Commit

Fix security context issue for Metal3 in upstream Sylva (#68)
* Move 0.2.0 to 0.2.1

* Use non-root security context for ironic, bmo and mariadb

* make charts
ipetrov117 authored Dec 19, 2023
1 parent 1ecfaaf commit deaac1e
Showing 82 changed files with 4,947 additions and 0 deletions.
Binary file added assets/metal3/metal3-0.2.1.tgz
Binary file not shown.
23 changes: 23 additions & 0 deletions charts/metal3/0.2.1/.helmignore
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
25 changes: 25 additions & 0 deletions charts/metal3/0.2.1/Chart.yaml
@@ -0,0 +1,25 @@
apiVersion: v2
appVersion: 1.16.0
dependencies:
- alias: metal3-baremetal-operator
name: baremetal-operator
repository: file://./charts/baremetal-operator
version: 0.2.1
- alias: metal3-ironic
name: ironic
repository: file://./charts/ironic
version: 0.2.1
- alias: metal3-mariadb
name: mariadb
repository: file://./charts/mariadb
version: 0.2.1
- alias: metal3-media
condition: global.enable_metal3_media_server
name: media
repository: file://./charts/media
version: 0.2.0
description: A Helm chart that installs all of the dependencies needed for Metal3
icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
name: metal3
type: application
version: 0.2.1
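Review bot: the `metal3-media` entry at the end of `dependencies` is still pinned to `version: 0.2.0` while the parent chart and the other three subcharts move to 0.2.1. The commit message names only ironic, bmo and mariadb for the non-root security context, so if media is intentionally left as it was, state that in the commit message; otherwise the media server pod keeps whatever security context 0.2.0 shipped with and should be reviewed for the same change.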
101 changes: 101 additions & 0 deletions charts/metal3/0.2.1/README.md
@@ -0,0 +1,101 @@
# Prerequisites
There are two dependencies that are not managed through the metal3 chart because are related to applications that have a cluster-wide scope: `cert-manager` and a LoadBalancer Service provider such as `metallb` or `kube-vip`.

## Cert Manager
In order to successfully deploy metal3 the cluster must have already installed the `cert-manager`.

You can install it through `helm` with:
```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.11.1 \
--set installCRDs=true
```
, or via `kubectl` with:
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.yaml
```

## MetalLB (Optional)
Ironic currently requires a staticIP address and MetalLB is one option to achieve that.

1. If K3s is used as Kubernetes distribution, then it should be started with `--disable=servicelb` flag. Ref https://metallb.universe.tf/configuration/k3s/
2. Find 1 free IP address in the network.
3. Install `MetalLB` through `helm` with:

```bash
helm repo add suse-edge https://suse-edge.github.io/charts
helm install \
metallb suse-edge/metallb \
--namespace metallb-system \
--create-namespace
```

4. Provide the IP pool configuration with:

```bash
export STATIC_IRONIC_IP=<STATIC_IRONIC_IP>

cat <<-EOF | kubectl apply -f -
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: ironic-ip-pool
namespace: metallb-system
spec:
addresses:
- ${STATIC_IRONIC_IP}/32
serviceAllocation:
priority: 100
serviceSelectors:
- matchExpressions:
- {key: app.kubernetes.io/name, operator: In, values: [metal3-ironic]}
EOF

cat <<-EOF | kubectl apply -f -
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: ironic-ip-pool-l2-adv
namespace: metallb-system
spec:
ipAddressPools:
- ironic-ip-pool
EOF
```

5. Create new values.yaml file that will override some of the default properties:

```bash
TMP_DIR=$(mktemp -d)
cat > ${TMP_DIR}/values.yaml << EOF
global:
ironicIP: "<STATIC_IRONIC_IP>"
EOF
```

# Install

```bash
helm install \
metal3 suse-edge/metal3 \
--namespace metal3-system \
--create-namespace
-f ${TMP_DIR}/values.yaml
```

# How to upgrade the chart
1. Run `helm dependency update .` in this chart to download/update the dependent charts.

2. Identify the appropriate subchart values settings and create an appropriate override values YAML file.
* Ensure that the relevant ironic and baremetal-operator settings match.

3. Install the chart using a command like the following:

```console
$ helm upgrade heavy-metal . --namespace metal-cubed --create-namespace --install --values ~/overrides.yaml
```
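Review bot: in the `# Install` block the `--create-namespace` line has no trailing backslash, so the shell ends `helm install` there and tries to run `-f ${TMP_DIR}/values.yaml` as a separate command; the chart then installs without the `global.ironicIP` override. Add ` \` after `--create-namespace`. In step 5 the heredoc writes the literal `<STATIC_IRONIC_IP>` placeholder even though step 4 already exports `STATIC_IRONIC_IP`; using `${STATIC_IRONIC_IP}` there would remove a second manual substitution. The README also says nothing about the non-root security context this release introduces, and a short note on which subcharts now run as non-root would help anyone upgrading from 0.2.0. Finally, the upgrade example uses release `heavy-metal` in namespace `metal-cubed`, while the install section uses `metal3` in `metal3-system`; aligning the two would avoid creating a second release by accident.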
1 change: 1 addition & 0 deletions charts/metal3/0.2.1/app-readme.md
@@ -0,0 +1 @@
The metal3 chart is a parent chart that installs all of the other charts that a metal3 deployment needs, but doesn't actually deploy any services itself.
23 changes: 23 additions & 0 deletions charts/metal3/0.2.1/charts/baremetal-operator/.helmignore
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
6 changes: 6 additions & 0 deletions charts/metal3/0.2.1/charts/baremetal-operator/Chart.yaml
@@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 1.16.0
description: A Helm chart for baremetal-operator, used by Metal3
name: baremetal-operator
type: application
version: 0.2.1
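Review bot: `appVersion: 1.16.0` here is the same value the parent `Chart.yaml` carries and is the default that `helm create` scaffolds, so it does not appear to describe the baremetal-operator release being deployed. Set it to the operator version the chart actually ships, so that `helm list` output can be used to tell which operator build, and therefore which security fixes, a cluster is running.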