honestica / lifen-charts Goto Github PK

Currently there is no option in the helm chart to add label to the deployment (or rather to the pods of the deployment), and it is needed in some cases.

I suggest to add the following:
values.yaml:
.
.
.

podLabels:
  some-label-name-1: some-label-value-1
  some-label-name-2: some-label-value-2

deployment.yaml:

spec:
.
.
.
  template:
    metadata:
      labels:
        app: {{ template "squid.name" . }}
        release: {{ .Release.Name }}
        **{{- if .Values.podLabels }}
          {{ toYaml .Values.podLabels | indent 8 }}
        {{- end }}**

Hello,

Using chart version 12.1. I am attempting to deploy the AWX chart. I am using rancher's app catalog (though I do not think that is an issue).

The deployment for awx-web applies labels

  app.kubernetes.io/instance: awx
  app.kubernetes.io/name: awx

# kubectl get po --show-labels | grep web
awx-web-75769fb64-vr97f    1/1     Running   1          2m32s   app.kubernetes.io/instance=awx,app.kubernetes.io/name=awx,pod-template-hash=75769fb64

But the service awx has selector includes:

app.kubernetes.io/component: web
app.kubernetes.io/instance: awx
app.kubernetes.io/name: awx

With the difference of the component:web. As a result the endpoint doesn't get an IP:

# kubectl get endpoints awx
NAME   ENDPOINTS   AGE
awx    <none>      3m13s

If I add app.kubernetes.io/component: web to the deployment spec I get an endpoint IP so I believe this needs to be updated in the deployment template, but I may also be completely off base.

Thanks

Usefull when combining your release with tools like reloader, we missed annotations placeholder for the squid Deployment

The labels block is not correctly indented, should be:

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "squid.fullname" . }}-conf
  labels:
    app: {{ template "squid.name" . }}
    chart: {{ template "squid.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  squid.conf: |
{{ .Values.config | indent 4 }}

PodSecurityPolicy will be removed in Kubernetes 1.25.

I just installed this chart and found that netpol applied is blocking all communication in the cluster. This includes kube-iptables-tailer communications to DNS and Kubernetes API.

According to the blog https://monzo.com/blog/we-built-network-isolation-for-1-500-services the logging network policy may be defined like this https://images.ctfassets.net/ro61k101ee59/58MFyU3MhVfHkyzhtHFBUG/674d381610a1f69a47b397659e956391/Screenshot_2019-11-04_at_14.09.57.png?w=656&q=90

We should add action: Allow and order: xxxx, greater than the default value for native netpols(networking.k8s.io/v1) to not block any traffic by this rule. I personally would like to remove TCP/UDP specification either, because I think this should be define with native k8s netpols.

Would you accept PR which resolves this?

After installing the chart with the configuration of ingress.hosts, I got 404 and the following error message when accessing the http://www.bing.com with the proxy：

{
    "message": "no Route matched with those values"
}

I guess the Ingress withnin the chart only support getting homepage of the squid.

Am I right?
Thanks in advance!

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update docker.io/honestica/squid docker tag to v4.71
• chore(deps): update helm release redis to v17.17.1
• chore(deps): update helm release redis to v20
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

This is less of an "issue" than a request for thoughts/advice:

My company is adopting Looker and must self-host it. We'd ideally like to do it on Kubernetes if possible. We've started playing with https://github.com/honestica/lifen-charts/tree/master/looker and https://github.com/honestica/docker-looker.

But it is not clear to me whether Kuberbetes is viable for Looker especially in production. I am curious to hear how far the authors of this chart (e.g. @mtparet ) and other users have taken Looker on Kubernetes? Do any do it in production? Or is the chart just used for development purposes?

One thing I specifically noticed seems missing from the Helm chart was any support for clustering which appears to require a shared filesystem per https://docs.looker.com/setup-and-management/tutorials/clustering#required_components. Is this something you’ve thought about adding? We use AWS/EKS, and I was thinking of taking a stab at it using https://github.com/kubernetes-sigs/aws-efs-csi-driver. Any thoughts or recommendations?

