# Overview

In this notebook we will explore the options for installing pachyderm locally (i.e. in a self-hosted format). This means no commercial requirements like a cloud provider or any manages service or applicance.

Currently the latest stable version is [2.5.5](https://github.com/pachyderm/pachyderm/releases/tag/v2.5.5) which was released 4/27/2023.

# Installation Options

Looking through the documentation we see several options for installing pachyderm: locally or in the cloud. We then see that these two opions break down further. The table below tries to enumerate the options presented or implied in the documentation.

- [Local Installation](https://docs.pachyderm.com/2.3.x/getting-started/local-installation/)
    - [Docker Desktop](https://docs.pachyderm.com/latest/getting-started/local-deploy/docker/) - A commercial application that allows running containers as well as a single node kubernetes cluster
    - [Minikube](https://docs.pachyderm.com/latest/getting-started/local-deploy/minikube/) - An open source tool that allows running a single node kubernetes cluster locally
- [On-premisis Installation](https://docs.pachyderm.com/latest/deploy-manage/deploy/on-premises/)
    - kubernetes cluster
- Cloud Installation
    - AWS
    - Azure
    - GCP

In this guide, I will be installing to a self-hosted kubernetes cluster. Additionally, this will NOT be a production deployment. Instead it will be a bare bones spin-up to evaluate the pachyderm features. If I like the solution I will update the instructions for a proper production worthy install.

# Install Prerequisites

## Install Helm (full kuberentes only)

We can think of helm as a package and deployment manager for kubernetes. Helm automates the creation, packaging, configuration, and deployment of Kubernetes applications. It does this through a packaging structure that combines your configuration files into a single reusable format that can be understood and managed by the utility.

### Helm Compatibility

In order to install helm, we need to figure out which version is comptible with the version of our kubernetes cluster. The helm documentation lists the [compatibility matrix](https://helm.sh/docs/topics/version_skew/) as seen below:


|Helm Version|Supported Kubernetes Versions|
|------------|-----------------------------|
|3.11.x |1.26.x - 1.23.x|
|3.10.x|1.25.x - 1.22.x|
|3.9.x|1.24.x - 1.21.x|
|3.8.x|1.23.x - 1.20.x|
|3.7.x|1.22.x - 1.19.x|
|3.6.x|1.21.x - 1.18.x|
|3.5.x|1.20.x - 1.17.x|
|3.4.x|1.19.x - 1.16.x|


In my case my case my kubernetes cluster was running version 1.21.14:
```
[root@os004k8-master001 ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.9", GitCommit:"b631974d68ac5045e076c86a5c66fba6f128dc72", GitTreeState:"clean", BuildDate:"2022-01-19T17:51:12Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.14", GitCommit:"0f77da5bd4809927e15d1658fb4aa8f13ad890a5", GitTreeState:"clean", BuildDate:"2022-06-15T14:11:36Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}

```

So this means I can run helm 3.6 to 3.9. I will go with 3.9 as it's the newest version which has had the most burn in time with my version of k8.

### Download Binaries
The official installation instructions can be found [here](https://helm.sh/docs/intro/install/). Every version of helm is distributed as a binary built for x64 arhchitectures. The binaries can be doenloaded from the [github releases page](https://github.com/helm/helm/releases).

In my case, [3.9.4](https://github.com/helm/helm/releases/tag/v3.9.4) is the latest version available.


```
[root@os004k8-master001 ~]# curl -O https://get.helm.sh/helm-v3.9.4-linux-amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13.3M  100 13.3M    0     0  20.1M      0 --:--:-- --:--:-- --:--:-- 20.1M

[root@os004k8-master001 ~]# tar -zxvf helm-v3.9.4-linux-amd64.tar.gz
linux-amd64/
linux-amd64/helm
linux-amd64/LICENSE
linux-amd64/README.md

[root@os004k8-master001 ~]# linux-amd64/helm version
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
version.BuildInfo{Version:"v3.9.4", GitCommit:"dbc6d8e20fe1d58d50e6ed30f09a04a77e4c68db", GitTreeState:"clean", GoVersion:"go1.17.13"}

[root@os004k8-master001 ~]# cp linux-amd64/helm /usr/bin/
[root@os004k8-master001 ~]# helm version
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
version.BuildInfo{Version:"v3.9.4", GitCommit:"dbc6d8e20fe1d58d50e6ed30f09a04a77e4c68db", GitTreeState:"clean", GoVersion:"go1.17.13"}

```


### Connect helm to kubernetes cluster
In order to allow helm to install packages on kuernetes, it needs to be able to access information about the cluster. This is typically done via the kube config file. A plain text file that contains the configurations and secrets necessary for a cli to connect and authenticate against a kubernetes cluster. For example, the kubectl and kubeadm programs use this file.

Helm will default to using whatever your current Kubernetes context is, as specified in the $HOME/. kube/config file. 

## Setup Load Balancer

The purpose of a Load Balancer is to configure the networking so people outside the cluster can reliably connect to services hosted inside the cluster. In kubernetes this is done through a [Service](https://kubernetes.io/docs/concepts/services-networking/service/). There are [several types of services](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) provided by kubernetes: ClusterIP, NodePort, LoadBalancer, ExternalName. We will be using a [LoadBalancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) for our purposes. 

Reading through the documentation we infer that the LoadBalancer implimentation varies with each cloud provider. From experience I can say that the LoadBalancer can be thought of as a plugin. Each cloud provider hosts their own flavor of kubernetes which integrates, through a load balancer plugin, with their back end infrastructure. For example, AWS offers the [AWS Load Balancer Controller add-on](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html). 

As my kubernetes cluster is running "on-prem" or "bare-metal" I cannot leverage any of these cloud native LB options. Instead I must look for a 3rd party solution that will provde the features I need. Enter MetalLB.

**Note** If a LoadBalancer Service is deployed on a bare-metal kubernetes cluster withouth a LoadBallancer being installed in the system, the services will start, but they will not be allocated an externally facing IP address. For example, in the case of Pachyderm, we would see something like this:

```
[root@os004k8-master001 pachyderm]# kubectl get service pachyderm-proxy
NAME              TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
pachyderm-proxy   LoadBalancer   10.107.34.238   <pending>     80:31201/TCP   20m
```

### MetalLB Overview
As the name suggests, MetalLB is a load-balancer implementation for bare metal Kubernetes clusters. It uses standard routing protocols and can be run on any OSS implimentation.

The current version is v0.13.9 which is labeled as a beta despite the offering being used and reccomended for production.

#### Why?
Kubernetes does not offer an implementation of network load balancers (Services of type LoadBalancer) for bare-metal clusters. The implementations of network load balancers that Kubernetes does ship with are all glue code that calls out to various IaaS platforms (GCP, AWS, Azure…). If you’re not running on a supported IaaS platform (GCP, AWS, Azure…), LoadBalancers will remain in the “pending” state indefinitely when created.

Bare-metal cluster operators are left with two lesser tools to bring user traffic into their clusters, “NodePort” and “externalIPs” services. Both of these options have significant downsides for production use, which makes bare-metal clusters second-class citizens in the Kubernetes ecosystem.

MetalLB aims to redress this imbalance by offering a network load balancer implementation that integrates with standard network equipment, so that external services on bare-metal clusters also “just work” as much as possible.

#### Requirements

MetalLB requires the following to function:

- A Kubernetes cluster, running Kubernetes 1.13.0 or later, that does not already have network load-balancing functionality.
- A cluster network configuration that can coexist with MetalLB. The following network addons are [supported](https://metallb.universe.tf/installation/network-addons/):

|Network addon|Compatible|
|-------------|----------|
|Antrea|Yes (Tested on version 1.4 and 1.5)|
|Calico|Mostly (see known issues)|
|Canal|Yes|
|Cilium|Yes|
|Flannel|Yes|
|Kube-ovn|Yes|
|Kube-router|Mostly (see known issues)|
|Weave Net|Mostly (see known issues)|

- Some IPv4 addresses for MetalLB to hand out.
- When using the BGP operating mode, you will need one or more routers capable of speaking BGP.
- When using the L2 operating mode, traffic on port 7946 (TCP & UDP, other port can be configured) must be allowed between nodes, as required by memberlist.

### MetalLB Installation Overview

The basic process required to setup MetalLB is to install the solution and then configure it.

#### Installation Options

According to the [documentation](https://metallb.universe.tf/installation/), there are three supported ways to install MetalLB: 
- using plain Kubernetes manifests
- using Kustomize
- using Helm

**Note**: The installation comes in two flavors: Regular and FRR; FRRouting (FRR) is a set of open source internet routing protocols, including the Border Gateway Protocol (BGP).

The installation will deploy MetalLB under the `metallb-system` namespace. The high-level components that make up the MetalLB solution are:
- The `metallb-system/controller` deployment. This is the cluster-wide controller that handles IP address assignments.
- The `metallb-system/speaker` daemonset. This is the component that speaks the protocol(s) of your choice to make the services reachable.
- Service accounts for the controller and speaker, along with the RBAC permissions that the components need to function.

While looking at the kubernetes manifest I saw declarations for the following types of kubernetes resources:
- Namespace
- CustomResourceDefinition
- ServiceAccount
- Role
- ClusterRole
- RoleBinding
- ClusterRoleBinding
- Secret
- Service
- Deployment
- DaemonSet
- ValidatingWebhookConfiguration

#### Configuration

Once deployed, MetalLB remains idle until configured. [Configuration](https://metallb.universe.tf/configuration/) of the MetalLB solution occurs through the depoyment of resources into the MetalLB namesapce (metallb-system). These resources articulate and impliment the various load balancer configurations that a user requires.

Typically, these resources are ultimatly Custom Resources (CRs) which are defined as part of the project.

For more information on the configuration options see the [official documentation](https://metallb.universe.tf/configuration/).

##### Custom Resources

**Custom Resources** (CRs) are extensions of the Kubernetes API. A resource is an endpoint in the Kubernetes API that stores a collection of API objects of a certain kind; for example, the built-in pods resource contains a collection of Pod objects.

A custom resource is an extension of the Kubernetes API that is not necessarily available in a default Kubernetes installation. It represents a customization of a particular Kubernetes installation. However, many core Kubernetes functions are now built using custom resources, making Kubernetes more modular.

For more information see the [official documentation](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/).


A **Custom Resource Definition** (CRD) file defines your custom resource. The definition enables Kubernetes to handle the entire lifecycle of the custome resource. The Kubernetes API serves and handles the storage of your custom resource.

For more information see the [official documentation](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions).

An **Operator** is a software extensions to Kubernetes that manages or "operates" custom resources and their components. The operator is what plugs into the kubernetes API / CLI and makes the magic happen by watching a CR type and taking application-specific actions to make the current state match the desired state in that resource. We can interract with the operator to edit the configurations or change the state (eg. stop or delete) a resource.

For more information see the [official documentation](https://kubernetes.io/docs/concepts/extend-kubernetes/operator) or the (RedHat Documentation](https://www.redhat.com/en/topics/containers/what-is-a-kubernetes-operator).

##### Key Concepts: Address Allocation and External Announcement

MetalLB relies on [two main features](https://metallb.universe.tf/concepts/) which work together to provide it's load balancer functionality: address allocation, and external announcement.

**Address Allocation**

When a load balancer is created, it needs an IP Address in order to communicate with other machines on the network and thus provide load balancing. Traditionally there are two patterns which a load balancer uses to obtain an IP address: static and automatic via DHCP. Through the static pattern, a host "hard codes" it's IP information. Through DHCP a host can instead reach out to a centralized server to obtain its IP information.

Currently MetalLB only supports assigning static IPs or allocating IPs from static pools of IPs. There is an [open enhancement request](https://github.com/metallb/metallb/issues/157) to support dhcp but it is not close to being complete.

**External Announcement**

After MetalLB has assigned an external IP address to a service, it needs to make the network beyond the cluster aware that the IP “lives” in the cluster. MetalLB uses standard networking or routing protocols to achieve this, depending on which mode is used: ARP, NDP, or BGP.

The specific configuration depends on the protocol(s) you want to use to announce service IPs. More information can be found [here](https://metallb.universe.tf/configuration/#announce-the-service-ips).

### Installation

#### Check kube-proxy Config Map For IPVS Settings

If you’re using kube-proxy in IPVS mode, since Kubernetes v1.14.2 you have to enable strict ARP mode.

Note, you don’t need this if you’re using kube-router as service-proxy because it is enabling strict ARP by default.

