ckotzbauer / helm-charts
Helm Charts
License: MIT License
I did the following:
kind create cluster
helm install monitoring prometheus-community/kube-prometheus-stack
helm install cadvisor ckotzbauer/cadvisor --set metrics.enabled=true
# 4. Wait for all pods to be running and healthy
# 5. Port forward prometheus-pod to localhost
# 6. Go to http://localhost:9090/targets?search=
but I didn't see any targets for cadvisor. Did I do something in the wrong order?
I ran into an issue with vulnerability-operator and sbom-operator deployments where I needed to add a CA for our privately hosted git repository. The helm deployment source code allowed extraVolumes, but not extraVolumeMounts. I modified the deployment yaml to take extraVolumeMounts from a my-values.yaml values file, and I added my CA through this method. It works and I have the solution in my local repository. I will fork this repo on GitHub and post a solution shortly.
The original helm chart will be going soon, so I'm hoping to use this as a base for the nfs-client helm chart.
Could you maybe ask them to take over that chart for the nfs-client anyways?
Can you update your chart to include the accessmode that they have included in their chart?
https://github.com/helm/charts/tree/master/stable/nfs-client-provisioner
helm/charts@a4a35c3#diff-ec531825a9cf4a43add171082b59e73dff020a2e22bc911fb2b8f66005370226
When I first tried helm deploy vulnerability operator, it failed at the stage where it tried to create the /reports directory and save the report.json. There is no volume for the /reports directory created in the helm deployment yaml. The out-of-the-box deployment gives an error that says that the root directory is read-only, which is expected since the default config is set as:
securityContext:
  capabilities:
    drop:
      - ALL
  allowPrivilegeEscalation: false
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault
Setting readOnlyRootFilesystem to false was not enough, because then a permissions error occurred during the creation of the /reports directory. The configuration required to make it work was:
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0
Obviously this is not ideal. The solution I came up with utilized the same solution as #174. This is also not ideal because the user should be able to set the reports-dir argument and just expect it to work. I am currently working on an alternative solution which will add the /reports volume and volumeMount in the deployment yaml code, and it will attempt to read from the user's custom-values.yaml file (or whatever it's called) for the name of the volume mount, and otherwise use the default value of /reports.
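A way to give the container a writable /reports without relaxing the hardened defaults, shown as an added example rather than the chart's own template: mount an emptyDir at /reports and leave the root filesystem read-only and the user non-root. The volume name `reports`, the `emptyDir` volume type and the `fsGroup` value are assumptions; the container securityContext is the default quoted in the issue above.

```yaml
# Pod template fragment for the vulnerability-operator Deployment (illustrative,
# not taken from the chart). Only /reports becomes writable.
spec:
  template:
    spec:
      securityContext:
        fsGroup: 1000              # assumption: volume is group-owned by the non-root user's GID
      containers:
        - name: vulnerability-operator
          securityContext:         # unchanged defaults from the issue
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: reports        # hypothetical volume name
              mountPath: /reports
      volumes:
        - name: reports
          emptyDir: {}             # swap for a PersistentVolumeClaim if reports must outlive the pod
```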
Steps to reproduce:
helm repo add ckotzbauer https://ckotzbauer.github.io/helm-charts && \
helm repo update && \
helm upgrade --install cadvisor ckotzbauer/cadvisor \
--namespace monitoring \
--create-namespace \
--set metrics.enabled=true \
--version v2.2.4
I get the same error with 2.2.3/2.2.2
Daemonset is deployed with the error on all worker nodes:
Error: container create failed: time="2023-04-15T14:58:20+10:00" level=error msg="runc create failed: unable to start container process: error during container init: error mounting \"/run/containers/storage/overlay-containers/5e99476e2d47dc1d78f6c6de64793a6b7d0651780a21ce8802b20827da85b40c/userdata/run/secrets\" to rootfs at \"/run/secrets\": mkdir /var/lib/containers/storage/overlay/15210da1c05500b6f951ba387c617dcf88d74133bf9bb1d6abe93ffe2f2d54f3/merged/run/secrets: read-only file system"
I think I'm missing something in the set up. CRIO is read_only = false in the config.
Hi!
Thanks for the project.
I've tried installing cadvisor and found an issue with OOM metrics not being available due to a permission issue:
❯ kl cadvisor-ktblb
W0910 14:59:26.756250 1 machine_libipmctl.go:62] There are no NVM devices!
W0910 14:59:26.805682 1 manager.go:289] Could not configure a source for OOM detection, disabling OOM events: open /dev/kmsg: operation not permitted
It can be fixed by adding the following settings to the daemonset:
securityContext:
  privileged: true
Do you have plans to add this to the chart? Or is there another option to enable OOM detection?
v0.44.1 is renamed to v0.44.1-test (link). Current chart will be stuck forever with ErrImagePull. Use latest tag perhaps?
I recently modified the housekeeping interval in the values.yaml to increase the scraping rate with the following additional args. But it seems the housekeeping interval is still using the default, 10s and 15s. Does this mean these two args are not working (given this issue), or did I just not configure it correctly?
additionalArgs:
- --allow_dynamic_housekeeping=false
- --housekeeping_interval=2s
- --max_housekeeping_interval=2s
- --event_storage_event_limit=default=0
- --event_storage_age_limit=default=0
- --disable_metrics=percpu,process,sched,tcp,udp # enable only diskIO, cpu, memory, network, disk
- --docker_only
When providing additional environment variables via the envVars section, the indentation of the template is broken.
values.yaml
envVars:
  - name: TEST_VAR
    value: TEST
Command:
helm template ./charts/sbom-operator --dry-run --debug --generate-name -f values.yaml
Error: YAML parse error on sbom-operator/templates/deployment.yaml: error converting YAML to JSON: yaml: line 33: did not find expected key
template.yaml
# Source: sbom-operator/templates/deployment.yaml
# Document has been shortened for clarity!
apiVersion: apps/v1
kind: Deployment
metadata:
name: sbom-operator
# Document shrinked for better understandability
spec:
spec:
containers:
- name: sbom-operator
image: "ghcr.io/ckotzbauer/sbom-operator:0.13.0"
imagePullPolicy: IfNotPresent
args:
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# ---> Indentation of 10 expected but 12 is rendered
- name: TEST_VAR
value: TEST
$ curl -IL https://ckotzbauer.github.io/helm-charts
HTTP/2 301
server: GitHub.com
content-type: text/html
permissions-policy: interest-cohort=()
location: https://www.ckotzbauer.de/helm-charts
x-github-request-id: 8E54:2DB5:8AAC3C:A2DD14:62226A36
accept-ranges: bytes
date: Fri, 04 Mar 2022 19:38:25 GMT
via: 1.1 varnish
age: 123
x-served-by: cache-bfi-krnt7300106-BFI
x-cache: HIT
x-cache-hits: 1
x-timer: S1646422705.136698,VS0,VE1
vary: Accept-Encoding
x-fastly-request-id: 71177e2d015b1237b47b33a74745639cf707bdc1
content-length: 162
HTTP/2 301
server: GitHub.com
content-type: text/html
location: https://www.ckotzbauer.de/helm-charts/
x-github-request-id: CCC4:4853:19AD1C:20F2D8:62226A39
accept-ranges: bytes
date: Fri, 04 Mar 2022 19:38:25 GMT
via: 1.1 varnish
age: 120
x-served-by: cache-bfi-krnt7300053-BFI
x-cache: HIT
x-cache-hits: 1
x-timer: S1646422705.198529,VS0,VE0
vary: Accept-Encoding
x-fastly-request-id: 192b999fdfce3dc839b84a49abb17072ce791eda
content-length: 162
HTTP/2 404
server: GitHub.com
content-type: text/html; charset=utf-8
access-control-allow-origin: *
etag: "61ba6cb3-247b"
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'
x-proxy-cache: MISS
x-github-request-id: 487A:82BE:569B28:64541F:62226A39
accept-ranges: bytes
date: Fri, 04 Mar 2022 19:38:25 GMT
via: 1.1 varnish
age: 120
x-served-by: cache-bfi-krnt7300053-BFI
x-cache: HIT
x-cache-hits: 1
x-timer: S1646422705.217036,VS0,VE1
vary: Accept-Encoding
x-fastly-request-id: 2f92153c24a7a522e0e59825258e1519c438915e
content-length: 9339
Hi there! I noticed that metrics like container_spec_cpu_quota and container_spec_cpu_period are not provided when installing this helm-chart.
When searching for the issue online I found this: google/cadvisor#3154. Maybe it is related? OP said that cadvisor doesn't construct the listed metrics if cpu soft quota is enabled, but I don't know cadvisor well enough to see whether this is the cause for the issue when using this helm-chart or how I could alter the current behavior. Any idea on your part?
Please add the possibility to add securityContext from values both on pod and container level, and remove the hardcoded seccomp annotation. This way we can set more than just privileged true/false, which are required by podSecurityAdmission (PSA).
Hi,
I would like to publish the metrics on the node port.
But there doesn't seem to be a setting for that in the values.yaml.
With kind regards,
Gerben Immeker.
Deprecate the chart here at the end of Q2 in favor of the official chart if prometheus-msteams/helm-chart#1 is merged
Given a chart deployment
When I set custom labels for the pods using `Values.podLabels`
Then the pods should contain the labels in `metadata.labels`
Example: bitnami/nginx
https://github.com/bitnami/charts/blob/main/bitnami/nginx/templates/deployment.yaml#LL25C28-L25C30
https://github.com/bitnami/charts/blob/main/bitnami/nginx/values.yaml#L128
Hi,
the k8s clusterRole assigned to the sbom-operator service account includes permissions to create, get, delete, list configMaps at the cluster scope. I know that this is needed in case the operator stores the SBOMs as configMaps (target: configmap).
The above mentioned permissions are included in the c-role regardless of whether the target includes configmap or not. If the sbom-operator is configured to just push SBOMs to Git or Dependencytrack, the service does not need those permissions.
My idea is to wrap something like {{- if contains "configmap" .Values.args.targets }} around the configmap permissions in the template, so that they are only included when really needed.
Just wanted to confirm that my idea is valid and I did not miss anything. If you think that it makes sense, let me know and I can provide a PR!
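The conditional proposed in the issue above, written out as an added example (not the chart's actual ClusterRole template). The role name and the unconditional `pods` rule are placeholders, and `.Values.args.targets` is assumed to be a comma-separated string.

```yaml
# templates/clusterrole.yaml (illustrative fragment)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-sbom-operator    # placeholder naming
rules:
  # Placeholder for the rules the operator needs with every target.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # ConfigMap access is granted only when the configmap target is selected.
  # `default ""` keeps rendering from failing when targets is unset.
  # `contains` is a substring match, so any target name that includes
  # "configmap" would also enable this rule.
  {{- if contains "configmap" (default "" .Values.args.targets) }}
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "delete", "list"]
  {{- end }}
```

Rendering the chart once with and once without `configmap` in the targets and comparing the ClusterRole output confirms that the rule is dropped when it is not needed.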
Most of the templates in the chart are missing the following key: namespace: {{ .Release.Namespace}}.