The last PR appears to have an error with tag:
web: ansible/awx_web:10-71
Is this correct? if not can you please provide the correct tag.

awx overview

→ kubectl get all -n awx -o wide
NAME                            READY   STATUS    RESTARTS   AGE     IP          NODE      NOMINATED NODE   READINESS GATES
pod/awx-memcached-0             1/1     Running   0          8m10s   10.47.0.1   eye0210   <none>           <none>
pod/awx-memcached-1             1/1     Running   0          8m2s    10.39.0.2   eye0301   <none>           <none>
pod/awx-memcached-2             1/1     Running   0          7m53s   10.37.0.4   eye0309   <none>           <none>
pod/awx-postgresql-0            1/1     Running   0          8m10s   10.37.0.3   eye0309   <none>           <none>
pod/awx-rabbitmq-0              1/1     Running   0          8m10s   10.39.0.3   eye0301   <none>           <none>
pod/awx-task-5f697fccb6-j8qpm   1/1     Running   0          8m10s   10.47.0.2   eye0210   <none>           <none>
pod/awx-task-5f697fccb6-zpsq2   1/1     Running   0          8m10s   10.47.0.3   eye0210   <none>           <none>
pod/awx-web-7666f56494-j2j6x    0/1     Running   2          71s     10.39.0.4   eye0301   <none>           <none>

awx-web events

Events:
  Type     Reason     Age                 From               Message
  ----     ------     ----                ----               -------
  Normal   Scheduled  2m                  default-scheduler  Successfully assigned awx/awx-web-7666f56494-j2j6x to eye0301
  Normal   Killing    60s (x2 over 90s)   kubelet, eye0301   Container web failed liveness probe, will be restarted
  Normal   Pulled     59s (x3 over 119s)  kubelet, eye0301   Container image "ansible/awx_web:10.0.0" already present on machine
  Normal   Created    59s (x3 over 119s)  kubelet, eye0301   Created container web
  Normal   Started    59s (x3 over 119s)  kubelet, eye0301   Started container web
  Warning  Unhealthy  55s (x7 over 115s)  kubelet, eye0301   Readiness probe failed: Get http://10.39.0.4:8052/: dial tcp 10.39.0.4:8052: connect: connection refused
  Warning  Unhealthy  50s (x7 over 110s)  kubelet, eye0301   Liveness probe failed: Get http://10.39.0.4:8052/: dial tcp 10.39.0.4:8052: connect: connection refused

Other comments

I tried to curl to pod's 8052 port does not work.

I installed kube-iptables-tailer via its chart and synced on argocd but sync failed with the message
server cannot find the resource projectcalico.org/v3/GlobalNetworkPolicy

we have calico 3.22 - installed by tigera-operator - and can only see CRDs with v1 - so how come docs say v3 ?

Hey everyone, I am getting this error: chown: changing ownership of '/var/cache/squid': Operation not permitted when running helm chart in my AKS. I have another team that changed their init container create-cache-dir args to:

      args:
            - |
              set -e
              squid -z 2>&1

vs what is currently being set:

        args:
            - |
              set -e
              chown -R squid.squid /var/cache/squid
              chmod 770 /var/cache/squid
              squid -z --foreground 2>&1
``

Would it be possible to either update this helm chart to have these args, provide a solution for why my stuff is failing, or allow the args to be a templated input where I can pass my own args?

Hiya there,

Thanks for the greate chart collection.

While testing kube-iptables-tailer chart with calico I noticed that GlobalNetworkPolicy with a second action of "allow" for all protocols completely overrides already existing K8S network policies thus making Calico accept all the traffic. This seems to contradict the idea of the service as it is intended to generate events on iptables drop actions. Is it an intended behaviour?

Hey @mtparet

thanks so much for the helm chart on kube-iptables-tailer. I found it through box's issue where you left a comment with your chart. I wanted to clear some questions if you don't mind? Stuff I couldn't figure out when trying to deploy it.

in the values.yaml file you have

calico.loggingEnable
calico.apiVersion

I'm using calico as a CNI plugin but not calico network policies. Does this do anything if I set this to false, as I'm using networking.k8s.io/v1 api?

secondly on setting up iptables log prefix in the readme of the official kube-iptables-tailer of Box it's written:

"kube-iptables-tailer uses log-prefix defined in your iptables chains to parse the corresponding packet dropped logs. You can set up the log-prefix by executing the following command:"

$ iptables -A CHAIN_NAME -j LOG --log-prefix "EXAMPLE_LOG_PREFIX: "

Do I still have to set it? I'd guess yes. I'm checking my Kubernetes worker node with iptables -L -n | less and there's about 50+ chains in there. How do I know which chain I have to set this log-prefix? I'd like to see all packet drops of any pod in a namespace as the example shows.

Sorry if these are rather stupid questions or please let me know if I should directly engage with box for this.

Thank you,
Carlos