We can check if we are using IPVS as follows:

```
[root@os004k8-master001 pachyderm]# kubectl get configmap -n kube-system kube-proxy
NAME         DATA   AGE
kube-proxy   2      2d16h

[root@os004k8-master001 pachyderm]# kubectl get configmap -n kube-system kube-proxy -o yaml
apiVersion: v1
data:
  config.conf: |-
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    bindAddress: 0.0.0.0
    bindAddressHardFail: false
    clientConnection:
      acceptContentTypes: ""
      burst: 0
      contentType: ""
      kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
      qps: 0
    clusterCIDR: 192.168.0.0/16
    configSyncPeriod: 0s
    conntrack:
      maxPerCore: null
      min: null
      tcpCloseWaitTimeout: null
      tcpEstablishedTimeout: null
    detectLocalMode: ""
    enableProfiling: false
    healthzBindAddress: ""
    hostnameOverride: ""
    iptables:
      masqueradeAll: false
      masqueradeBit: null
      minSyncPeriod: 0s
      syncPeriod: 0s
    ipvs:
      excludeCIDRs: null
      minSyncPeriod: 0s
      scheduler: ""
      strictARP: false
      syncPeriod: 0s
      tcpFinTimeout: 0s
      tcpTimeout: 0s
      udpTimeout: 0s
    kind: KubeProxyConfiguration
    metricsBindAddress: ""
    mode: ""
    nodePortAddresses: null
    oomScoreAdj: null
    portRange: ""
    showHiddenMetricsForVersion: ""
    udpIdleTimeout: 0s
    winkernel:
      enableDSR: false
      networkName: ""
      sourceVip: ""
  kubeconfig.conf: |-
    apiVersion: v1
    kind: Config
    clusters:
    - cluster:
        certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        server: https://15.4.7.11:6443
      name: default
    contexts:
    - context:
        cluster: default
        namespace: default
        user: default
      name: default
    current-context: default
    users:
    - name: default
      user:
        tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
kind: ConfigMap
metadata:
  annotations:
    kubeadm.kubernetes.io/component-config.hash: sha256:725d9006cdf16469bef2e8434e5225a49b721dd71843dfd2431b55bad0eb3701
  creationTimestamp: "2023-04-30T22:58:20Z"
  labels:
    app: kube-proxy
  name: kube-proxy
  namespace: kube-system
  resourceVersion: "300"
  uid: e93d3967-bf4e-42bc-b5c9-f0c546ad2276
  
[root@os004k8-master001 pachyderm]# kubectl get configmap -n kube-system kube-proxy -o yaml | grep mode -C 3
      udpTimeout: 0s
    kind: KubeProxyConfiguration
    metricsBindAddress: ""
    mode: ""
    nodePortAddresses: null
    oomScoreAdj: null
    portRange: ""

```

We can see that no mode is set (i.e. we are not using ipvs). Thus we do not need to do anything further.

#### Download The MetalLB Manifest
I have decided to go with installation from the manifes.

As mentioned earlier, there are two versions of MetalLB that can be deployed. The standard version and the FRR version. As I do not need any of the functionality of the FRR mode, I will do a standard deployment.

We can use curl to download a local copy of the manifest.
```
[root@os004k8-master001 pachyderm]# curl -O https://raw.githubusercontent.com/metallb/metallb/v0.13.9/config/manifests/metallb-native.yaml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 75270  100 75270    0     0   244k      0 --:--:-- --:--:-- --:--:--  245k
```

