···
··· 1 + {{- $altNames := list }} 2 + {{- $certs := dict }} 3 + {{- $previous := dict }} 4 + 5 + {{- if eq .Values.tls.type "helm" }} 6 + {{- $previous = lookup "v1" "Secret" .Release.Namespace (include "metrics-server.fullname" .) }} 7 + {{- $commonName := include "metrics-server.fullname" . }} 8 + {{- $ns := .Release.Namespace }} 9 + {{- $altNames = append $altNames (printf "%s.%s" $commonName $ns) }} 10 + {{- $altNames = append $altNames (printf "%s.%s.svc" $commonName $ns) }} 11 + {{- $altNames = append $altNames (printf "%s.%s.svc.%s" $commonName $ns .Values.tls.clusterDomain) }} 12 + {{- $certs = genSelfSignedCert $commonName nil $altNames (int .Values.tls.helm.certDurationDays) }} 13 + apiVersion: v1 14 + kind: Secret 15 + metadata: 16 + name: {{ include "metrics-server.fullname" . }} 17 + labels: 18 + {{- include "metrics-server.labels" . | nindent 4 }} 19 + type: Opaque 20 + data: 21 + {{- if and $previous .Values.tls.helm.lookup }} 22 + tls.crt: {{ index $previous.data "tls.crt" }} 23 + tls.key: {{ index $previous.data "tls.key" }} 24 + {{- else }} 25 + tls.crt: {{ $certs.Cert| b64enc | quote }} 26 + tls.key: {{ $certs.Key | b64enc | quote }} 27 + {{- end }} 28 + {{- end }} 29 + --- 30 + {{- $existing := dict }} 31 + {{- if .Values.apiService.create }} 32 + {{- if and (eq .Values.tls.type "existingSecret") .Values.tls.existingSecret.lookup }} 33 + {{- $existing := lookup "v1" "Secret" .Release.Namespace .Values.tls.existingSecret.name }} 34 + {{- end }} 35 + apiVersion: apiregistration.k8s.io/v1 36 + kind: APIService 37 + metadata: 38 + name: v1beta1.metrics.k8s.io 39 + labels: 40 + {{- include "metrics-server.labels" . | nindent 4 }} 41 + {{- if or .Values.apiService.annotations .Values.tls.certManager.addInjectorAnnotations }} 42 + annotations: 43 + {{- if and (eq .Values.tls.type "cert-manager") .Values.tls.certManager.addInjectorAnnotations }} 44 + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metrics-server.fullname" . }} 45 + {{- end }} 46 + {{- with .Values.apiService.annotations }} 47 + {{- toYaml . | nindent 4 }} 48 + {{- end }} 49 + {{- end }} 50 + spec: 51 + {{- if eq .Values.tls.type "helm" }} 52 + {{- if and $previous .Values.tls.helm.lookup }} 53 + caBundle: {{ index $previous.data "tls.crt" }} 54 + {{- else }} 55 + caBundle: {{ $certs.Cert | b64enc }} 56 + {{- end }} 57 + {{- else if $existing }} 58 + caBundle: {{ index $existing.data "tls.crt" }} 59 + {{- else if and .Values.apiService.caBundle (ne .Values.tls.type "cert-manager") }} 60 + caBundle: {{ .Values.apiService.caBundle | b64enc }} 61 + {{- end }} 62 + group: metrics.k8s.io 63 + groupPriorityMinimum: 100 64 + insecureSkipTLSVerify: {{ .Values.apiService.insecureSkipTLSVerify }} 65 + service: 66 + name: {{ include "metrics-server.fullname" . }} 67 + namespace: {{ .Release.Namespace }} 68 + port: {{ .Values.service.port }} 69 + version: v1beta1 70 + versionPriority: 100 71 + {{- end }}
+47
helm/system-setup/charts/metrics-server/templates/certificate.yaml
···
··· 1 + {{- if eq .Values.tls.type "cert-manager" }} 2 + {{- if not .Values.tls.certManager.existingIssuer.enabled }} 3 + apiVersion: cert-manager.io/v1 4 + kind: Issuer 5 + metadata: 6 + annotations: 7 + {{- toYaml .Values.additionalAnnotations | nindent 4 }} 8 + name: {{ include "metrics-server.fullname" . }}-issuer 9 + namespace: {{ .Release.Namespace }} 10 + spec: 11 + selfSigned: {} 12 + {{- end }} 13 + --- 14 + apiVersion: cert-manager.io/v1 15 + kind: Certificate 16 + metadata: 17 + name: {{ include "metrics-server.fullname" . }} 18 + namespace: {{ .Release.Namespace }} 19 + spec: 20 + commonName: {{ include "metrics-server.fullname" . }} 21 + dnsNames: 22 + - {{ include "metrics-server.fullname" . }}.