enix / helm-charts

A collection of Helm packages brought to you by Enix Monkeys :monkey_face:

Home Page: https://charts.enix.io

License: Apache License 2.0


helm-charts's Introduction

The Enix Package collection for Kubernetes

A collection of Helm packages brought to you by Enix Monkeys 🐵.

TL;DR

$ helm repo add enix https://charts.enix.io/
$ helm search repo enix
$ helm install my-release enix/<chart>

Charts collection

The following helm charts are maintained:

Please refer to each individual documentation!

License

Copyright (c) 2022, 2023 ENIX

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

helm-charts's People

Contributors

abuisine, arcln, devthejo, donch, kkonovodoff, monkeynator, naps, npdgm, oceyral, paullaffitte, rdegez, rustymunkey, tassatux, tiagoalves83, vi7, zempashi


helm-charts's Issues

I am unable to find the prometheus rules

Hi,

I have installed the helm with:

helm repo add enix https://charts.enix.io
helm repo update

NAMESPACE="x509-certificate-exporter"

helm upgrade x509-certificate-exporter enix/x509-certificate-exporter -f monitor-host-values.yaml \
    --install \
    --create-namespace \
    --namespace ${NAMESPACE}

The monitor-host-values.yaml contains:

hostPathsExporter:
  daemonSets:
    cp:
      nodeSelector:
        node-role.kubernetes.io/master: ""
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      watchFiles:
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /etc/kubernetes/pki/apiserver.crt
      - /etc/kubernetes/pki/apiserver-etcd-client.crt
      - /etc/kubernetes/pki/apiserver-kubelet-client.crt
      - /etc/kubernetes/pki/ca.crt
      - /etc/kubernetes/pki/front-proxy-ca.crt
      - /etc/kubernetes/pki/front-proxy-client.crt
      - /etc/kubernetes/pki/etcd/ca.crt
      - /etc/kubernetes/pki/etcd/healthcheck-client.crt
      - /etc/kubernetes/pki/etcd/peer.crt
      - /etc/kubernetes/pki/etcd/server.crt
      watchKubeconfFiles:
      - /etc/kubernetes/admin.conf
      - /etc/kubernetes/controller-manager.conf
      - /etc/kubernetes/scheduler.conf
    nodes:
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/ingress
        operator: Exists
      watchFiles:
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /etc/kubernetes/pki/ca.crt

But I am unable to find the Prometheus rules. There is nothing in Prometheus (rules or alerts) with x509. I am running Kube-Prometheus-Stack 20.0.1 (Helm) with K8s 1.22.2.

Can you help me out with this? Thanks!

Charts are not scoped

What I mean by this:

the values.yaml files in the charts are not something like:

---
x509-exporter:
  imagePullSecrets: []
  image:
    repository: enix/x509-exporter
  [...]

and

---
netbox:
  kind: StatefulSet
  statefulSet:

but they just simply contain the key:values without any scope.

Why is this a problem? For example we maintain a common values.yaml structure for all our Helm charts, so that the prometheus rules and the cert-manager configuration is in one common file; one can then use this single file with Helm and not dozens of values.yaml files for all the Helm charts.

Not limiting the chart's values to a scope means that it's not possible to have more than one chart's key:value pairs in one values.yaml file. We can't use something like repository: enix/x509-exporter in this common values.yaml file since it would affect all similarly non-scoped charts' repository key.

I hope I was able to describe the problem. I'd argue it's very common to use a scope for a chart, actually I know only one single chart which has the same issue (velero from vmware-tanzu) and every other chart I've ever seen has this main scope.

It'd be nice to adjust the charts like this if you're open for it.

Making use of the netbox initializers

I'd like to use the chart to deploy Netbox with some new custom fields using the initializers. Would you have an example the most efficient way to do this?

initializers -- Netbox initializer file content (mounted in /opt/netbox/initializers/)

initializers: {}

[kube-router] bgpGracefulRestart does not work as expected

It seems that there is a bug in the DaemonSet template:

        {{- if .bgpGracefulRestartDeferralTime }}
        - "--bgp-graceful-restart-deferral-time={{ .bgpGracefulRestartDeferralTime }}"
        {{- end }}
        {{- if .bgpGracefulRestartDeferralTime }}
        - "--bgp-graceful-restart={{ .bgpGracefulRestart }}"
        {{- end }}

The bgpGracefulRestart is not used.
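
The mismatch reported in this issue can be caught mechanically. The following is an added example, not code from the issue or from the chart: a small check that flags any if-block whose body never uses the value its guard tests. The function name guard_mismatches and the corrected snippet are hypothetical, and nested blocks are not handled.

```python
import re

# Matches one guarded block: {{- if .name }} body {{- end }} (nesting not handled).
BLOCK = re.compile(
    r"\{\{-?\s*if\s+\.(?P<guard>\w+)\s*-?\}\}(?P<body>.*?)\{\{-?\s*end\s*-?\}\}",
    re.DOTALL,
)
# Any {{ .name }} value reference inside a block body.
REF = re.compile(r"\{\{-?\s*\.(?P<name>\w+)\s*-?\}\}")


def guard_mismatches(template):
    """Return (guard, refs) pairs for blocks that never use the value they test."""
    findings = []
    for block in BLOCK.finditer(template):
        guard = block.group("guard")
        refs = [m.group("name") for m in REF.finditer(block.group("body"))]
        # Compare whole identifiers: .bgpGracefulRestart is a prefix of
        # .bgpGracefulRestartDeferralTime, so a substring test would miss the bug.
        if refs and guard not in refs:
            findings.append((guard, refs))
    return findings


# The snippet quoted in the issue, reproduced as sample input.
ISSUE_SNIPPET = '''
        {{- if .bgpGracefulRestartDeferralTime }}
        - "--bgp-graceful-restart-deferral-time={{ .bgpGracefulRestartDeferralTime }}"
        {{- end }}
        {{- if .bgpGracefulRestartDeferralTime }}
        - "--bgp-graceful-restart={{ .bgpGracefulRestart }}"
        {{- end }}
'''

# Hypothetical corrected form: the second guard tests the value it emits.
FIXED_SNIPPET = ISSUE_SNIPPET.replace(
    '{{- if .bgpGracefulRestartDeferralTime }}\n        - "--bgp-graceful-restart=',
    '{{- if .bgpGracefulRestart }}\n        - "--bgp-graceful-restart=',
)

if __name__ == "__main__":
    for guard, refs in guard_mismatches(ISSUE_SNIPPET):
        print(f"guard .{guard} wraps a line that only uses {refs}")
```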

[netbox] How to upgrade netbox chart ?

How to upgrade netbox chart ?

I tried:

helm repo update
helm upgrade netbox-enix enix/netbox

got the following error:

$ helm upgrade netbox-enix enix/netbox
Error: UPGRADE FAILED: cannot patch "netbox-enix-postgresql" with kind StatefulSet: StatefulSet.apps "netbox-enix-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden. && cannot patch "netbox-enix" with kind StatefulSet: StatefulSet.apps "netbox-enix" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden. 

x509-exporter exclude-list from watch-folder

On k8s cluster upgrade, when kubeadm rotates certificates, it keeps expired ones in /etc/kubernetes/pki/expired.

So the x509-exporter, having /etc/kubernetes/pki configured as watch-folder, will keep raising alarms on expired certificates in /etc/kubernetes/pki/expired.

Maybe we can add some way to exclude or ignore certain folders in the configured watchfolder.

extensions/v1beta1 deprecated

Replacing extensions/v1beta1 with networking.k8s.io/v1
`
diff -r netbox/templates/ingress.yaml netbox.orig/templates/ingress.yaml
4c4
< apiVersion: networking.k8s.io/v1

apiVersion: extensions/v1beta1
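Review bot: the apiVersion switch at line 4 of ingress.yaml is unconditional, so a cluster that still only serves extensions/v1beta1 would no longer get an Ingress from this chart. Consider selecting the version in the template with .Capabilities.APIVersions.Has "networking.k8s.io/v1" and keeping the extensions/v1beta1 form as the fallback branch.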
37d36
< pathType: ImplementationSpecific
39,42c38,39
< service:
< name: {{ $fullName }}
< port:
< name: http


          serviceName: {{ $fullName }}
          servicePort: http

`
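Review bot: the diff was produced with the modified file on the left (diff -r netbox/templates/ingress.yaml netbox.orig/templates/ingress.yaml), so in the last hunk the new service/port block is on the < side and applying the patch as posted would revert the change. Regenerate it as a unified diff from netbox.orig to netbox, and confirm that the Service names its port http, since port.name: http replaces servicePort: http here.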
patch attached (thanks to stupid filter: ingress.txt instead of ingress.patch): ingress.txt

Deprecation of netbox chart

We are considering deprecating netbox chart in favor of https://github.com/bootc/netbox-chart

Due to the lack of testing with ldap and other features, and that our user base is less important than the one of bootc, we will face difficulties to provide a full-fledged chart as originally intended.

If you are using the netbox chart and see a problem using the one of bootc, let us know in this issue.

cc #40

kube-router: rbac.authorization.k8s.io/v1beta1 deprecated

Per kubectl warning:

Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+;

The RBAC (ClusterRole and ClusterRoleBinding) in kube-router is using these deprecated APIs, should change to rbac.authorization.k8s.io/v1b in order to support new cluster versions.
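
Both this warning and the extensions/v1beta1 Ingress issue above concern objects that a v1.22+ API server no longer accepts. The following is an added example, not code from the charts or the issues: a scanner for rendered manifests that reports objects still using those two beta API versions. The names deprecated_objects, REPLACEMENTS and SAMPLE are hypothetical, and the sample manifests are constructed.

```python
import re

# Beta API versions named on this page mapped to their stable replacements.
# Both beta versions stopped being served in Kubernetes v1.22.
REPLACEMENTS = {
    ("extensions/v1beta1", "Ingress"): "networking.k8s.io/v1",
    ("rbac.authorization.k8s.io/v1beta1", "ClusterRole"): "rbac.authorization.k8s.io/v1",
    ("rbac.authorization.k8s.io/v1beta1", "ClusterRoleBinding"): "rbac.authorization.k8s.io/v1",
}
VALUE = r"[ \t]*['\"]?([^'\"\s#]+)"


def _field(doc, pattern):
    match = re.search(pattern, doc, re.MULTILINE)
    return match.group(1) if match else None


def deprecated_objects(rendered):
    """Return (kind, name, old_api, new_api) for each object using a removed API."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", rendered, flags=re.MULTILINE):
        # Column-0 keys only, so roleRef.kind and similar nested fields are ignored.
        api = _field(doc, r"^apiVersion:" + VALUE)
        kind = _field(doc, r"^kind:" + VALUE)
        # Assumes two-space indentation under metadata.
        name = _field(doc, r"^metadata:[ \t]*\n(?:[ ]+.*\n)*?[ ]{2}name:" + VALUE)
        new_api = REPLACEMENTS.get((api, kind))
        if new_api:
            findings.append((kind, name, api, new_api))
    return findings


# Constructed sample of rendered manifests (not output from the real charts).
SAMPLE = """\
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: netbox
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: kube-router
  name: kube-router
roleRef:
  kind: ClusterRole
  name: kube-router
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: already-migrated
"""
```

Running deprecated_objects over the output of helm template for a chart, before upgrading the cluster, lists what has to be migrated first.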

Improve release workflow

Currently we can't release a chart if another from the repository fails to build or wasn't pushed. Usually because files were altered and the version not bumped yet.

Perhaps we could use a matrix and run a job for each one. But also there's no need to trigger a workflow acting on all charts, so events would have to be filtered in some way. I don't like the idea of having multiple workflows but it would surely fix the situation for now.

[kube-router] hairpin mode misses configuration in cni-conf.json

While enabling hairpinMode, a field must be added to the cni-conf.json:

  cni-conf.json: |
    {
       "cniVersion":"0.3.0",
       "name":"mynet",
       "plugins":[
          {
             "name":"kubernetes",
             "type":"bridge",
             "bridge":"kube-bridge",
             "isDefaultGateway":true,
             "hairpinMode":true,
             "ipam":{
                "type":"host-local"
             }
          }
       ]
    }

failed calling webhook "prometheusrulemutate.monitoring.coreos.com"

I tried to install your Helm chart into my on-prem kubernetes cluster by

$ helm -n monitoring install x509-certificate-exporter enix/x509-certificate-exporter -f ./x509-exporter.values.yml

The values.yml is still the default from your git repo.

My enabled admission plugins are

  • NodeRestriction
  • NamespaceLifecycle
  • LimitRanger
  • ServiceAccount
  • DefaultStorageClass
  • DefaultTolerationSeconds
  • MutatingAdmissionWebhook
  • ValidatingAdmissionWebhook
  • Priority
  • ResourceQuota
  • PodSecurityPolicy

I installed also a webhook:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: prometheus-operator-rulesvalidation
webhooks:
  - clientConfig:
      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjekNDQVJtZ0F3SUJBZ0lRZEtYaWh3Yk53UWpXWXdFVTJ6d3hvakFLQmdncWhrak9QUVFEQWpBT01Rd3cKQ2dZRFZRUUtFd051YVd3d0lCY05NakV3TXpJMU1ERXhOVEU0V2hnUE1qRXlNVEF6TURFd01URTFNVGhhTUE0eApEREFLQmdOV>
      service:
        name: prometheus-kube-prometheus-operator
        namespace: monitoring
        path: /admission-prometheusrules/mutate
    failurePolicy: Fail
    name: prometheusrulemutate.monitoring.coreos.com
    namespaceSelector: {}
    rules:
      - apiGroups:
          - monitoring.coreos.com
        apiVersions:
          - '*'
        operations:
          - CREATE
          - UPDATE
        resources:
          - prometheusrules
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None

But I get all the time the following error:

$ helm -n monitoring upgrade -i x509-certificate-exporter enix/x509-certificate-exporter -f ./x509-exporter.values.yml 
Error: UPGRADE FAILED: failed to create resource: Internal error occurred: failed calling webhook "prometheusrulemutate.monitoring.coreos.com": Post "https://prometheus-kube-prometheus-operator.monitoring.svc:443/admission-prometheusrules/mutate?timeout=10s": dial tcp 172.20.151.210:443: i/o timeout

The Service as well as the Pod for prometheus operator is installed, working and reachable inside monitoring namespace at 172.20.151.210:443.

[x509-exporter] should keep absolute path as labels

It is quite handy to have full path of certificates in the label.
Although I understand the motivation to manage complex scenarios, I think that we should have an option to keep full paths (maybe only in simple scenarios).

[netbox] Some Bugs with Openshift 3.11

What I tried:

helm install netbox-enix enix/netbox

BUG 1: postgresql image could not be pulled
Solution replace container location from docker.io/bitnami/postgresql:11.8.0-debian-10-r14 to bitnami/postgresql:11.8.0-debian-10-r14

BUG 2: redis image could not be pulled
Solution replace container location from docker.io/bitnami/redis:6.0.4-debian-10-r0 to bitnami/redis:6.0.4-debian-10-r0

BUG 3: netbox configuration error: REDIS_PORT environment variable was being set with: "tcp://x.x.x.x:6379"
Solution set REDIS_PORT= 6379 in netbox ConfigMap

BUG 4:
I am new to Helm, but I couldn't make Chart Values to work. I tried:

config.yaml

persistence:
  storageClassName: stage-nas-nfs-noresize

helm install -f config.yaml netbox-enix enix/netbox

and the PVC's did not add storageClassName config ...

Suggestion
Maybe you should put configuration.py in a configMap parameter.

Questions
a) Is it safe to apply netbox version upgrades with this helm chart ?
b) How can I use plugins with this helm chart ? I want to try https://github.com/iDebugAll/nextbox-ui-plugin