We will see that this manifest is very large and has declarations for the following types of kubernetes resources:
- Namespace
- CustomResourceDefinition
- ServiceAccount
- Role
- ClusterRole
- RoleBinding
- ClusterRoleBinding
- Secret
- Service
- Deployment
- DaemonSet
- ValidatingWebhookConfiguration

```
[root@os004k8-master001 pachyderm]# cat metallb-native.yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
  name: metallb-system
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.1
  name: addresspools.metallb.io
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlGWlRDQ0EwMmdBd0lCQWdJVU5GRW1XcTM3MVpKdGkrMmlSQzk1WmpBV1MxZ3dEUVlKS29aSWh2Y05BUUVMDQpCUUF3UWpFTE1Ba0dBMVVFQmhNQ1dGZ3hGVEFUQmdOVkJBY01ERVJsWm1GMWJIUWdRMmwwZVRFY01Cb0dBMVVFDQpDZ3dUUkdWbVlYVnNkQ0JEYjIxd1lXNTVJRXgwWkRBZUZ3MHlNakEzTVRrd09UTXlNek5hRncweU1qQTRNVGd3DQpPVE15TXpOYU1FSXhDekFKQmdOVkJBWVRBbGhZTVJVd0V3WURWUVFIREF4RVpXWmhkV3gwSUVOcGRIa3hIREFhDQpCZ05WQkFvTUUwUmxabUYxYkhRZ1EyOXRjR0Z1ZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDDQpEd0F3Z2dJS0FvSUNBUUNxVFpxMWZRcC9vYkdlenhES0o3OVB3Ny94azJwellualNzMlkzb1ZYSm5sRmM4YjVlDQpma2ZZQnY2bndscW1keW5PL2phWFBaQmRQSS82aFdOUDBkdVhadEtWU0NCUUpyZzEyOGNXb3F0MGNTN3pLb1VpDQpvcU1tQ0QvRXVBeFFNZjhRZDF2c1gvVllkZ0poVTZBRXJLZEpIaXpFOUJtUkNkTDBGMW1OVW55Rk82UnRtWFZUDQpidkxsTDVYeTc2R0FaQVBLOFB4aVlDa0NtbDdxN0VnTWNiOXlLWldCYmlxQ3VkTXE5TGJLNmdKNzF6YkZnSXV4DQo1L1pXK2JraTB2RlplWk9ZODUxb1psckFUNzJvMDI4NHNTWW9uN0pHZVZkY3NoUnh5R1VpSFpSTzdkaXZVTDVTDQpmM2JmSDFYbWY1ZDQzT0NWTWRuUUV2NWVaOG8zeWVLa3ZrbkZQUGVJMU9BbjdGbDlFRVNNR2dhOGFaSG1URSttDQpsLzlMSmdDYjBnQmtPT0M0WnV4bWh2aERKV1EzWnJCS3pMQlNUZXN0NWlLNVlwcXRWVVk2THRyRW9FelVTK1lsDQpwWndXY2VQWHlHeHM5ZURsR3lNVmQraW15Y3NTU1UvVno2Mmx6MnZCS21NTXBkYldDQWhud0RsRTVqU2dyMjRRDQp0eGNXLys2N3d5KzhuQlI3UXdqVTFITndVRjBzeERWdEwrZ1NHVERnSEVZSlhZelYvT05zMy94TkpoVFNPSkxNDQpoeXNVdyttaGdackdhbUdXcHVIVU1DUitvTWJzMTc1UkcrQjJnUFFHVytPTjJnUTRyOXN2b0ZBNHBBQm8xd1dLDQpRYjRhY3pmeVVscElBOVFoSmFsZEY3S3dPSHVlV3gwRUNrNXg0T2tvVDBvWVp0dzFiR0JjRGtaSmF3SURBUUFCDQpvMU13VVRBZEJnTlZIUTRFRmdRVW90UlNIUm9IWTEyRFZ4R0NCdEhpb1g2ZmVFQXdId1lEVlIwakJCZ3dGb0FVDQpvdFJTSFJvSFkxMkRWeEdDQnRIaW9YNmZlRUF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCDQpBUXNGQUFPQ0FnRUFSbkpsWWRjMTFHd0VxWnh6RDF2R3BDR2pDN2VWTlQ3aVY1d3IybXlybHdPYi9aUWFEa0xYDQpvVStaOVVXT1VlSXJTdzUydDdmQUpvVVAwSm5iYkMveVIrU1lqUGhvUXNiVHduOTc2ZldBWTduM3FMOXhCd1Y0DQphek41OXNjeUp0dlhMeUtOL2N5ak1ReDRLajBIMFg0bWJ6bzVZNUtzWWtYVU0vOEFPdWZMcEd0S1NGVGgrSEFDDQpab1Q5YnZHS25adnNHd0tYZFF0Wnh0akhaUjVqK3U3ZGtQOTJBT051RFNabS8rWVV4b2tBK09JbzdSR3BwSHNXDQo1ZTdNY0FTVXRtb1FORXd6dVFoVkJaRWQ1OGtKYjUrV0VWbGNzanlXNnRTbzErZ25tTWNqR1BsMWgxR2hVbjV4DQpFY0lWRnBIWXM5YWo1NmpBSjk1MVQvZjhMaWxmTlVnanBLQ0c1bnl0SUt3emxhOHNtdGlPdm1UNEpYbXBwSkI2DQo4bmdHRVluVjUrUTYwWFJ2OEhSSGp1VG9CRHVhaERrVDA2R1JGODU1d09FR2V4bkZpMXZYWUxLVllWb1V2MXRKDQo4dVdUR1pwNllDSVJldlBqbzg5ZytWTlJSaVFYUThJd0dybXE5c0RoVTlqTjA0SjdVL1RvRDFpNHE3VnlsRUc5DQorV1VGNkNLaEdBeTJIaEhwVncyTGFoOS9lUzdZMUZ1YURrWmhPZG1laG1BOCtqdHNZamJadnR5Mm1SWlF0UUZzDQpUU1VUUjREbUR2bVVPRVRmeStpRHdzK2RkWXVNTnJGeVVYV2dkMnpBQU4ydVl1UHFGY2pRcFNPODFzVTJTU3R3DQoxVzAyeUtYOGJEYmZFdjBzbUh3UzliQnFlSGo5NEM1Mjg0YXpsdTBmaUdpTm1OUEM4ckJLRmhBPQ0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
        service:
          name: webhook-service
          namespace: metallb-system
          path: /convert
      conversionReviewVersions:
      - v1alpha1
      - v1beta1
  group: metallb.io
  names:
    kind: AddressPool
    listKind: AddressPoolList
    plural: addresspools
    singular: addresspool
  scope: Namespaced
  versions:
  - deprecated: true
    deprecationWarning: metallb.io v1alpha1 AddressPool is deprecated
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: AddressPool is the Schema for the addresspools API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AddressPoolSpec defines the desired state of AddressPool.
            properties:
              addresses:
                description: A list of IP address ranges over which MetalLB has authority.
                  You can list multiple ranges in a single pool, they will all share
                  the same settings. Each range can be either a CIDR prefix, or an
                  explicit start-end range of IPs.
                items:
                  type: string
                type: array
              autoAssign:
                default: true
                description: AutoAssign flag used to prevent MetallB from automatic
                  allocation for a pool.
                type: boolean
              bgpAdvertisements:
                description: When an IP is allocated from this pool, how should it
                  be translated into BGP announcements?
                items:
                  properties:
                    aggregationLength:
                      default: 32
                      description: The aggregation-length advertisement option lets
                        you “roll up” the /32s into a larger prefix.
                      format: int32
                      minimum: 1
                      type: integer
                    aggregationLengthV6:
                      default: 128
                      description: Optional, defaults to 128 (i.e. no aggregation)
                        if not specified.
                      format: int32
                      type: integer
                    communities:
                      description: BGP communities
                      items:
                        type: string
                      type: array
                    localPref:
                      description: BGP LOCAL_PREF attribute which is used by BGP best
                        path algorithm, Path with higher localpref is preferred over
                        one with lower localpref.
                      format: int32
                      type: integer
                  type: object
                type: array
              protocol:
                description: Protocol can be used to select how the announcement is
                  done.
                enum:
                - layer2
                - bgp
                type: string
            required:
            - addresses
            - protocol
            type: object
          status:
            description: AddressPoolStatus defines the observed state of AddressPool.
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - deprecated: true
    deprecationWarning: metallb.io v1beta1 AddressPool is deprecated, consider using
      IPAddressPool
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: AddressPool represents a pool of IP addresses that can be allocated
          to LoadBalancer services. AddressPool is deprecated and being replaced by
          IPAddressPool.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AddressPoolSpec defines the desired state of AddressPool.
            properties:
              addresses:
                description: A list of IP address ranges over which MetalLB has authority.
                  You can list multiple ranges in a single pool, they will all share
                  the same settings. Each range can be either a CIDR prefix, or an
                  explicit start-end range of IPs.
                items:
                  type: string
                type: array
              autoAssign:
                default: true
                description: AutoAssign flag used to prevent MetallB from automatic
                  allocation for a pool.
                type: boolean
              bgpAdvertisements:
                description: Drives how an IP allocated from this pool should translated
                  into BGP announcements.
                items:
                  properties:
                    aggregationLength:
                      default: 32
                      description: The aggregation-length advertisement option lets
                        you “roll up” the /32s into a larger prefix.
                      format: int32
                      minimum: 1
                      type: integer
                    aggregationLengthV6:
                      default: 128
                      description: Optional, defaults to 128 (i.e. no aggregation)
                        if not specified.
                      format: int32
                      type: integer
                    communities:
                      description: BGP communities to be associated with the given
                        advertisement.
                      items:
                        type: string
                      type: array
                    localPref:
                      description: BGP LOCAL_PREF attribute which is used by BGP best
                        path algorithm, Path with higher localpref is preferred over
                        one with lower localpref.
                      format: int32
                      type: integer
                  type: object
                type: array
              protocol:
                description: Protocol can be used to select how the announcement is
                  done.
                enum:
                - layer2
                - bgp
                type: string
            required:
            - addresses
            - protocol
            type: object
          status:
            description: AddressPoolStatus defines the observed state of AddressPool.
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.1
  creationTimestamp: null
  name: bfdprofiles.metallb.io
spec:
  group: metallb.io
  names:
    kind: BFDProfile
    listKind: BFDProfileList
    plural: bfdprofiles
    singular: bfdprofile
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.passiveMode
      name: Passive Mode
      type: boolean
    - jsonPath: .spec.transmitInterval
      name: Transmit Interval
      type: integer
    - jsonPath: .spec.receiveInterval
      name: Receive Interval
      type: integer
    - jsonPath: .spec.detectMultiplier
      name: Multiplier
      type: integer
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: BFDProfile represents the settings of the bfd session that can
          be optionally associated with a BGP session.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BFDProfileSpec defines the desired state of BFDProfile.
            properties:
              detectMultiplier:
                description: Configures the detection multiplier to determine packet
                  loss. The remote transmission interval will be multiplied by this
                  value to determine the connection loss detection timer.
                format: int32
                maximum: 255
                minimum: 2
                type: integer
              echoInterval:
                description: Configures the minimal echo receive transmission interval
                  that this system is capable of handling in milliseconds. Defaults
                  to 50ms
                format: int32
                maximum: 60000
                minimum: 10
                type: integer
              echoMode:
                description: Enables or disables the echo transmission mode. This
                  mode is disabled by default, and not supported on multi hops setups.
                type: boolean
              minimumTtl:
                description: 'For multi hop sessions only: configure the minimum expected
                  TTL for an incoming BFD control packet.'
                format: int32
                maximum: 254
                minimum: 1
                type: integer
              passiveMode:
                description: 'Mark session as passive: a passive session will not
                  attempt to start the connection and will wait for control packets
                  from peer before it begins replying.'
                type: boolean
              receiveInterval:
                description: The minimum interval that this system is capable of receiving
                  control packets in milliseconds. Defaults to 300ms.
                format: int32
                maximum: 60000
                minimum: 10
                type: integer
              transmitInterval:
                description: The minimum transmission interval (less jitter) that
                  this system wants to use to send BFD control packets in milliseconds.
                  Defaults to 300ms
                format: int32
                maximum: 60000
                minimum: 10
                type: integer
            type: object
          status:
            description: BFDProfileStatus defines the observed state of BFDProfile.
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.1
  creationTimestamp: null
  name: bgpadvertisements.metallb.io
spec:
  group: metallb.io
  names:
    kind: BGPAdvertisement
    listKind: BGPAdvertisementList
    plural: bgpadvertisements
    singular: bgpadvertisement
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.ipAddressPools
      name: IPAddressPools
      type: string
    - jsonPath: .spec.ipAddressPoolSelectors
      name: IPAddressPool Selectors
      type: string
    - jsonPath: .spec.peers
      name: Peers
      type: string
    - jsonPath: .spec.nodeSelectors
      name: Node Selectors
      priority: 10
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: BGPAdvertisement allows to advertise the IPs coming from the
          selected IPAddressPools via BGP, setting the parameters of the BGP Advertisement.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BGPAdvertisementSpec defines the desired state of BGPAdvertisement.
            properties:
              aggregationLength:
                default: 32
                description: The aggregation-length advertisement option lets you
                  “roll up” the /32s into a larger prefix. Defaults to 32. Works for
                  IPv4 addresses.
                format: int32
                minimum: 1
                type: integer
              aggregationLengthV6:
                default: 128
                description: The aggregation-length advertisement option lets you
                  “roll up” the /128s into a larger prefix. Defaults to 128. Works
                  for IPv6 addresses.
                format: int32
                type: integer
              communities:
                description: The BGP communities to be associated with the announcement.
                  Each item can be a community of the form 1234:1234 or the name of
                  an alias defined in the Community CRD.
                items:
                  type: string
                type: array
              ipAddressPoolSelectors:
                description: A selector for the IPAddressPools which would get advertised
                  via this advertisement. If no IPAddressPool is selected by this
                  or by the list, the advertisement is applied to all the IPAddressPools.
                items:
                  description: A label selector is a label query over a set of resources.
                    The result of matchLabels and matchExpressions are ANDed. An empty
                    label selector matches all objects. A null label selector matches
                    no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the
                          key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship
                              to a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a
                              strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
              ipAddressPools:
                description: The list of IPAddressPools to advertise via this advertisement,
                  selected by name.
                items:
                  type: string
                type: array
              localPref:
                description: The BGP LOCAL_PREF attribute which is used by BGP best
                  path algorithm, Path with higher localpref is preferred over one
                  with lower localpref.
                format: int32
                type: integer
              nodeSelectors:
                description: NodeSelectors allows to limit the nodes to announce as
                  next hops for the LoadBalancer IP. When empty, all the nodes having  are
                  announced as next hops.
                items:
                  description: A label selector is a label query over a set of resources.
                    The result of matchLabels and matchExpressions are ANDed. An empty
                    label selector matches all objects. A null label selector matches
                    no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the
                          key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship
                              to a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a
                              strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
              peers:
                description: Peers limits the bgppeer to advertise the ips of the
                  selected pools to. When empty, the loadbalancer IP is announced
                  to all the BGPPeers configured.
                items:
                  type: string
                type: array
            type: object
          status:
            description: BGPAdvertisementStatus defines the observed state of BGPAdvertisement.
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.1
  name: bgppeers.metallb.io
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlGWlRDQ0EwMmdBd0lCQWdJVU5GRW1XcTM3MVpKdGkrMmlSQzk1WmpBV1MxZ3dEUVlKS29aSWh2Y05BUUVMDQpCUUF3UWpFTE1Ba0dBMVVFQmhNQ1dGZ3hGVEFUQmdOVkJBY01ERVJsWm1GMWJIUWdRMmwwZVRFY01Cb0dBMVVFDQpDZ3dUUkdWbVlYVnNkQ0JEYjIxd1lXNTVJRXgwWkRBZUZ3MHlNakEzTVRrd09UTXlNek5hRncweU1qQTRNVGd3DQpPVE15TXpOYU1FSXhDekFKQmdOVkJBWVRBbGhZTVJVd0V3WURWUVFIREF4RVpXWmhkV3gwSUVOcGRIa3hIREFhDQpCZ05WQkFvTUUwUmxabUYxYkhRZ1EyOXRjR0Z1ZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDDQpEd0F3Z2dJS0FvSUNBUUNxVFpxMWZRcC9vYkdlenhES0o3OVB3Ny94azJwellualNzMlkzb1ZYSm5sRmM4YjVlDQpma2ZZQnY2bndscW1keW5PL2phWFBaQmRQSS82aFdOUDBkdVhadEtWU0NCUUpyZzEyOGNXb3F0MGNTN3pLb1VpDQpvcU1tQ0QvRXVBeFFNZjhRZDF2c1gvVllkZ0poVTZBRXJLZEpIaXpFOUJtUkNkTDBGMW1OVW55Rk82UnRtWFZUDQpidkxsTDVYeTc2R0FaQVBLOFB4aVlDa0NtbDdxN0VnTWNiOXlLWldCYmlxQ3VkTXE5TGJLNmdKNzF6YkZnSXV4DQo1L1pXK2JraTB2RlplWk9ZODUxb1psckFUNzJvMDI4NHNTWW9uN0pHZVZkY3NoUnh5R1VpSFpSTzdkaXZVTDVTDQpmM2JmSDFYbWY1ZDQzT0NWTWRuUUV2NWVaOG8zeWVLa3ZrbkZQUGVJMU9BbjdGbDlFRVNNR2dhOGFaSG1URSttDQpsLzlMSmdDYjBnQmtPT0M0WnV4bWh2aERKV1EzWnJCS3pMQlNUZXN0NWlLNVlwcXRWVVk2THRyRW9FelVTK1lsDQpwWndXY2VQWHlHeHM5ZURsR3lNVmQraW15Y3NTU1UvVno2Mmx6MnZCS21NTXBkYldDQWhud0RsRTVqU2dyMjRRDQp0eGNXLys2N3d5KzhuQlI3UXdqVTFITndVRjBzeERWdEwrZ1NHVERnSEVZSlhZelYvT05zMy94TkpoVFNPSkxNDQpoeXNVdyttaGdackdhbUdXcHVIVU1DUitvTWJzMTc1UkcrQjJnUFFHVytPTjJnUTRyOXN2b0ZBNHBBQm8xd1dLDQpRYjRhY3pmeVVscElBOVFoSmFsZEY3S3dPSHVlV3gwRUNrNXg0T2tvVDBvWVp0dzFiR0JjRGtaSmF3SURBUUFCDQpvMU13VVRBZEJnTlZIUTRFRmdRVW90UlNIUm9IWTEyRFZ4R0NCdEhpb1g2ZmVFQXdId1lEVlIwakJCZ3dGb0FVDQpvdFJTSFJvSFkxMkRWeEdDQnRIaW9YNmZlRUF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCDQpBUXNGQUFPQ0FnRUFSbkpsWWRjMTFHd0VxWnh6RDF2R3BDR2pDN2VWTlQ3aVY1d3IybXlybHdPYi9aUWFEa0xYDQpvVStaOVVXT1VlSXJTdzUydDdmQUpvVVAwSm5iYkMveVIrU1lqUGhvUXNiVHduOTc2ZldBWTduM3FMOXhCd1Y0DQphek41OXNjeUp0dlhMeUtOL2N5ak1ReDRLajBIMFg0bWJ6bzVZNUtzWWtYVU0vOEFPdWZMcEd0S1NGVGgrSEFDDQpab1Q5YnZHS25adnNHd0tYZFF0Wnh0akhaUjVqK3U3ZGtQOTJBT051RFNabS8rWVV4b2tBK09JbzdSR3BwSHNXDQo1ZTdNY0FTVXRtb1FORXd6dVFoVkJaRWQ1OGtKYjUrV0VWbGNzanlXNnRTbzErZ25tTWNqR1BsMWgxR2hVbjV4DQpFY0lWRnBIWXM5YWo1NmpBSjk1MVQvZjhMaWxmTlVnanBLQ0c1bnl0SUt3emxhOHNtdGlPdm1UNEpYbXBwSkI2DQo4bmdHRVluVjUrUTYwWFJ2OEhSSGp1VG9CRHVhaERrVDA2R1JGODU1d09FR2V4bkZpMXZYWUxLVllWb1V2MXRKDQo4dVdUR1pwNllDSVJldlBqbzg5ZytWTlJSaVFYUThJd0dybXE5c0RoVTlqTjA0SjdVL1RvRDFpNHE3VnlsRUc5DQorV1VGNkNLaEdBeTJIaEhwVncyTGFoOS9lUzdZMUZ1YURrWmhPZG1laG1BOCtqdHNZamJadnR5Mm1SWlF0UUZzDQpUU1VUUjREbUR2bVVPRVRmeStpRHdzK2RkWXVNTnJGeVVYV2dkMnpBQU4ydVl1UHFGY2pRcFNPODFzVTJTU3R3DQoxVzAyeUtYOGJEYmZFdjBzbUh3UzliQnFlSGo5NEM1Mjg0YXpsdTBmaUdpTm1OUEM4ckJLRmhBPQ0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
        service:
          name: webhook-service
          namespace: metallb-system
          path: /convert
      conversionReviewVersions:
      - v1beta1
      - v1beta2
  group: metallb.io
  names:
    kind: BGPPeer
    listKind: BGPPeerList
    plural: bgppeers
    singular: bgppeer
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.peerAddress
      name: Address
      type: string
    - jsonPath: .spec.peerASN
      name: ASN
      type: string
    - jsonPath: .spec.bfdProfile
      name: BFD Profile
      type: string
    - jsonPath: .spec.ebgpMultiHop
      name: Multi Hops
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: BGPPeer is the Schema for the peers API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BGPPeerSpec defines the desired state of Peer.
            properties:
              bfdProfile:
                type: string
              ebgpMultiHop:
                description: EBGP peer is multi-hops away
                type: boolean
              holdTime:
                description: Requested BGP hold time, per RFC4271.
                type: string
              keepaliveTime:
                description: Requested BGP keepalive time, per RFC4271.
                type: string
              myASN:
                description: AS number to use for the local end of the session.
                format: int32
                maximum: 4294967295
                minimum: 0
                type: integer
              nodeSelectors:
                description: Only connect to this peer on nodes that match one of
                  these selectors.
                items:
                  properties:
                    matchExpressions:
                      items:
                        properties:
                          key:
                            type: string
                          operator:
                            type: string
                          values:
                            items:
                              type: string
                            minItems: 1
                            type: array
                        required:
                        - key
                        - operator
                        - values