{{ .Release.Namespace }} 23 + - {{ include "metrics-server.fullname" . }}.{{ .Release.Namespace }}.svc 24 + - {{ include "metrics-server.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.tls.clusterDomain }} 25 + secretName: {{ include "metrics-server.fullname" . }} 26 + usages: 27 + - server auth 28 + - client auth 29 + privateKey: 30 + algorithm: RSA 31 + size: 2048 32 + {{- with .Values.tls.certManager.duration }} 33 + duration: {{ . }} 34 + {{- end }} 35 + {{- with .Values.tls.certManager.renewBefore }} 36 + renewBefore: {{ . }} 37 + {{- end }} 38 + issuerRef: 39 + {{- if .Values.tls.certManager.existingIssuer.enabled }} 40 + name: {{ .Values.tls.certManager.existingIssuer.name }} 41 + kind: {{ .Values.tls.certManager.existingIssuer.kind }} 42 + {{- else }} 43 + name: {{ include "metrics-server.fullname" . }}-issuer 44 + kind: Issuer 45 + {{- end }} 46 + group: cert-manager.io 47 + {{- end }}
+21
helm/system-setup/charts/metrics-server/templates/clusterrole-aggregated-reader.yaml
···
··· 1 + {{- if .Values.rbac.create -}} 2 + apiVersion: rbac.authorization.k8s.io/v1 3 + kind: ClusterRole 4 + metadata: 5 + name: {{ printf "system:%s-aggregated-reader" (include "metrics-server.name" .) }} 6 + labels: 7 + {{- include "metrics-server.labels" . | nindent 4 }} 8 + rbac.authorization.k8s.io/aggregate-to-admin: "true" 9 + rbac.authorization.k8s.io/aggregate-to-edit: "true" 10 + rbac.authorization.k8s.io/aggregate-to-view: "true" 11 + rules: 12 + - apiGroups: 13 + - metrics.k8s.io 14 + resources: 15 + - pods 16 + - nodes 17 + verbs: 18 + - get 19 + - list 20 + - watch 21 + {{- end -}}
+13
helm/system-setup/charts/metrics-server/templates/clusterrole-nanny.yaml
···
··· 1 + {{- if and .Values.rbac.create .Values.addonResizer.enabled -}} 2 + apiVersion: rbac.authorization.k8s.io/v1 3 + kind: ClusterRole 4 + metadata: 5 + name: {{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }} 6 + labels: 7 + {{- include "metrics-server.labels" . | nindent 4 }} 8 + rules: 9 + - nonResourceURLs: 10 + - /metrics 11 + verbs: 12 + - get 13 + {{- end -}}
+37
helm/system-setup/charts/metrics-server/templates/clusterrole.yaml
···
··· 1 + {{- if .Values.rbac.create -}} 2 + apiVersion: rbac.authorization.k8s.io/v1 3 + kind: ClusterRole 4 + metadata: 5 + name: {{ printf "system:%s" (include "metrics-server.fullname" .) }} 6 + labels: 7 + {{- include "metrics-server.labels" . | nindent 4 }} 8 + rules: 9 + - apiGroups: 10 + - "" 11 + resources: 12 + - nodes/metrics 13 + verbs: 14 + - get 15 + - apiGroups: 16 + - "" 17 + resources: 18 + - pods 19 + - nodes 20 + - namespaces 21 + - configmaps 22 + verbs: 23 + - get 24 + - list 25 + - watch 26 + {{- if .Values.rbac.pspEnabled }} 27 + - apiGroups: 28 + - extensions 29 + - policy 30 + resources: 31 + - podsecuritypolicies 32 + resourceNames: 33 + - {{ printf "privileged-%s" (include "metrics-server.fullname" .) }} 34 + verbs: 35 + - use 36 + {{- end -}} 37 + {{- end -}}
+16
helm/system-setup/charts/metrics-server/templates/clusterrolebinding-auth-delegator.yaml
···
··· 1 + {{- if .Values.rbac.create -}} 2 + apiVersion: rbac.authorization.k8s.io/v1 3 + kind: ClusterRoleBinding 4 + metadata: 5 + name: {{ printf "%s:system:auth-delegator" (include "metrics-server.fullname" .) }} 6 + labels: 7 + {{- include "metrics-server.labels" . | nindent 4 }} 8 + roleRef: 9 + apiGroup: rbac.authorization.k8s.io 10 + kind: ClusterRole 11 + name: system:auth-delegator 12 + subjects: 13 + - kind: ServiceAccount 14 + name: {{ include "metrics-server.serviceAccountName" . }} 15 + namespace: {{ .Release.Namespace }} 16 + {{- end -}}