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      type: object
                  type: object
                type: array
              password:
                description: Authentication password for routers enforcing TCP MD5
                  authenticated sessions
                type: string
              peerASN:
                description: AS number to expect from the remote end of the session.
                format: int32
                maximum: 4294967295
                minimum: 0
                type: integer
              peerAddress:
                description: Address to dial when establishing the session.
                type: string
              peerPort:
                description: Port to dial when establishing the session.
                maximum: 16384
                minimum: 0
                type: integer
              routerID:
                description: BGP router ID to advertise to the peer
                type: string
              sourceAddress:
                description: Source address to use when establishing the session.
                type: string
            required:
            - myASN
            - peerASN
            - peerAddress
            type: object
          status:
            description: BGPPeerStatus defines the observed state of Peer.
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.peerAddress
      name: Address
      type: string
    - jsonPath: .spec.peerASN
      name: ASN
      type: string
    - jsonPath: .spec.bfdProfile
      name: BFD Profile
      type: string
    - jsonPath: .spec.ebgpMultiHop
      name: Multi Hops
      type: string
    name: v1beta2
    schema:
      openAPIV3Schema:
        description: BGPPeer is the Schema for the peers API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BGPPeerSpec defines the desired state of Peer.
            properties:
              bfdProfile:
                description: The name of the BFD Profile to be used for the BFD session
                  associated to the BGP session. If not set, the BFD session won't
                  be set up.
                type: string
              ebgpMultiHop:
                description: To set if the BGPPeer is multi-hops away. Needed for
                  FRR mode only.
                type: boolean
              holdTime:
                description: Requested BGP hold time, per RFC4271.
                type: string
              keepaliveTime:
                description: Requested BGP keepalive time, per RFC4271.
                type: string
              myASN:
                description: AS number to use for the local end of the session.
                format: int32
                maximum: 4294967295
                minimum: 0
                type: integer
              nodeSelectors:
                description: Only connect to this peer on nodes that match one of
                  these selectors.
                items:
                  description: A label selector is a label query over a set of resources.
                    The result of matchLabels and matchExpressions are ANDed. An empty
                    label selector matches all objects. A null label selector matches
                    no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the
                          key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship
                              to a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a
                              strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
              password:
                description: Authentication password for routers enforcing TCP MD5
                  authenticated sessions
                type: string
              passwordSecret:
                description: passwordSecret is name of the authentication secret for
                  BGP Peer. the secret must be of type "kubernetes.io/basic-auth",
                  and created in the same namespace as the MetalLB deployment. The
                  password is stored in the secret as the key "password".
                properties:
                  name:
                    description: name is unique within a namespace to reference a
                      secret resource.
                    type: string
                  namespace:
                    description: namespace defines the space within which the secret
                      name must be unique.
                    type: string
                type: object
                x-kubernetes-map-type: atomic
              peerASN:
                description: AS number to expect from the remote end of the session.
                format: int32
                maximum: 4294967295
                minimum: 0
                type: integer
              peerAddress:
                description: Address to dial when establishing the session.
                type: string
              peerPort:
                default: 179
                description: Port to dial when establishing the session.
                maximum: 16384
                minimum: 0
                type: integer
              routerID:
                description: BGP router ID to advertise to the peer
                type: string
              sourceAddress:
                description: Source address to use when establishing the session.
                type: string
              vrf:
                description: To set if we want to peer with the BGPPeer using an interface
                  belonging to a host vrf
                type: string
            required:
            - myASN
            - peerASN
            - peerAddress
            type: object
          status:
            description: BGPPeerStatus defines the observed state of Peer.
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.1
  creationTimestamp: null
  name: communities.metallb.io
spec:
  group: metallb.io
  names:
    kind: Community
    listKind: CommunityList
    plural: communities
    singular: community
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: Community is a collection of aliases for communities. Users can
          define named aliases to be used in the BGPPeer CRD.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: CommunitySpec defines the desired state of Community.
            properties:
              communities:
                items:
                  properties:
                    name:
                      description: The name of the alias for the community.
                      type: string
                    value:
                      description: The BGP community value corresponding to the given
                        name.
                      type: string
                  type: object
                type: array
            type: object
          status:
            description: CommunityStatus defines the observed state of Community.
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.1
  creationTimestamp: null
  name: ipaddresspools.metallb.io
spec:
  group: metallb.io
  names:
    kind: IPAddressPool
    listKind: IPAddressPoolList
    plural: ipaddresspools
    singular: ipaddresspool
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.autoAssign
      name: Auto Assign
      type: boolean
    - jsonPath: .spec.avoidBuggyIPs
      name: Avoid Buggy IPs
      type: boolean
    - jsonPath: .spec.addresses
      name: Addresses
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: IPAddressPool represents a pool of IP addresses that can be allocated
          to LoadBalancer services.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPAddressPoolSpec defines the desired state of IPAddressPool.
            properties:
              addresses:
                description: A list of IP address ranges over which MetalLB has authority.
                  You can list multiple ranges in a single pool, they will all share
                  the same settings. Each range can be either a CIDR prefix, or an
                  explicit start-end range of IPs.
                items:
                  type: string
                type: array
              autoAssign:
                default: true
                description: AutoAssign flag used to prevent MetallB from automatic
                  allocation for a pool.
                type: boolean
              avoidBuggyIPs:
                default: false
                description: AvoidBuggyIPs prevents addresses ending with .0 and .255
                  to be used by a pool.
                type: boolean
              serviceAllocation:
                description: AllocateTo makes ip pool allocation to specific namespace
                  and/or service. The controller will use the pool with lowest value
                  of priority in case of multiple matches. A pool with no priority
                  set will be used only if the pools with priority can't be used.
                  If multiple matching IPAddressPools are available it will check
                  for the availability of IPs sorting the matching IPAddressPools
                  by priority, starting from the highest to the lowest. If multiple
                  IPAddressPools have the same priority, choice will be random.
                properties:
                  namespaceSelectors:
                    description: NamespaceSelectors list of label selectors to select
                      namespace(s) for ip pool, an alternative to using namespace
                      list.
                    items:
                      description: A label selector is a label query over a set of
                        resources. The result of matchLabels and matchExpressions
                        are ANDed. An empty label selector matches all objects. A
                        null label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    type: array
                  namespaces:
                    description: Namespaces list of namespace(s) on which ip pool
                      can be attached.
                    items:
                      type: string
                    type: array
                  priority:
                    description: Priority priority given for ip pool while ip allocation
                      on a service.
                    type: integer
                  serviceSelectors:
                    description: ServiceSelectors list of label selector to select
                      service(s) for which ip pool can be used for ip allocation.
                    items:
                      description: A label selector is a label query over a set of
                        resources. The result of matchLabels and matchExpressions
                        are ANDed. An empty label selector matches all objects. A
                        null label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    type: array
                type: object
            required:
            - addresses
            type: object
          status:
            description: IPAddressPoolStatus defines the observed state of IPAddressPool.
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.1
  creationTimestamp: null
  name: l2advertisements.metallb.io
spec:
  group: metallb.io
  names:
    kind: L2Advertisement
    listKind: L2AdvertisementList
    plural: l2advertisements
    singular: l2advertisement
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.ipAddressPools
      name: IPAddressPools
      type: string
    - jsonPath: .spec.ipAddressPoolSelectors
      name: IPAddressPool Selectors
      type: string
    - jsonPath: .spec.interfaces
      name: Interfaces
      type: string
    - jsonPath: .spec.nodeSelectors
      name: Node Selectors
      priority: 10
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: L2Advertisement allows to advertise the LoadBalancer IPs provided
          by the selected pools via L2.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: L2AdvertisementSpec defines the desired state of L2Advertisement.
            properties:
              interfaces:
                description: A list of interfaces to announce from. The LB IP will
                  be announced only from these interfaces. If the field is not set,
                  we advertise from all the interfaces on the host.
                items:
                  type: string
                type: array
              ipAddressPoolSelectors:
                description: A selector for the IPAddressPools which would get advertised
                  via this advertisement. If no IPAddressPool is selected by this
                  or by the list, the advertisement is applied to all the IPAddressPools.
                items:
                  description: A label selector is a label query over a set of resources.
                    The result of matchLabels and matchExpressions are ANDed. An empty
                    label selector matches all objects. A null label selector matches
                    no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the
                          key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship
                              to a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a
                              strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
              ipAddressPools:
                description: The list of IPAddressPools to advertise via this advertisement,
                  selected by name.
                items:
                  type: string
                type: array
              nodeSelectors:
                description: NodeSelectors allows to limit the nodes to announce as
                  next hops for the LoadBalancer IP. When empty, all the nodes having  are
                  announced as next hops.
                items:
                  description: A label selector is a label query over a set of resources.
                    The result of matchLabels and matchExpressions are ANDed. An empty
                    label selector matches all objects. A null label selector matches
                    no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the
                          key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship
                              to a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a
                              strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
            type: object
          status:
            description: L2AdvertisementStatus defines the observed state of L2Advertisement.
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: metallb
  name: controller
  namespace: metallb-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: metallb
  name: speaker
  namespace: metallb-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: metallb
  name: controller
  namespace: metallb-system
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resourceNames:
  - memberlist
  resources:
  - secrets
  verbs:
  - list
- apiGroups:
  - apps
  resourceNames:
  - controller
  resources:
  - deployments
  verbs:
  - get
- apiGroups:
  - metallb.io
  resources:
  - bgppeers
  verbs:
  - get
  - list
- apiGroups:
  - metallb.io
  resources:
  - addresspools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - bfdprofiles
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - ipaddresspools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - bgpadvertisements
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - l2advertisements
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - communities
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: metallb
  name: pod-lister
  namespace: metallb-system
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - addresspools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - bfdprofiles
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - bgppeers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - l2advertisements
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - bgpadvertisements
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - ipaddresspools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - communities
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: metallb
  name: metallb-system:controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services/status
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - policy
  resourceNames:
  - controller
  resources:
  - podsecuritypolicies
  verbs:
  - use
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - metallb-webhook-configuration
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - addresspools.metallb.io
  - bfdprofiles.metallb.io
  - bgpadvertisements.metallb.io
  - bgppeers.metallb.io
  - ipaddresspools.metallb.io
  - l2advertisements.metallb.io
  - communities.metallb.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: metallb
  name: metallb-system:speaker
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - nodes
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - policy
  resourceNames:
  - speaker
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: metallb
  name: controller
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: controller
subjects:
- kind: ServiceAccount
  name: controller
  namespace: metallb-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: metallb
  name: pod-lister
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-lister
subjects:
- kind: ServiceAccount
  name: speaker
  namespace: metallb-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: metallb
  name: metallb-system:controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller
subjects:
- kind: ServiceAccount
  name: controller
  namespace: metallb-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: metallb
  name: metallb-system:speaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker
subjects:
- kind: ServiceAccount
  name: speaker
  namespace: metallb-system
---
apiVersion: v1
kind: Secret
metadata:
  name: webhook-server-cert
  namespace: metallb-system
---
apiVersion: v1
kind: Service
metadata:
  name: webhook-service
  namespace: metallb-system
spec:
  ports:
  - port: 443
    targetPort: 9443
  selector:
    component: controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: metallb
    component: controller
  name: controller
  namespace: metallb-system
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metallb
      component: controller
  template:
    metadata:
      annotations:
        prometheus.io/port: "7472"
        prometheus.io/scrape: "true"
      labels:
        app: metallb
        component: controller
    spec:
      containers:
      - args:
        - --port=7472
        - --log-level=info
        env:
        - name: METALLB_ML_SECRET_NAME
          value: memberlist
        - name: METALLB_DEPLOYMENT
          value: controller
        image: quay.io/metallb/controller:v0.13.9
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 7472
          name: monitoring
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        fsGroup: 65534
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
      volumes:
      - name: cert
        secret:
          defaultMode: 420
          secretName: webhook-server-cert
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: metallb
    component: speaker
  name: speaker
  namespace: metallb-system
spec:
  selector:
    matchLabels:
      app: metallb
      component: speaker
  template:
    metadata:
      annotations:
        prometheus.io/port: "7472"
        prometheus.io/scrape: "true"
      labels:
        app: metallb
        component: speaker
    spec:
      containers:
      - args:
        - --port=7472
        - --log-level=info
        env:
        - name: METALLB_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: METALLB_HOST
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: METALLB_ML_BIND_ADDR
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: METALLB_ML_LABELS
          value: app=metallb,component=speaker
        - name: METALLB_ML_SECRET_KEY_PATH
          value: /etc/ml_secret_key
        image: quay.io/metallb/speaker:v0.13.9
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: speaker
        ports:
        - containerPort: 7472
          name: monitoring
        - containerPort: 7946
          name: memberlist-tcp
        - containerPort: 7946
          name: memberlist-udp
          protocol: UDP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_RAW
            drop:
            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/ml_secret_key
          name: memberlist
          readOnly: true
      hostNetwork: true
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 2
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
        operator: Exists
      volumes:
      - name: memberlist
        secret:
          defaultMode: 420
          secretName: memberlist
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  creationTimestamp: null
  name: metallb-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta2-bgppeer
  failurePolicy: Fail
  name: bgppeersvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta2
    operations:
    - CREATE
    - UPDATE
    resources:
    - bgppeers
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-addresspool
  failurePolicy: Fail
  name: addresspoolvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - addresspools
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-bfdprofile
  failurePolicy: Fail
  name: bfdprofilevalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - DELETE
    resources:
    - bfdprofiles
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-bgpadvertisement
  failurePolicy: Fail
  name: bgpadvertisementvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - bgpadvertisements
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-community
  failurePolicy: Fail
  name: communityvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - communities
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-ipaddresspool
  failurePolicy: Fail
  name: ipaddresspoolvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ipaddresspools
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-l2advertisement
  failurePolicy: Fail
  name: l2advertisementvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - l2advertisements
  sideEffects: None

```

#### Apply Manifest

We can kick off the deployment by applying the kubernetes manifest.

```
[root@os004k8-master001 pachyderm]# kubectl apply -f metallb-native.yaml
namespace/metallb-system created
customresourcedefinition.apiextensions.k8s.io/addresspools.metallb.io created
customresourcedefinition.apiextensions.k8s.io/bfdprofiles.metallb.io created
customresourcedefinition.apiextensions.k8s.io/bgpadvertisements.metallb.io created
customresourcedefinition.apiextensions.k8s.io/bgppeers.metallb.io created
customresourcedefinition.apiextensions.k8s.io/communities.metallb.io created
customresourcedefinition.apiextensions.k8s.io/ipaddresspools.metallb.io created
customresourcedefinition.apiextensions.k8s.io/l2advertisements.metallb.io created
serviceaccount/controller created
serviceaccount/speaker created
role.rbac.authorization.k8s.io/controller created
role.rbac.authorization.k8s.io/pod-lister created
clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
rolebinding.rbac.authorization.k8s.io/controller created
rolebinding.rbac.authorization.k8s.io/pod-lister created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
secret/webhook-server-cert created
service/webhook-service created
deployment.apps/controller created
daemonset.apps/speaker created
validatingwebhookconfiguration.admissionregistration.k8s.io/metallb-webhook-configuration created
```