+18
helm/system-setup/charts/metrics-server/templates/clusterrolebinding-nanny.yaml
···
··· 1 + {{- if .Values.rbac.create -}} 2 + {{- if .Values.addonResizer.enabled -}} 3 + apiVersion: rbac.authorization.k8s.io/v1 4 + kind: ClusterRoleBinding 5 + metadata: 6 + name: {{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }} 7 + labels: 8 + {{- include "metrics-server.labels" . | nindent 4 }} 9 + roleRef: 10 + apiGroup: rbac.authorization.k8s.io 11 + kind: ClusterRole 12 + name: system:{{ template "metrics-server.fullname" . }}-nanny 13 + subjects: 14 + - kind: ServiceAccount 15 + name: {{ include "metrics-server.serviceAccountName" . }} 16 + namespace: {{ .Release.Namespace }} 17 + {{- end -}} 18 + {{- end -}}
+16
helm/system-setup/charts/metrics-server/templates/clusterrolebinding.yaml
···
··· 1 + {{- if .Values.rbac.create -}} 2 + apiVersion: rbac.authorization.k8s.io/v1 3 + kind: ClusterRoleBinding 4 + metadata: 5 + name: {{ printf "system:%s" (include "metrics-server.fullname" .) }} 6 + labels: 7 + {{- include "metrics-server.labels" . | nindent 4 }} 8 + roleRef: 9 + apiGroup: rbac.authorization.k8s.io 10 + kind: ClusterRole 11 + name: system:{{ template "metrics-server.fullname" . }} 12 + subjects: 13 + - kind: ServiceAccount 14 + name: {{ include "metrics-server.serviceAccountName" . }} 15 + namespace: {{ .Release.Namespace }} 16 + {{- end -}}
+17
helm/system-setup/charts/metrics-server/templates/configmaps-nanny.yaml
···
··· 1 + {{- if .Values.addonResizer.enabled -}} 2 + apiVersion: v1 3 + kind: ConfigMap 4 + metadata: 5 + name: {{ include "metrics-server.addonResizer.configMap" . }} 6 + namespace: {{ .Release.Namespace }} 7 + labels: 8 + {{- include "metrics-server.labels" . | nindent 4 }} 9 + data: 10 + NannyConfiguration: |- 11 + apiVersion: nannyconfig/v1alpha1 12 + kind: NannyConfiguration 13 + baseCPU: {{ .Values.addonResizer.nanny.cpu }} 14 + cpuPerNode: {{ .Values.addonResizer.nanny.extraCpu }} 15 + baseMemory: {{ .Values.addonResizer.nanny.memory }} 16 + memoryPerNode: {{ .Values.addonResizer.nanny.extraMemory }} 17 + {{- end -}}
+177
helm/system-setup/charts/metrics-server/templates/deployment.yaml
···
··· 1 + apiVersion: apps/v1 2 + kind: Deployment 3 + metadata: 4 + name: {{ include "metrics-server.fullname" . }} 5 + namespace: {{ .Release.Namespace }} 6 + labels: 7 + {{- include "metrics-server.labels" . | nindent 4 }} 8 + {{- with .Values.deploymentAnnotations }} 9 + annotations: 10 + {{- toYaml . | nindent 4 }} 11 + {{- end }} 12 + spec: 13 + replicas: {{ .Values.replicas }} 14 + {{- if not (has (quote .Values.revisionHistoryLimit) (list "" (quote ""))) }} 15 + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} 16 + {{- end }} 17 + {{- with .Values.updateStrategy }} 18 + strategy: 19 + {{- toYaml . | nindent 4 }} 20 + {{- end }} 21 + selector: 22 + matchLabels: 23 + {{- include "metrics-server.selectorLabels" . | nindent 6 }} 24 + template: 25 + metadata: 26 + labels: 27 + {{- include "metrics-server.selectorLabels" . | nindent 8 }} 28 + {{- with .Values.podLabels }} 29 + {{- toYaml . | nindent 8 }} 30 + {{- end }} 31 + {{- with .Values.podAnnotations }} 32 + annotations: 33 + {{- toYaml . | nindent 8 }} 34 + {{- end }} 35 + spec: 36 + {{- with .Values.schedulerName }} 37 + schedulerName: {{ . }} 38 + {{- end }} 39 + {{- with .Values.imagePullSecrets }} 40 + imagePullSecrets: 41 + {{- toYaml . | nindent 8 }} 42 + {{- end }} 43 + serviceAccountName: {{ include "metrics-server.serviceAccountName" . }} 44 + {{- with .Values.podSecurityContext }} 45 + securityContext: 46 + {{- toYaml . | nindent 8 }} 47 + {{- end }} 48 + {{- with .Values.priorityClassName }} 49 + priorityClassName: {{ . | quote }} 50 + {{- end }} 51 + {{- if .Values.hostNetwork.enabled }} 52 + hostNetwork: true 53 + {{- end }} 54 + {{- with .Values.dnsConfig }} 55 + dnsConfig: 56 + {{- toYaml . | nindent 8 }} 57 + {{- end }} 58 + containers: 59 + - name: metrics-server 60 + {{- with .Values.securityContext }} 61 + securityContext: 62 + {{- toYaml . | nindent 12 }} 63 + {{- end }} 64 + image: {{ include "metrics-server.image" . }} 65 + imagePullPolicy: {{ .Values.image.pullPolicy }} 66 + args: 67 + - {{ printf "--secure-port=%d" (int .Values.containerPort) }} 68 + {{- range .Values.defaultArgs }} 69 + - {{ . }} 70 + {{- end }} 71 + {{- if .Values.metrics.enabled }} 72 + - --authorization-always-allow-paths=/metrics 73 + {{- end }} 74 + {{- if ne .Values.tls.type "metrics-server" }} 75 + - --tls-cert-file=/tmp/tls-certs/tls.crt 76 + - --tls-private-key-file=/tmp/tls-certs/tls.key 77 + {{- end }} 78 + {{- range .Values.args }} 79 + - {{ . }} 80 + {{- end }} 81 + ports: 82 + - name: https 83 + protocol: TCP 84 + containerPort: {{ .Values.containerPort }} 85 + {{- with .Values.livenessProbe }} 86 + livenessProbe: 87 + {{- toYaml . | nindent 12 }} 88 + {{- end }} 89 + {{- with .Values.readinessProbe }} 90 + readinessProbe: 91 + {{- toYaml . | nindent 12 }} 92 + {{- end }} 93 + volumeMounts: 94 + - name: tmp 95 + mountPath: /tmp 96 + {{- if ne .Values.tls.type "metrics-server" }} 97 + - mountPath: /tmp/tls-certs 98 + name: certs 99 + readOnly: true 100 + {{- end }} 101 + {{- with .Values.extraVolumeMounts }} 102 + {{- toYaml . | nindent 12 }} 103 + {{- end }} 104 + {{- with .Values.resources }} 105 + resources: 106 + {{- toYaml . | nindent 12 }} 107 + {{- end }} 108 + {{- if .Values.addonResizer.enabled }} 109 + - name: metrics-server-nanny 110 + {{- with .Values.addonResizer.securityContext }} 111 + securityContext: 112 + {{- toYaml . | nindent 12 }} 113 + {{- end }} 114 + image: {{ include "metrics-server.addonResizer.image" . }} 115 + env: 116 + - name: MY_POD_NAME 117 + valueFrom: 118 + fieldRef: 119 + fieldPath: metadata.name 120 + - name: MY_POD_NAMESPACE 121 + valueFrom: 122 + fieldRef: 123 + fieldPath: metadata.namespace 124 + command: 125 + - /pod_nanny 126 + - --config-dir=/etc/config 127 + - --deployment={{ include "metrics-server.fullname" . }} 128 + - --container=metrics-server 129 + - --threshold={{ .Values.addonResizer.nanny.threshold }} 130 + - --poll-period={{ .Values.addonResizer.nanny.pollPeriod }} 131 + - --estimator=exponential 132 + - --minClusterSize={{ .Values.addonResizer.nanny.minClusterSize }} 133 + - --use-metrics=true 134 + volumeMounts: 135 + - name: nanny-config-volume 136 + mountPath: /etc/config 137 + {{- with .Values.addonResizer.resources }} 138 + resources: 139 + {{- toYaml . | nindent 12 }} 140 + {{- end }} 141 + {{- end }} 142 + volumes: 143 + - name: tmp 144 + {{- toYaml .Values.tmpVolume | nindent 10 }} 145 + {{- if .Values.addonResizer.enabled }} 146 + - name: nanny-config-volume 147 + configMap: 148 + name: {{ include "metrics-server.addonResizer.configMap" . }} 149 + {{- end }} 150 + {{- if ne .Values.tls.type "metrics-server" }} 151 + - name: certs 152 + secret: 153 + {{- if and (eq .Values.tls.type "existingSecret") .Values.tls.existingSecret.name }} 154 + secretName: {{ .Values.tls.existingSecret.name }} 155 + {{- else }} 156 + secretName: {{ include "metrics-server.fullname" . }} 157 + {{- end }} 158 + {{- end }} 159 + {{- with .Values.extraVolumes }} 160 + {{- toYaml . | nindent 8 }} 161 + {{- end }} 162 + {{- with .Values.nodeSelector }} 163 + nodeSelector: 164 + {{- toYaml . | nindent 8 }} 165 + {{- end }} 166 + {{- with .Values.affinity }} 167 + affinity: 168 + {{- toYaml . | nindent 8 }} 169 + {{- end }} 170 + {{- with .Values.tolerations }} 171 + tolerations: 172 + {{- toYaml . | nindent 8 }} 173 + {{- end }} 174 + {{- with .Values.topologySpreadConstraints }} 175 + topologySpreadConstraints: 176 + {{- toYaml . | nindent 8 }} 177 + {{- end }}
+25
helm/system-setup/charts/metrics-server/templates/pdb.yaml
···
··· 1 + {{- if .Values.podDisruptionBudget.enabled -}} 2 + apiVersion: {{ include "metrics-server.pdb.apiVersion" . }} 3 + kind: PodDisruptionBudget 4 + metadata: 5 + name: {{ include "metrics-server.fullname" . }} 6 + namespace: {{ .Release.Namespace }} 7 + labels: 8 + {{- include "metrics-server.labels" . | nindent 4 }} 9 + spec: 10 + {{- if .Values.podDisruptionBudget.minAvailable }} 11 + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} 12 + {{- end }} 13 + {{- if .Values.podDisruptionBudget.maxUnavailable }} 14 + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} 15 + {{- end }} 16 + {{- if (semverCompare ">= 1.27-0" .Capabilities.KubeVersion.Version) }} 17 + {{- with .Values.podDisruptionBudget.unhealthyPodEvictionPolicy }} 18 + unhealthyPodEvictionPolicy: {{ . }} 19 + {{- end }} 20 + {{- end }} 21 + 22 + selector: 23 + matchLabels: 24 + {{- include "metrics-server.selectorLabels" . | nindent 6 }} 25 + {{- end -}}
+28
helm/system-setup/charts/metrics-server/templates/psp.yaml
···
··· 1 + {{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }} 2 + apiVersion: policy/v1beta1 3 + kind: PodSecurityPolicy 4 + metadata: 5 + name: {{ printf "privileged-%s" (include "metrics-server.fullname" .) }} 6 + labels: 7 + {{- include "metrics-server.labels" . | nindent 4 }} 8 + spec: 9 + allowedCapabilities: 10 + - '*' 11 + fsGroup: 12 + rule: RunAsAny 13 + privileged: true 14 + runAsUser: 15 + rule: RunAsAny 16 + seLinux: 17 + rule: RunAsAny 18 + supplementalGroups: 19 + rule: RunAsAny 20 + volumes: 21 + - '*' 22 + hostPID: true 23 + hostIPC: true 24 + hostNetwork: true 25 + hostPorts: 26 + - min: 1 27 + max: 65536 28 + {{- end }}
+27
helm/system-setup/charts/metrics-server/templates/role-nanny.yaml
···
··· 1 + {{- if .Values.rbac.create -}} 2 + {{- if .Values.addonResizer.enabled -}} 3 + apiVersion: rbac.authorization.k8s.io/v1 4 + kind: Role 5 + metadata: 6 + name: {{ include "metrics-server.addonResizer.role" . }} 7 + namespace: {{ .Release.Namespace }} 8 + labels: 9 + {{- include "metrics-server.labels" . | nindent 4 }} 10 + rules: 11 + - apiGroups: 12 + - "" 13 + resources: 14 + - pods 15 + verbs: 16 + - get 17 + - apiGroups: 18 + - apps 19 + resources: 20 + - deployments 21 + resourceNames: 22 + - {{ include "metrics-server.fullname" . }} 23 + verbs: 24 + - get 25 + - patch 26 + {{- end -}} 27 + {{- end -}}
+19
helm/system-setup/charts/metrics-server/templates/rolebinding-nanny.yaml
···
··· 1 + {{- if .Values.rbac.create -}} 2 + {{- if .Values.addonResizer.enabled -}} 3 + apiVersion: rbac.authorization.k8s.io/v1 4 + kind: RoleBinding 5 + metadata: 6 + name: {{ printf "%s-nanny" (include "metrics-server.fullname" .) }} 7 + namespace: {{ .Release.Namespace }} 8 + labels: 9 + {{- include "metrics-server.labels" . | nindent 4 }} 10 + roleRef: 11 + apiGroup: rbac.authorization.k8s.io 12 + kind: Role 13 + name: {{ include "metrics-server.addonResizer.role" . }} 14 + subjects: 15 + - kind: ServiceAccount 16 + name: {{ include "metrics-server.serviceAccountName" . }} 17 + namespace: {{ .Release.Namespace }} 18 + {{- end -}} 19 + {{- end -}}