Afterards we can have a look at the system to see what is created

```
[root@os004k8-master001 pachyderm]# kubectl get all -A
```

Ideally everything should be running and there should be no errors

#### A Note On The Operator

The MetalLB Operator is available on OperatorHub at operatorhub.io/operator/metallb-operator. It eases the deployment and life-cycle of MetalLB in a cluster and allows configuring MetalLB via CRDs.

The documentation mentions steps for using the operator in the case of using FRR Mode, When upgrading, or when deploying MetalLB in an environemnt where multiple different types of load balancers are being used.

### Configuration

Now that the instllation is complete, it's time to configure the solution to load balance my application.

#### IP Allocation
The first step is to define an IPAddressPool that we will allocate for the load balancer to manage. In my case I will pick an arbitrary range from my 15.0.0.0/8 subnet and elect 15.4.25.1 - 15.4.25.5.

```
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: first-pool
  namespace: metallb-system
spec:
  addresses:
  - 15.4.25.1-15.4.25.5
```

#### Announce The Service IPs

##### Layer 2
Once the IPs are assigned to a service, they must be announced. As mentioned earlier there are several options for this particular configuraiton. I will elect to use Layer 2 Advertisement as it is the simplest option and does not require any protocol-specific configuration (as it's layer 2 in the OSI model and site below the layer 3 or layer 7 which typically host the protocols being load balanced).


##### Layer2 info

https://metallb.universe.tf/concepts/layer2/

##### Layer 2 Limitations

Layer 2 mode has two main limitations you should be aware of: single-node bottlenecking, and potentially slow failover.

As explained above, in layer2 mode a single leader-elected node receives all traffic for a service IP. This means that your service’s ingress bandwidth is limited to the bandwidth of a single node. This is a fundamental limitation of using ARP and NDP to steer traffic.

In the current implementation, failover between nodes depends on cooperation from the clients. When a failover occurs, MetalLB sends a number of gratuitous layer 2 packets (a bit of a misnomer - it should really be called “unsolicited layer 2 packets”) to notify clients that the MAC address associated with the service IP has changed.

Most operating systems handle “gratuitous” packets correctly, and update their neighbor caches promptly. In that case, failover happens within a few seconds. However, some systems either don’t implement gratuitous handling at all, or have buggy implementations that delay the cache update.

All modern versions of major OSes (Windows, Mac, Linux) implement layer 2 failover correctly, so the only situation where issues may happen is with older or less common OSes.

https://metallb.universe.tf/concepts/layer2/


To make this configuration we need to define a L2Advertisement resource and associate it with the IPAddressPool resource defined previously.

```
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: example
  namespace: metallb-system
spec:
  ipAddressPools:
    - first-pool
```

**Note**: Setting no IPAddressPool selector in an L2Advertisement instance is interpreted as that instance being associated to all the IPAddressPools available.

#### Configuration Validation
MetalLB ships validation webhooks that check the validity of the CRs applied.

However, due to the fact that the global MetalLB configuration is composed by different pieces, not all of the invalid configurations are blocked by those webhooks. Because of that, if a non valid MetalLB configuration is applied, MetalLB discards it and keeps using the last valid configuration.

In future releases MetalLB will expose misconfigurations as part of Kubernetes resources, but currently the only way to understand why the configuration was not loaded is by checking the controller’s logs.



We apply the configuration

```
[root@os004k8-master001 pachyderm]# cat metallb-configuration.yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: first-pool
  namespace: metallb-system
spec:
  addresses:
  - 15.4.25.1-15.4.25.5

apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: example
  namespace: metallb-system
spec:
  ipAddressPools:
    - first-pool

[root@os004k8-master001 pachyderm]# kubectl apply -f metallb-configuration.yaml
ipaddresspool.metallb.io/first-pool created
l2advertisement.metallb.io/example created
```

We should see that two new resources are defined.

##### Check Pods Are Running
We can check the status of the applied resources. Note that these are custom resource definisions so the process of getting their status is a bit different that that of normal resources.

```
[root@os004k8-master001 pachyderm]# kubectl get customresourcedefinitions
NAME                           CREATED AT
addresspools.metallb.io        2023-05-03T15:27:08Z
bfdprofiles.metallb.io         2023-05-03T15:27:08Z
bgpadvertisements.metallb.io   2023-05-03T15:27:08Z
bgppeers.metallb.io            2023-05-03T15:27:08Z
communities.metallb.io         2023-05-03T15:27:08Z
ipaddresspools.metallb.io      2023-05-03T15:27:08Z
l2advertisements.metallb.io    2023-05-03T15:27:08Z
[root@os004k8-master001 pachyderm]# kubectl get ipaddresspools.metallb.io -A
NAMESPACE        NAME         AUTO ASSIGN   AVOID BUGGY IPS   ADDRESSES
metallb-system   first-pool   true          false             ["15.4.25.1-15.4.25.5"]
[root@os004k8-master001 pachyderm]# kubectl get l2advertisements.metallb.io -A
NAMESPACE        NAME      IPADDRESSPOOLS   IPADDRESSPOOL SELECTORS   INTERFACES
metallb-system   example   ["first-pool"]
```

These appear to be in proper order.

# Install Pachyderm On Kubernetes Cluster

Regardless of which installation method we have chosen, the steps should be reletively similar as we are essentially deployign an application to kubernetes.

## Install pachctl
The pachctl is a command-line tool that you can use to interact with a Pachyderm cluster in your terminal. It is provided as a precompiled binary available from the [github releases page](https://github.com/pachyderm/pachyderm/releases/tag/v2.5.5).

```
[root@os004k8-master001 ~]# curl -L -O https://github.com/pachyderm/pachyderm/releases/download/v2.5.5/pachctl_2.5.5_linux_amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 37.1M  100 37.1M    0     0  33.6M      0  0:00:01  0:00:01 --:--:-- 82.4M

[root@os004k8-master001 ~]# tar -xzvf pachctl_2.5.5_linux_amd64.tar.gz
pachctl_2.5.5_linux_amd64/pachctl

[root@os004k8-master001 ~]# cp pachctl_2.5.5_linux_amd64/pachctl /usr/bin/

[root@os004k8-master001 ~]# pachctl version
COMPONENT           VERSION
pachctl             2.5.5


```

**Note**:The official installation instructions can be found [here](https://docs.pachyderm.com/2.3.x/getting-started/local-installation/#install-pachctl).

## Configure Helm To Install Pachyderm Chart

### Add Helm Chart Repository

The heml package format is referred to as a chart. Similar to regular OS packages, helm charts are provided by repositories. The package manager (helmp) is configured to point to repositories to allow users to download and install packages from those repositories. Artifact Hub is a public repository providing open source helm charts.




We want to add the repo for the pachyderm repo so we can install the app on our cluster.

```
[root@os004k8-master001 ~]# helm repo add pachyderm https://helm.pachyderm.com
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
"pachyderm" has been added to your repositories

[root@os004k8-master001 ~]# helm repo update
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "pachyderm" chart repository
Update Complete. ⎈Happy Helming!⎈

```

### Inspect Helm Chart
We can ask helm for a definition of the pachyderm chart

```
[root@os004k8-master001 ~]# helm show chart pachyderm/pachyderm
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
annotations:
  artifacthub.io/license: Apache-2.0
  artifacthub.io/links: |
    - name: "Pachyderm"
      url: https://www.pachyderm.com/
    - name: "Pachyderm repo"
      url: https://github.com/pachyderm/pachyderm
    - name: "Chart repo"
      url: https://github.com/pachyderm/helmchart
  artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 2.5.5
dependencies:
- condition: postgresql.enabled
  name: postgresql
  repository: file://./dependencies/postgresql
  version: 10.8.0
- condition: pachd.lokiDeploy
  name: loki-stack
  repository: https://grafana.github.io/helm-charts
  version: 2.8.1
description: Explainable, repeatable, scalable data science
home: https://www.pachyderm.com/
icon: https://www.pachyderm.com/wp-content/themes/pachyderm/assets/img/favicons/favicon-32x32.png
keywords:
- data science
kubeVersion: '>= 1.16.0-0'
name: pachyderm
sources:
- https://github.com/pachyderm/pachyderm
- https://github.com/pachyderm/helmchart
type: application
version: 2.5.5
```

**Note**: More information about the helm chart format can be found here: https://helm.sh/docs/topics/charts/

#### Inspect Dependencies

Taking a closer look at the chart, we can wee there are dependencies listed for this chart:

```
...
dependencies:
- condition: postgresql.enabled
  name: postgresql
  repository: file://./dependencies/postgresql
  version: 10.8.0
- condition: pachd.lokiDeploy
  name: loki-stack
  repository: https://grafana.github.io/helm-charts
  version: 2.8.1
...
```

For the first dependency, we see that there is an instruction to install the postgresql chart from from a local source (the source code for this chart is specified as a relative reference). Looking at the repository in github I was able to find the code [here](https://github.com/pachyderm/pachyderm/blob/master/etc/helm/pachyderm/dependencies/postgresql/Chart.yaml). This points to  a vanilla postgress installtion [provided by bitnami](https://github.com/bitnami/charts/tree/main/bitnami/postgresql).

The second dependency points to a package called [loki-stack](https://github.com/grafana/helm-charts/blob/main/charts/loki-stack/Chart.yaml). This package is provided by the grafana project and hosts the Loki service. Grafana is the open source analytics and monitoring solution. Loki is a log aggregation system designed to store and query logs from applications and infrastructure. Loki and Grafana work together to store and to query and display the logs respectively. 
The official instructions for installing Grafana Loki canbe found [here](https://grafana.com/docs/loki/latest/installation/helm/).

#### Inspect Values
Helm was designed so that the helm charts could be defined in a flexible and customizable way. One of the ways this is facilitated is through the values object. Helm assumes the chart is a template and allows users to specify values which map into the configurations hosted in the chart. In this way a user might have a single chart for multiple database deployments; a separate values file could be used to configure each instance (i.e. set the password etc.).