+17
helm/system-setup/charts/metrics-server/templates/rolebinding.yaml
···
··· 1 + {{- if .Values.rbac.create -}} 2 + apiVersion: rbac.authorization.k8s.io/v1 3 + kind: RoleBinding 4 + metadata: 5 + name: {{ printf "%s-auth-reader" (include "metrics-server.fullname" .) }} 6 + namespace: kube-system 7 + labels: 8 + {{- include "metrics-server.labels" . | nindent 4 }} 9 + roleRef: 10 + apiGroup: rbac.authorization.k8s.io 11 + kind: Role 12 + name: extension-apiserver-authentication-reader 13 + subjects: 14 + - kind: ServiceAccount 15 + name: {{ include "metrics-server.serviceAccountName" . }} 16 + namespace: {{ .Release.Namespace }} 17 + {{- end -}}
+24
helm/system-setup/charts/metrics-server/templates/service.yaml
···
··· 1 + apiVersion: v1 2 + kind: Service 3 + metadata: 4 + name: {{ include "metrics-server.fullname" . }} 5 + namespace: {{ .Release.Namespace }} 6 + labels: 7 + {{- include "metrics-server.labels" . | nindent 4 }} 8 + {{- with .Values.service.labels -}} 9 + {{- toYaml . | nindent 4 }} 10 + {{- end }} 11 + {{- with .Values.service.annotations }} 12 + annotations: 13 + {{- toYaml . | nindent 4 }} 14 + {{- end }} 15 + spec: 16 + type: {{ .Values.service.type }} 17 + ports: 18 + - name: https 19 + port: {{ .Values.service.port }} 20 + protocol: TCP 21 + targetPort: https 22 + appProtocol: https 23 + selector: 24 + {{- include "metrics-server.selectorLabels" . | nindent 4 }}
+17
helm/system-setup/charts/metrics-server/templates/serviceaccount.yaml
···
··· 1 + {{- if .Values.serviceAccount.create -}} 2 + apiVersion: v1 3 + kind: ServiceAccount 4 + metadata: 5 + name: {{ template "metrics-server.serviceAccountName" . }} 6 + namespace: {{ .Release.Namespace }} 7 + labels: 8 + {{- include "metrics-server.labels" . | nindent 4 }} 9 + {{- with .Values.serviceAccount.annotations }} 10 + annotations: 11 + {{- toYaml . | nindent 4 }} 12 + {{- end }} 13 + {{- with .Values.serviceAccount.secrets }} 14 + secrets: 15 + {{- toYaml . | nindent 2 }} 16 + {{- end }} 17 + {{- end -}}
+40
helm/system-setup/charts/metrics-server/templates/servicemonitor.yaml
···
··· 1 + {{- if and .Values.serviceMonitor.enabled .Values.metrics.enabled -}} 2 + apiVersion: monitoring.coreos.com/v1 3 + kind: ServiceMonitor 4 + metadata: 5 + name: {{ include "metrics-server.fullname" . }} 6 + namespace: {{ .Release.Namespace }} 7 + labels: 8 + {{- include "metrics-server.labels" . | nindent 4 }} 9 + {{- with .Values.serviceMonitor.additionalLabels }} 10 + {{- toYaml . | nindent 4 }} 11 + {{- end }} 12 + spec: 13 + jobLabel: app.kubernetes.io/instance 14 + namespaceSelector: 15 + matchNames: 16 + - {{ .Release.Namespace }} 17 + selector: 18 + matchLabels: 19 + {{- include "metrics-server.selectorLabels" . | nindent 6 }} 20 + endpoints: 21 + - port: https 22 + path: /metrics 23 + scheme: https 24 + tlsConfig: 25 + insecureSkipVerify: true 26 + {{- with .Values.serviceMonitor.interval }} 27 + interval: {{ . }} 28 + {{- end }} 29 + {{- with .Values.serviceMonitor.scrapeTimeout }} 30 + scrapeTimeout: {{ . }} 31 + {{- end }} 32 + {{- with .Values.serviceMonitor.metricRelabelings }} 33 + metricRelabelings: 34 + {{- toYaml . | nindent 8 }} 35 + {{- end }} 36 + {{- with .Values.serviceMonitor.relabelings }} 37 + relabelings: 38 + {{- toYaml . | nindent 8 }} 39 + {{- end }} 40 + {{- end -}}
+245
helm/system-setup/charts/metrics-server/values.yaml
···
··· 1 + # Default values for metrics-server. 2 + # This is a YAML-formatted file. 3 + # Declare variables to be passed into your templates. 4 + 5 + image: 6 + repository: registry.k8s.io/metrics-server/metrics-server 7 + # Overrides the image tag whose default is v{{ .Chart.AppVersion }} 8 + tag: "" 9 + pullPolicy: IfNotPresent 10 + 11 + imagePullSecrets: [] 12 + # - name: registrySecretName 13 + 14 + nameOverride: "" 15 + fullnameOverride: "" 16 + 17 + serviceAccount: 18 + # Specifies whether a service account should be created 19 + create: true 20 + # Annotations to add to the service account 21 + annotations: {} 22 + # The name of the service account to use. 23 + # If not set and create is true, a name is generated using the fullname template 24 + name: "" 25 + # The list of secrets mountable by this service account. 26 + # See https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets 27 + secrets: [] 28 + 29 + rbac: 30 + # Specifies whether RBAC resources should be created 31 + create: true 32 + # Note: PodSecurityPolicy will not be created when Kubernetes version is 1.25 or later. 33 + pspEnabled: false 34 + 35 + apiService: 36 + # Specifies if the v1beta1.metrics.k8s.io API service should be created. 37 + # 38 + # You typically want this enabled! If you disable API service creation you have to 39 + # manage it outside of this chart for e.g horizontal pod autoscaling to 40 + # work with this release. 41 + create: true 42 + # Annotations to add to the API service 43 + annotations: {} 44 + # Specifies whether to skip TLS verification 45 + insecureSkipTLSVerify: true 46 + # The PEM encoded CA bundle for TLS verification 47 + caBundle: "" 48 + 49 + commonLabels: {} 50 + podLabels: {} 51 + podAnnotations: {} 52 + 53 + podSecurityContext: {} 54 + 55 + securityContext: 56 + allowPrivilegeEscalation: false 57 + readOnlyRootFilesystem: true 58 + runAsNonRoot: true 59 + runAsUser: 1000 60 + seccompProfile: 61 + type: RuntimeDefault 62 + capabilities: 63 + drop: 64 + - ALL 65 + 66 + priorityClassName: system-cluster-critical 67 + 68 + containerPort: 10250 69 + 70 + hostNetwork: 71 + # Specifies if metrics-server should be started in hostNetwork mode. 72 + # 73 + # You would require this enabled if you use alternate overlay networking for pods and 74 + # API server unable to communicate with metrics-server. As an example, this is required 75 + # if you use Weave network on EKS 76 + enabled: false 77 + 78 + replicas: 1 79 + 80 + revisionHistoryLimit: 81 + 82 + updateStrategy: {} 83 + # type: RollingUpdate 84 + # rollingUpdate: 85 + # maxSurge: 0 86 + # maxUnavailable: 1 87 + 88 + podDisruptionBudget: 89 + # https://kubernetes.io/docs/tasks/run-application/configure-pdb/ 90 + enabled: false 91 + minAvailable: 92 + maxUnavailable: 93 + unhealthyPodEvictionPolicy: 94 + 95 + defaultArgs: 96 + - --cert-dir=/tmp 97 + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 98 + - --kubelet-use-node-status-port 99 + - --metric-resolution=15s 100 + 101 + args: [] 102 + 103 + livenessProbe: 104 + httpGet: 105 + path: /livez 106 + port: https 107 + scheme: HTTPS 108 + initialDelaySeconds: 0 109 + periodSeconds: 10 110 + failureThreshold: 3 111 + 112 + readinessProbe: 113 + httpGet: 114 + path: /readyz 115 + port: https 116 + scheme: HTTPS 117 + initialDelaySeconds: 20 118 + periodSeconds: 10 119 + failureThreshold: 3 120 + 121 + service: 122 + type: ClusterIP 123 + port: 443 124 + annotations: {} 125 + labels: {} 126 + # Add these labels to have metrics-server show up in `kubectl