We can see the values that are packaged with the helm chart in the [git repository](https://github.com/pachyderm/pachyderm/blob/master/etc/helm/pachyderm/values.yaml) or we can ask helm to tell us what values are associated with a given chart with the following:

```
### \#
[root@os004k8-master001 ~]# helm show values pachyderm/pachyderm
# SPDX-FileCopyrightText: Pachyderm, Inc. <info@pachyderm.com>
# SPDX-License-Identifier: Apache-2.0

# Deploy Target configures the storage backend to use and cloud provider
# settings (storage classes, etc). It must be one of GOOGLE, AMAZON,
# MINIO, MICROSOFT, CUSTOM or LOCAL.
deployTarget: ""

global:
  postgresql:
    # postgresqlUsername is the username to access the pachyderm and dex databases
    postgresqlUsername: "pachyderm"
    # postgresqlPassword to access the postgresql database.  We set a default well-known password to
    # facilitate easy upgrades when testing locally.  Any sort of install that needs to be secure
    # must specify a secure password here, or provide the postgresqlExistingSecretName and
    # postgresqlExistingSecretKey secret.  If using an external Postgres instance (CloudSQL / RDS /
    # etc.), this is the password that Pachyderm will use to connect to it.
    postgresqlPassword: "insecure-user-password"
    # When installing a local Postgres instance, postgresqlPostgresPassword defines the root
    # ('postgres') user's password.  It must remain consistent between upgrades, and must be
    # explicitly set to a value if security is desired.  Pachyderm does not use this account; this
    # password is only required so that administrators can manually perform administrative tasks.
    postgresqlPostgresPassword: "insecure-root-password"
    # The auth type to use with postgres and pg-bouncer. md5 is the default
    postgresqlAuthType: "md5"
    # If you want to supply the postgresql password in an existing secret, leave Password blank and
    # Supply the name of the existing secret in the namespace and the key in that secret with the password
    postgresqlExistingSecretName: ""
    postgresqlExistingSecretKey: ""
    # postgresqlDatabase is the database name where pachyderm data will be stored
    postgresqlDatabase: "pachyderm"
    # The postgresql database host to connect to. Defaults to postgres service in subchart
    postgresqlHost: "postgres"
    # The postgresql database port to connect to. Defaults to postgres server in subchart
    postgresqlPort: "5432"
    # postgresqlSSL is the SSL mode to use for pg-bouncer connecting to Postgres, for the default local postgres it is disabled
    postgresqlSSL: "disable"
    # CA Certificate required to connect to Postgres
    postgresqlSSLCACert: ""
    # TLS Secret with cert/key to connect to Postgres
    postgresqlSSLSecret: ""
    # Indicates the DB name that dex connects to
    # Indicates the DB name that dex connects to. Defaults to "Dex" if not set.
    identityDatabaseFullNameOverride: ""
  # imagePullSecrets allow you to pull images from private repositories, these will also be added to pipeline workers
  # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  # Example:
  # imagePullSecrets:
  #   - regcred
  imagePullSecrets: []
  # when set, the certificate file in pachd-tls-cert will be loaded as the root certificate for pachd, console, and enterprise-server pods
  customCaCerts: false
  # Sets the HTTP/S proxy server address for console, pachd, and enterprise server.  (This is for
  # traffic leaving the cluster, not traffic coming into the cluster.)
  proxy: ""
  # If proxy is set, this allows you to set a comma-separated list of destinations that bypass the proxy
  noProxy: ""
  # Set security context runAs users. If running on openshift, set enabled to false as openshift creates its own contexts.
  securityContexts:
    enabled: true

console:
  # enabled controls whether the console manifests are created or not.
  enabled: true
  annotations: {}
  image:
    # repository is the image repo to pull from; together with tag it
    # replicates the --console-image & --registry arguments to pachctl
    # deploy.
    repository: "pachyderm/haberdashery"
    pullPolicy: "IfNotPresent"
    # tag is the image repo to pull from; together with repository it
    # replicates the --console-image argument to pachctl deploy.
    tag: "2.5.5-1"
  priorityClassName: ""
  nodeSelector: {}
  tolerations: []
  # podLabels specifies labels to add to the console pod.
  podLabels: {}
  # resources specifies the resource request and limits.
  resources:
    {}
    #limits:
    #  cpu: "1"
    #  memory: "2G"
    #requests:
    #  cpu: "1"
    #  memory: "2G"
  config:
    reactAppRuntimeIssuerURI: "" # Inferred if running locally or using ingress
    oauthRedirectURI: "" # Infered if running locally or using ingress
    oauthClientID: "console"
    oauthClientSecret: "" # Autogenerated on install if blank
    # oauthClientSecretSecretName is used to set the OAuth Client Secret via an existing k8s secret.
    # The value is pulled from the key, "OAUTH_CLIENT_SECRET".
    oauthClientSecretSecretName: ""
    graphqlPort: 4000
    pachdAddress: "pachd-peer:30653"
    disableTelemetry: false # Disables analytics and error data collection

  service:
    annotations: {}
    # labels specifies labels to add to the console service.
    labels: {}
    # type specifies the Kubernetes type of the console service.
    type: ClusterIP

etcd:
  affinity: {}
  annotations: {}
  # dynamicNodes sets the number of nodes in the etcd StatefulSet.  It
  # is analogous to the --dynamic-etcd-nodes argument to pachctl
  # deploy.
  dynamicNodes: 1
  image:
    repository: "pachyderm/etcd"
    tag: "v3.5.5"
    pullPolicy: "IfNotPresent"
  # maxTxnOps sets the --max-txn-ops in the container args
  maxTxnOps: 10000
  priorityClassName: ""
  nodeSelector: {}
  # podLabels specifies labels to add to the etcd pod.
  podLabels: {}
  # resources specifies the resource request and limits
  resources:
    {}
    #limits:
    #  cpu: "1"
    #  memory: "2G"
    #requests:
    #  cpu: "1"
    #  memory: "2G"
  # storageClass indicates the etcd should use an existing
  # StorageClass for its storage.  It is analogous to the
  # --etcd-storage-class argument to pachctl deploy.
  # More info for setting up storage classes on various cloud providers:
  # AWS: https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html
  # GCP: https://cloud.google.com/compute/docs/disks/performance#disk_types
  # Azure: https://docs.microsoft.com/en-us/azure/aks/concepts-storage#storage-classes
  storageClass: ""
  # storageSize specifies the size of the volume to use for etcd.
  # Recommended Minimum Disk size for Microsoft/Azure: 256Gi  - 1,100 IOPS https://azure.microsoft.com/en-us/pricing/details/managed-disks/
  # Recommended Minimum Disk size for Google/GCP: 50Gi        - 1,500 IOPS https://cloud.google.com/compute/docs/disks/performance
  # Recommended Minimum Disk size for Amazon/AWS: 500Gi (GP2) - 1,500 IOPS https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html
  storageSize: 10Gi
  service:
    # annotations specifies annotations to add to the etcd service.
    annotations: {}
    # labels specifies labels to add to the etcd service.
    labels: {}
    # type specifies the Kubernetes type of the etcd service.
    type: ClusterIP
  tolerations: []

enterpriseServer:
  enabled: false
  affinity: {}
  annotations: {}
  tolerations: []
  priorityClassName: ""
  nodeSelector: {}
  service:
    type: ClusterIP
    apiGRPCPort: 31650
    prometheusPort: 31656
    oidcPort: 31657
    identityPort: 31658
    s3GatewayPort: 31600
  # There are three options for TLS:
  # 1. Disabled
  # 2. Enabled, existingSecret, specify secret name
  # 3. Enabled, newSecret, must specify cert, key and name
  tls:
    enabled: false
    secretName: ""
    newSecret:
      create: false
      crt: ""
      key: ""
  resources:
    {}
    #limits:
    #  cpu: "1"
    #  memory: "2G"
    #requests:
    #  cpu: "1"
    #  memory: "2G"
  # podLabels specifies labels to add to the pachd pod.
  podLabels: {}
  clusterDeploymentID: ""
  image:
    repository: "pachyderm/pachd"
    pullPolicy: "IfNotPresent"
    # tag defaults to the chart’s specified appVersion.
    tag: ""

ingress:
  enabled: false
  annotations: {}
  host: ""
  # when set to true, uriHttpsProtoOverride will add the https protocol to the ingress URI routes without configuring certs
  uriHttpsProtoOverride: false
  # There are three options for TLS:
  # 1. Disabled
  # 2. Enabled, existingSecret, specify secret name
  # 3. Enabled, newSecret, must specify cert, key, secretName and set newSecret.create to true
  tls:
    enabled: false
    secretName: ""
    newSecret:
      create: false
      crt: ""
      key: ""

# loki-stack contains values that will be passed to the loki-stack subchart
loki-stack:
  loki:
    serviceAccount:
      automountServiceAccountToken: false
    persistence:
      enabled: true
      accessModes:
        - ReadWriteOnce
      size: 10Gi
      # More info for setting up storage classes on various cloud providers:
      # AWS: https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html
      # GCP: https://cloud.google.com/compute/docs/disks/performance#disk_types
      # Azure: https://docs.microsoft.com/en-us/azure/aks/concepts-storage#storage-classes
      storageClassName: ""
      annotations: {}
      priorityClassName: ""
      nodeSelector: {}
      tolerations: []
    config:
      server:
        grpc_server_max_recv_msg_size: 67108864 # 64MiB
      query_scheduler:
        grpc_client_config:
          max_send_msg_size: 67108864 # 64MiB
      limits_config:
        retention_period: 24h
        retention_stream:
          - selector: '{suite="pachyderm"}'
            priority: 1
            period: 168h # = 1 week
  grafana:
    enabled: false
  promtail:
    config:
      clients:
        - url: "http://{{ .Release.Name }}-loki:3100/loki/api/v1/push"
      snippets:
        # The scrapeConfigs section is copied from loki-stack-2.6.4
        # The pipeline_stages.match stanza has been added to prevent multiple lokis in a cluster from mixing their logs.
        scrapeConfigs: |
          - job_name: kubernetes-pods
            pipeline_stages:
              {{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }}
              - match:
                  selector: '{namespace!="{{ .Release.Namespace }}"}'
                  action: drop
            kubernetes_sd_configs:
              - role: pod
            relabel_configs:
              - source_labels:
                  - __meta_kubernetes_pod_controller_name
                regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
                action: replace
                target_label: __tmp_controller_name
              - source_labels:
                  - __meta_kubernetes_pod_label_app_kubernetes_io_name
                  - __meta_kubernetes_pod_label_app
                  - __tmp_controller_name
                  - __meta_kubernetes_pod_name
                regex: ^;*([^;]+)(;.*)?$
                action: replace
                target_label: app
              - source_labels:
                  - __meta_kubernetes_pod_label_app_kubernetes_io_instance
                  - __meta_kubernetes_pod_label_release
                regex: ^;*([^;]+)(;.*)?$
                action: replace
                target_label: instance
              - source_labels:
                  - __meta_kubernetes_pod_label_app_kubernetes_io_component
                  - __meta_kubernetes_pod_label_component
                regex: ^;*([^;]+)(;.*)?$
                action: replace
                target_label: component
              {{- if .Values.config.snippets.addScrapeJobLabel }}
              - replacement: kubernetes-pods
                target_label: scrape_job
              {{- end }}
              {{- toYaml .Values.config.snippets.common | nindent 4 }}
              {{- with .Values.config.snippets.extraRelabelConfigs }}
              {{- toYaml . | nindent 4 }}
              {{- end }}
        pipelineStages:
          - cri: {}
        common:
          # This is copy and paste of existing actions, so we don't lose them.
          # Cf. https://github.com/grafana/loki/issues/3519#issuecomment-1125998705
          - action: replace
            source_labels:
              - __meta_kubernetes_pod_node_name
            target_label: node_name
          - action: replace
            source_labels:
              - __meta_kubernetes_namespace
            target_label: namespace
          - action: replace
            replacement: $1
            separator: /
            source_labels:
              - namespace
              - app
            target_label: job
          - action: replace
            source_labels:
              - __meta_kubernetes_pod_name
            target_label: pod
          - action: replace
            source_labels:
              - __meta_kubernetes_pod_container_name
            target_label: container
          - action: replace
            replacement: /var/log/pods/*$1/*.log
            separator: /
            source_labels:
              - __meta_kubernetes_pod_uid
              - __meta_kubernetes_pod_container_name
            target_label: __path__
          - action: replace
            regex: true/(.*)
            replacement: /var/log/pods/*$1/*.log
            separator: /
            source_labels:
              - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
              - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
              - __meta_kubernetes_pod_container_name
            target_label: __path__
          - action: keep
            regex: pachyderm
            source_labels:
              - __meta_kubernetes_pod_label_suite
          # this gets all kubernetes labels as well
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
    # Tolerations for promtail pods. Promtail must run on any node where pachyderm resources will run or you won't get any logs for them
    # For example, GKE gpu nodes have a default taint of nvidia.com/gpu=present:NoSchedule so if you use GPUs we wouldn't have logs
    tolerations: []
    livenessProbe:
      failureThreshold: 5
      tcpSocket:
        port: http-metrics
      initialDelaySeconds: 10
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1

# The pachw controller creates a pool of pachd instances running in 'pachw' mode which can dynamically scale to handle
# storage related tasks
pachw:
  # When set to true, inheritFromPachd defaults below configuration options like 'resources' and 'tolerations' to
  # values from pachd. These values can be overridden by defining the corresponding pachw values below.
  # When set to false, a nil value will be used by default instead. Some configuration variables will always use their
  # corresponding pachd value, regardless of whether 'inheritFromPachd' is true, such as 'serviceAccountName'
  inheritFromPachd: true
  # inSidecars is enabled by default to also process storage related tasks in pipeline storage sidecars like version 2.4 or less.
  # when enabled, pachw instances can still run in their own dedicated kubernetes deployment if maxReplicas is greater than 0.
  # For more control of where pachw instances run, 'inSidecars' can be disabled.
  inSidecars: true
  maxReplicas: 1
  # minReplicas: 0
  # We recommend defining resources when running pachw with a high value of maxReplicas.
  #resources:
  #  limits:
  #    cpu: "1"
  #    memory: "2G"
  #  requests:
  #    cpu: "1"
  #  memory: "2G"
  #
  #tolerations: []
  #affinity: {}
  #nodeSelector: {}
pachd:
  enabled: true
  preflightChecks:
    # if enabled runs kube validation preflight checks.
    enabled: true
  affinity: {}
  annotations: {}
  # clusterDeploymentID sets the Pachyderm cluster ID.
  clusterDeploymentID: ""
  configJob:
    annotations: {}
  # goMaxProcs is passed as GOMAXPROCS to the pachd container.  pachd can automatically pick an
  # optimal GOMAXPROCS from the configured CPU limit, but this overrides it.
  goMaxProcs: 0
  # goMemLimit is passed as GOMEMLIMIT to the pachd container. pachd can automatically pick an
  # optimal GOMEMLIMIT from the configured memory request or limit, but this overrides it.  This is a string
  # because it can be something like '256MiB'.
  goMemLimit: ""
  # gcPercent sets the initial garbage collection target percentage.
  gcPercent: 0
  image:
    repository: "pachyderm/pachd"
    pullPolicy: "IfNotPresent"
    # tag defaults to the chart’s specified appVersion.
    # This sets the worker image tag as well (they should be kept in lock step)
    tag: ""
  logLevel: "info"
  disableLogSampling: false
  developmentLogger: false
  # If lokiDeploy is true, a Pachyderm-specific instance of Loki will
  # be deployed.
  lokiDeploy: true
  # lokiLogging enables Loki logging if set.
  lokiLogging: true
  metrics:
    # enabled sets the METRICS environment variable if set.
    enabled: true
    # endpoint should be the URL of the metrics endpoint.
    endpoint: ""
  priorityClassName: ""
  nodeSelector: {}
  # podLabels specifies labels to add to the pachd pod.
  podLabels: {}
  # resources specifies the resource requests and limits
  # replicas sets the number of pachd running pods
  replicas: 1
  resources:
    {}
    #limits:
    #  cpu: "1"
    #  memory: "2G"
    #requests:
    #  cpu: "1"
    #  memory: "2G"
  # requireCriticalServersOnly only requires the critical pachd
  # servers to startup and run without errors.  It is analogous to the
  # --require-critical-servers-only argument to pachctl deploy.
  requireCriticalServersOnly: false
  # If enabled, External service creates a service which is safe to
  # be exposed externally
  externalService:
    enabled: false
    # (Optional) specify the existing IP Address of the load balancer
    loadBalancerIP: ""
    apiGRPCPort: 30650
    s3GatewayPort: 30600
    annotations: {}
  service:
    # labels specifies labels to add to the pachd service.
    labels: {}
    # type specifies the Kubernetes type of the pachd service.
    type: "ClusterIP"
    annotations: {}
    apiGRPCPort: 30650
    prometheusPort: 30656
    oidcPort: 30657
    identityPort: 30658
    s3GatewayPort: 30600
    #apiGrpcPort:
    #  expose: true
    #  port: 30650
  # DEPRECATED: activateEnterprise is no longer used.
  activateEnterprise: false
  ## if pachd.activateEnterpriseMember is set, enterprise will be activated and connected to an existing enterprise server.
  ## if pachd.enterpriseLicenseKey is set, enterprise will be activated.
  activateEnterpriseMember: false
  ## if pachd.activateAuth is set, auth will be bootstrapped by the config-job.
  activateAuth: true
  ## the license key used to activate enterprise features
  enterpriseLicenseKey: ""
  # enterpriseLicenseKeySecretName is used to pass the enterprise license key value via an existing k8s secret.
  # The value is pulled from the key, "enterprise-license-key".
  enterpriseLicenseKeySecretName: ""
  # if a token is not provided, a secret will be autogenerated on install and stored in the k8s secret 'pachyderm-bootstrap-config.rootToken'
  rootToken: ""
  # rootTokenSecretName is used to pass the rootToken value via an existing k8s secret
  # The value is pulled from the key, "root-token".
  rootTokenSecretName: ""
  # if a secret is not provided, a secret will be autogenerated on install and stored in the k8s secret 'pachyderm-bootstrap-config.enterpriseSecret'
  enterpriseSecret: ""
  # enterpriseSecretSecretName is used to pass the enterprise secret value via an existing k8s secret.
  # The value is pulled from the key, "enterprise-secret".
  enterpriseSecretSecretName: ""
  # if a secret is not provided, a secret will be autogenerated on install and stored in the k8s secret 'pachyderm-bootstrap-config.authConfig.clientSecret'
  oauthClientID: pachd
  oauthClientSecret: ""
  # oauthClientSecretSecretName is used to set the OAuth Client Secret via an existing k8s secret.
  # The value is pulled from the key, "pachd-oauth-client-secret".
  oauthClientSecretSecretName: ""
  oauthRedirectURI: ""
  # DEPRECATED: enterpriseRootToken is deprecated, in favor of enterpriseServerToken
  # NOTE only used if pachd.activateEnterpriseMember == true
  enterpriseRootToken: ""
  # DEPRECATED: enterpriseRootTokenSecretName is deprecated in favor of enterpriseServerTokenSecretName
  # enterpriseRootTokenSecretName is used to pass the enterpriseRootToken value via an existing k8s secret.
  # The value is pulled from the key, "enterprise-root-token".
  enterpriseRootTokenSecretName: ""
  # enterpriseServerToken represents a token that can authenticate to a separate pachyderm enterprise server,
  # and is used to complete the enterprise member registration process for this pachyderm cluster.
  # The user backing this token should have either the licenseAdmin & identityAdmin roles assigned, or
  # the clusterAdmin role.
  # NOTE: only used if pachd.activateEnterpriseMember == true
  enterpriseServerToken: ""
  # enterpriseServerTokenSecretName is used to pass the enterpriseServerToken value via an existing k8s secret.
  # The value is pulled from the key, "enterprise-server-token".
  enterpriseServerTokenSecretName: ""
  # only used if pachd.activateEnterpriseMember == true
  enterpriseServerAddress: ""