cluster-info` 127 + # kubernetes.io/cluster-service: "true" 128 + # kubernetes.io/name: "Metrics-server" 129 + 130 + addonResizer: 131 + enabled: false 132 + image: 133 + repository: registry.k8s.io/autoscaling/addon-resizer 134 + tag: 1.8.23 135 + securityContext: 136 + allowPrivilegeEscalation: false 137 + readOnlyRootFilesystem: true 138 + runAsNonRoot: true 139 + runAsUser: 1000 140 + seccompProfile: 141 + type: RuntimeDefault 142 + capabilities: 143 + drop: 144 + - ALL 145 + resources: 146 + requests: 147 + cpu: 40m 148 + memory: 25Mi 149 + limits: 150 + cpu: 40m 151 + memory: 25Mi 152 + nanny: 153 + cpu: 0m 154 + extraCpu: 1m 155 + memory: 0Mi 156 + extraMemory: 2Mi 157 + minClusterSize: 100 158 + pollPeriod: 300000 159 + threshold: 5 160 + 161 + metrics: 162 + enabled: false 163 + 164 + serviceMonitor: 165 + enabled: false 166 + additionalLabels: {} 167 + interval: 1m 168 + scrapeTimeout: 10s 169 + metricRelabelings: [] 170 + relabelings: [] 171 + 172 + # See https://github.com/kubernetes-sigs/metrics-server#scaling 173 + resources: 174 + requests: 175 + cpu: 100m 176 + memory: 200Mi 177 + # limits: 178 + # cpu: 179 + # memory: 180 + 181 + extraVolumeMounts: [] 182 + 183 + extraVolumes: [] 184 + 185 + nodeSelector: {} 186 + 187 + tolerations: [] 188 + 189 + affinity: {} 190 + 191 + topologySpreadConstraints: [] 192 + 193 + dnsConfig: {} 194 + 195 + # Annotations to add to the deployment 196 + deploymentAnnotations: {} 197 + 198 + schedulerName: "" 199 + 200 + tmpVolume: 201 + emptyDir: {} 202 + 203 + tls: 204 + # Set the TLS method to use. Supported values: 205 + # - `metrics-server` : Metrics-server will generate a self-signed certificate 206 + # - `helm` : Helm will generate a self-signed certificate 207 + # - `cert-manager` : Use cert-manager.io to create and maintain the certificate 208 + # - `existingSecret` : Reuse an existing secret. No new secret will be created 209 + type: "metrics-server" 210 + # Kubernetes cluster domain. Used to configure Subject Alt Names for the certificate 211 + clusterDomain: cluster.local 212 + 213 + certManager: 214 + # Automatically add the cert-manager.io/inject-ca-from annotation to the APIService resource. 215 + # See https://cert-manager.io/docs/concepts/ca-injector 216 + addInjectorAnnotations: true 217 + existingIssuer: 218 + # Use an existing cert-manager issuer 219 + enabled: false 220 + # Kind of the existing cert-manager issuer 221 + kind: "Issuer" 222 + # Name of the existing cert-manager issuer 223 + name: "my-issuer" 224 + # Set the requested duration (i.e. lifetime) of the Certificate. 225 + # See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec 226 + duration: "" 227 + # How long before the currently issued certificate’s expiry cert-manager should renew the certificate. 228 + # See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec 229 + renewBefore: "" 230 + # Add extra annotations to the Certificate resource 231 + annotations: {} 232 + # Add extra labels to the Certificate resource 233 + labels: {} 234 + 235 + helm: 236 + # Use helm lookup function to reuse Secret created in previous helm install 237 + lookup: true 238 + # Cert validity duration in days 239 + certDurationDays: 365 240 + 241 + existingSecret: 242 + # Name of the existing Secret to use for TLS 243 + name: "" 244 + # Use helm lookup function to provision `apiService.caBundle` 245 + lookup: true
+4
helm/system-setup/values.yaml
··· 2 enabled: true 3 fluvio: 4 enabled: true
··· 2 enabled: true 3 fluvio: 4 enabled: true 5 + 6 + metrics-server: 7 + args: 8 + - --kubelet-insecure-tls