  enterpriseCallbackAddress: ""
  # Indicates to pachd whether dex is embedded in its process.
  localhostIssuer: "" # "true", "false", or "" (used string as bool doesn't support empty value)
  # set the initial pachyderm cluster role bindings, mapping a user to their list of roles
  # ex.
  # pachAuthClusterRoleBindings:
  #   robot:wallie:
  #   - repoReader
  #   robot:eve:
  #   - repoWriter
  pachAuthClusterRoleBindings: {}
  # additionalTrustedPeers is used to configure the identity service to recognize additional OIDC clients as trusted peers of pachd.
  # For example, see the following example or the dex docs (https://dexidp.io/docs/custom-scopes-claims-clients/#cross-client-trust-and-authorized-party).
  # additionalTrustedPeers:
  #   - example-app
  additionalTrustedPeers: []
  serviceAccount:
    create: true
    additionalAnnotations: {}
    name: "pachyderm" #TODO Set default in helpers / Wire up in templates
  storage:
    # backend configures the storage backend to use.  It must be one
    # of GOOGLE, AMAZON, MINIO, MICROSOFT or LOCAL. This is set automatically
    # if deployTarget is GOOGLE, AMAZON, MICROSOFT, or LOCAL
    backend: ""
    amazon:
      # bucket sets the S3 bucket to use.
      bucket: ""
      # cloudFrontDistribution sets the CloudFront distribution in the
      # storage secrets.  It is analogous to the
      # --cloudfront-distribution argument to pachctl deploy.
      cloudFrontDistribution: ""
      customEndpoint: ""
      # disableSSL disables SSL.  It is analogous to the --disable-ssl
      # argument to pachctl deploy.
      disableSSL: false
      # id sets the Amazon access key ID to use.  Together with secret
      # and token, it implements the functionality of the
      # --credentials argument to pachctl deploy.
      id: ""
      # logOptions sets various log options in Pachyderm’s internal S3
      # client.  Comma-separated list containing zero or more of:
      # 'Debug', 'Signing', 'HTTPBody', 'RequestRetries',
      # 'RequestErrors', 'EventStreamBody', or 'all'
      # (case-insensitive).  See 'AWS SDK for Go' docs for details.
      # logOptions is analogous to the --obj-log-options argument to
      # pachctl deploy.
      logOptions: ""
      # maxUploadParts sets the maximum number of upload parts.  It is
      # analogous to the --max-upload-parts argument to pachctl
      # deploy.
      maxUploadParts: 10000
      # verifySSL performs SSL certificate verification.  It is the
      # inverse of the --no-verify-ssl argument to pachctl deploy.
      verifySSL: true
      # partSize sets the part size for object storage uploads.  It is
      # analogous to the --part-size argument to pachctl deploy.  It
      # has to be a string due to Helm and YAML parsing integers as
      # floats.  Cf. https://github.com/helm/helm/issues/1707
      partSize: "5242880"
      # region sets the AWS region to use.
      region: ""
      # retries sets the number of retries for object storage
      # requests.  It is analogous to the --retries argument to
      # pachctl deploy.
      retries: 10
      # reverse reverses object storage paths.  It is analogous to the
      # --reverse argument to pachctl deploy.
      reverse: true
      # secret sets the Amazon secret access key to use.  Together with id
      # and token, it implements the functionality of the
      # --credentials argument to pachctl deploy.
      secret: ""
      # timeout sets the timeout for object storage requests.  It is
      # analogous to the --timeout argument to pachctl deploy.
      timeout: "5m"
      # token optionally sets the Amazon token to use.  Together with
      # id and secret, it implements the functionality of the
      # --credentials argument to pachctl deploy.
      token: ""
      # uploadACL sets the upload ACL for object storage uploads.  It
      # is analogous to the --upload-acl argument to pachctl deploy.
      uploadACL: "bucket-owner-full-control"
    google:
      bucket: ""
      # cred is a string containing a GCP service account private key,
      # in object (JSON or YAML) form.  A simple way to pass this on
      # the command line is with the set-file flag, e.g.:
      #
      #  helm install pachd -f my-values.yaml --set-file storage.google.cred=creds.json pachyderm/pachyderm
      cred: ""
      # Example:
      # cred: |
      #  {
      #    "type": "service_account",
      #    "project_id": "…",
      #    "private_key_id": "…",
      #    "private_key": "-----BEGIN PRIVATE KEY-----\n…\n-----END PRIVATE KEY-----\n",
      #    "client_email": "…@….iam.gserviceaccount.com",
      #    "client_id": "…",
      #    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      #    "token_uri": "https://oauth2.googleapis.com/token",
      #    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      #    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/…%40….iam.gserviceaccount.com"
      #  }
    local:
      # hostPath indicates the path on the host where the PFS metadata
      # will be stored.  It must end in /.  It is analogous to the
      # --host-path argument to pachctl deploy.
      hostPath: ""
      requireRoot: true #Root required for hostpath, but we run rootless in CI
    microsoft:
      container: ""
      id: ""
      secret: ""
    minio:
      # minio bucket name
      bucket: ""
      # the minio endpoint. Should only be the hostname:port, no http/https.
      endpoint: ""
      # the username/id with readwrite access to the bucket.
      id: ""
      # the secret/password of the user with readwrite access to the bucket.
      secret: ""
      # enable https for minio with "true" defaults to "false"
      secure: ""
      # Enable S3v2 support by setting signature to "1". This feature is being deprecated
      signature: ""
    # putFileConcurrencyLimit sets the maximum number of files to
    # upload or fetch from remote sources (HTTP, blob storage) using
    # PutFile concurrently.  It is analogous to the
    # --put-file-concurrency-limit argument to pachctl deploy.
    putFileConcurrencyLimit: 100
    # uploadConcurrencyLimit sets the maximum number of concurrent
    # object storage uploads per Pachd instance.  It is analogous to
    # the --upload-concurrency-limit argument to pachctl deploy.
    uploadConcurrencyLimit: 100
    # The shard size corresponds to the total size of the files in a shard.
    # The shard count corresponds to the total number of files in a shard.
    # If either criteria is met, a shard will be created.
    # values are strings
    compactionShardSizeThreshold: "0"
    compactionShardCountThreshold: "0"
    memoryThreshold: 0
    levelFactor: 0
    maxFanIn: 10
    maxOpenFileSets: 50
    # diskCacheSize and memoryCacheSize are defined in units of 8 Mb chunks. The default is 100 chunks which is 800 Mb.
    diskCacheSize: 100
    memoryCacheSize: 100
  ppsWorkerGRPCPort: 1080
  # the number of seconds between pfs's garbage collection cycles.
  # if this value is set to 0, it will default to pachyderm's internal configuration.
  # if this value is less than 0, it will turn off garbage collection.
  storageGCPeriod: 0
  # the number of seconds between chunk garbage colletion cycles.
  # if this value is set to 0, it will default to pachyderm's internal configuration.
  # if this value is less than 0, it will turn off chunk garbage collection.
  storageChunkGCPeriod: 0
  # There are three options for TLS:
  # 1. Disabled
  # 2. Enabled, existingSecret, specify secret name
  # 3. Enabled, newSecret, must specify cert, key and name
  tls:
    enabled: false
    secretName: ""
    newSecret:
      create: false
      crt: ""
      key: ""
  tolerations: []
  worker:
    image:
      repository: "pachyderm/worker"
      pullPolicy: "IfNotPresent"
      # Worker tag is set under pachd.image.tag (they should be kept in lock step)
    serviceAccount:
      create: true
      additionalAnnotations: {}
      # name sets the name of the worker service account.  Analogous to
      # the --worker-service-account argument to pachctl deploy.
      name: "pachyderm-worker" #TODO Set default in helpers / Wire up in templates
  rbac:
    # create indicates whether RBAC resources should be created.
    # Setting it to false is analogous to passing --no-rbac to pachctl
    # deploy.
    create: true
  # Set up default resources for pipelines that don't include any requests or limits.  The values
  # are k8s resource quantities, so "1Gi", "2", etc.  Set to "0" to disable setting any defaults.
  defaultPipelineCPURequest: ""
  defaultPipelineMemoryRequest: ""
  defaultPipelineStorageRequest: ""
kubeEventTail:
  # Deploys a lightweight app that watches kubernetes events and echos them to logs.
  enabled: true
  # clusterScope determines whether kube-event-tail should watch all events or just events in its namespace.
  clusterScope: false
  image:
    repository: pachyderm/kube-event-tail
    pullPolicy: "IfNotPresent"
    tag: "v0.0.7"
  resources:
    limits:
      cpu: "1"
      memory: 100Mi
    requests:
      cpu: 100m
      memory: 45Mi

pgbouncer:
  service:
    type: ClusterIP
  annotations: {}
  priorityClassName: ""
  nodeSelector: {}
  tolerations: []
  image:
    repository: pachyderm/pgbouncer
    tag: 1.16.2
  resources:
    {}
    #limits:
    #  cpu: "1"
    #  memory: "2G"
    #requests:
    #  cpu: "1"
    #  memory: "2G"
  # maxConnections specifies the maximum number of concurrent connections into pgbouncer.
  maxConnections: 1000
  # defaultPoolSize specifies the maximum number of concurrent connections from pgbouncer to the postgresql database.
  defaultPoolSize: 20

# Note: Postgres values control the Bitnami Postgresql Subchart
postgresql:
  # enabled controls whether to install postgres or not.
  # If not using the built in Postgres, you must specify a Postgresql
  # database server to connect to in global.postgresql
  # The enabled value is watched by the 'condition' set on the Postgresql
  # dependency in Chart.yaml
  enabled: true
  image:
    repository: pachyderm/postgresql
    tag: "13.3.0"
  # DEPRECATED from pachyderm 2.1.5
  initdbScripts:
    dex.sh: |
      #!/bin/bash
      set -e
      psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
        CREATE DATABASE dex;
        GRANT ALL PRIVILEGES ON DATABASE dex TO "$POSTGRES_USER";
      EOSQL
  fullnameOverride: postgres
  persistence:
    # Specify the storage class for the postgresql Persistent Volume (PV)
    # See notes in Bitnami chart values.yaml file for more information.
    # More info for setting up storage classes on various cloud providers:
    # AWS: https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html
    # GCP: https://cloud.google.com/compute/docs/disks/performance#disk_types
    # Azure: https://docs.microsoft.com/en-us/azure/aks/concepts-storage#storage-classes
    storageClass: ""
    # storageSize specifies the size of the volume to use for postgresql
    # Recommended Minimum Disk size for Microsoft/Azure: 256Gi  - 1,100 IOPS https://azure.microsoft.com/en-us/pricing/details/managed-disks/
    # Recommended Minimum Disk size for Google/GCP: 50Gi        - 1,500 IOPS https://cloud.google.com/compute/docs/disks/performance
    # Recommended Minimum Disk size for Amazon/AWS: 500Gi (GP2) - 1,500 IOPS https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html
    size: 10Gi
    labels:
      suite: pachyderm
  primary:
    priorityClassName: ""
    nodeSelector: {}
    tolerations: []
  readReplicas:
    priorityClassName: ""
    nodeSelector: {}
    tolerations: []

cloudsqlAuthProxy:
  # connectionName may be found by running `gcloud sql instances describe INSTANCE_NAME --project PROJECT_ID`
  connectionName: ""
  serviceAccount: ""
  iamLogin: false
  port: 5432
  enabled: false
  image:
    # repository is the image repo to pull from; together with tag it
    # replicates the --dash-image & --registry arguments to pachctl
    # deploy.
    repository: "gcr.io/cloudsql-docker/gce-proxy"
    pullPolicy: "IfNotPresent"
    # tag is the image repo to pull from; together with repository it
    # replicates the --dash-image argument to pachctl deploy.
    tag: "1.23.0"
  priorityClassName: ""
  nodeSelector: {}
  tolerations: []
  # podLabels specifies labels to add to the dash pod.
  podLabels: {}
  # resources specifies the resource request and limits.
  resources: {}
  #  requests:
  #    # The proxy's memory use scales linearly with the number of active
  #    # connections. Fewer open connections will use less memory. Adjust
  #    # this value based on your application's requirements.
  #    memory: ""
  #    # The proxy's CPU use scales linearly with the amount of IO between
  #    # the database and the application. Adjust this value based on your
  #    # application's requirements.
  #    cpu: ""
  service:
    # labels specifies labels to add to the cloudsql auth proxy service.
    labels: {}
    # type specifies the Kubernetes type of the cloudsql auth proxy service.
    type: ClusterIP

oidc:
  issuerURI: "" #Inferred if running locally or using ingress
  requireVerifiedEmail: false
  # IDTokenExpiry is parsed into golang's time.Duration: https://pkg.go.dev/time#example-ParseDuration
  IDTokenExpiry: 24h
  # (Optional) If set, enables OIDC rotation tokens, and specifies the duration where they are valid.
  # RotationTokenExpiry is parsed into golang's time.Duration: https://pkg.go.dev/time#example-ParseDuration
  RotationTokenExpiry: 48h
  # (Optional) Only set in cases where the issuerURI is not user accessible (ie. localhost install)
  userAccessibleOauthIssuerHost: ""
  ## to set up upstream IDPs, set pachd.mockIDP to false,
  ## and populate the pachd.upstreamIDPs with an array of Dex Connector configurations.
  ## See the example below or https://dexidp.io/docs/connectors/
  # upstreamIDPs:
  #   - id: idpConnector
  #     config:
  #       issuer: ""
  #       clientID: ""
  #       clientSecret: ""
  #       redirectURI: "http://localhost:30658/callback"
  #       insecureEnableGroups: true
  #       insecureSkipEmailVerified: true
  #       insecureSkipIssuerCallbackDomainCheck: true
  #       forwardedLoginParams:
  #       - login_hint
  #     name: idpConnector
  #     type: oidc
  #
  #   - id: okta
  #     config:
  #       issuer: "https://dev-84362674.okta.com"
  #       clientID: "client_id"
  #       clientSecret: "notsecret"
  #       redirectURI: "http://localhost:30658/callback"
  #       insecureEnableGroups: true
  #       insecureSkipEmailVerified: true
  #       insecureSkipIssuerCallbackDomainCheck: true
  #       forwardedLoginParams:
  #       - login_hint
  #     name: okta
  #     type: oidc
  upstreamIDPs: []
  # upstreamIDPsSecretName is used to pass the upstreamIDPs value via an existing k8s secret.
  # The value is pulled from the secret key, "upstream-idps".
  upstreamIDPsSecretName: ""
  # Some dex configurations (like Google) require a credential file. Whatever secret is included in this
  # below secret will be mounted to the pachd pod at /dexcreds/ so for example serviceAccountFilePath: /dexcreds/googleAuth.json
  dexCredentialSecretName: ""
  mockIDP: true
  # additionalClients specifies a list of clients for the cluster to recognize
  # See the ecample below or the dex docs (https://dexidp.io/docs/using-dex/#configuring-your-app).
  # additionalOIDCClient:
  #   - id: example-app
  #     secret: example-app-secret
  #     name: 'Example App'
  #     redirectURIs:
  #     - 'http://127.0.0.1:5555/callback'
  additionalClients: []
  additionalClientsSecretName: ""
  #TODO scopes:

testConnection:
  image:
    repository: alpine
    tag: latest

# The proxy is a service to handle all Pachyderm traffic (S3, Console, OIDC, Dex, GRPC) on a single
# port; good for exposing directly to the Internet.
proxy:
  # If enabled, create a proxy deployment (based on the Envoy proxy) and a service to expose it.  If
  # ingress is also enabled, any Ingress traffic will be routed through the proxy before being sent
  # to pachd or Console.
  enabled: true
  # The external hostname (including port if nonstandard) that the proxy will be reachable at.
  # If you have ingress enabled and an ingress hostname defined, the proxy will use that.
  # Ingress will be deprecated in the future so configuring the proxy host instead is recommended.
  host: ""
  # The number of proxy replicas to run.  1 should be fine, but if you want more for higher
  # availability, that's perfectly reasonable.  Each replica can handle 50,000 concurrent
  # connections.  There is an affinity rule to prefer scheduling the proxy pods on the same node as
  # pachd, so a number here that matches the number of pachd replicas is a fine configuration.
  # (Note that we don't guarantee to keep the proxy<->pachd traffic on-node or even in-region.)
  replicas: 1
  # The envoy image to pull.
  image:
    repository: "envoyproxy/envoy-distroless"
    tag: "v1.24.1"
    pullPolicy: "IfNotPresent"
  # Set up resources.  The proxy is configured to shed traffic before using 500MB of RAM, so that's
  # a resonable memory limit.  It doesn't need much CPU.
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      memory: 512Mi
  # Any additional labels to add to the pods.  These are also added to the deployment and service
  # selectors.
  labels: {}
  # Any additional annotations to add to the pods.
  annotations: {}
  # A nodeSelector statement for each pod in the proxy Deployment, if desired.
  nodeSelector: {}
  # A tolerations statement for each pod in the proxy Deployment, if desired.
  tolerations: []
  # A priority class name for each pod in the proxy Deployment, if desired.
  priorityClassName: ""
  # Configure the service that routes traffic to the proxy.
  service:
    # The type of service can be ClusterIP, NodePort, or LoadBalancer.
    type: ClusterIP
    # If the service is a LoadBalancer, you can specify the IP address to use.
    loadBalancerIP: ""
    # The port to serve plain HTTP traffic on.
    httpPort: 80
    # The port to serve HTTPS traffic on, if enabled below.
    httpsPort: 443
    # If the service is a NodePort, you can specify the port to receive HTTP traffic on.
    httpNodePort: 30080
    httpsNodePort: 30443
    # Any additional annotations to add.
    annotations: {}
    # Any additional labels to add to the service itself (not the selector!).
    labels: {}
    # The proxy can also serve each backend service on a numbered port, and will do so for any port
    # not numbered 0 here.  If this service is of type NodePort, the port numbers here will be used
    # for the node port, and will need to be in the node port range.
    legacyPorts:
      console: 0 # legacy 30080, conflicts with default httpNodePort
      grpc: 0 # legacy 30650
      s3Gateway: 0 # legacy 30600
      oidc: 0 # legacy 30657
      identity: 0 # legacy 30658
      metrics: 0 # legacy 30656
    # externalTrafficPolicy determines cluster-wide routing policy; see "kubectl explain
    # service.spec.externalTrafficPolicy".
    externalTrafficPolicy: ""
  # Configuration for TLS (SSL, HTTPS).
  tls:
    # If true, enable TLS serving.  Enabling TLS is incompatible with support for legacy ports (you
    # can't get a generally-trusted certificate for port numbers), and disables support for
    # cleartext communication (cleartext requests will redirect to the secure server, and HSTS
    # headers are set to prevent downgrade attacks).
    #
    # Note that if you are planning on putting the proxy behind an ingress controller, you probably
    # want to configure TLS for the ingress controller, not the proxy.  This is intended for the
    # case where the proxy is exposed directly to the Internet.  (It is possible to have your
    # ingress controller talk to the proxy over TLS, in which case, it's fine to enable TLS here in
    # addition to in the ingress section above.)
    enabled: false
    # The secret containing "tls.key" and "tls.crt" keys that contain PEM-encoded private key and
    # certificate material.  Generate one with "kubectl create secret tls <name> --key=tls.key
    # --cert=tls.cert".  This format is compatible with the secrets produced by cert-manager, and
    # the proxy will pick up new data when cert-manager rotates the certificate.
    secretName: ""
    # If set, generate the secret from values here.  This is intended only for unit tests.
    secret: {}
```


## Deploy Persistent Volumes Kubernetes

The pachyderm solution will rely on several services to make the solution work. Such as etcd, postgresql, loki, and others. These services in particular will require access to storage. 

We will provide storage to kubernetes hosted services through a kubernetes resource called Persistend Volumes.

### Understanding Volumes
> Volumes
>
> On-disk files in a container are ephemeral, which presents some problems for non-trivial applications when running in containers. One problem occurs when a container crashes or is stopped. Container state is not saved so all of the files that were created or modified during the lifetime of the container are lost. During a crash, kubelet restarts the container with a clean state. Another problem occurs when multiple containers are running in a Pod and need to share files. It can be challenging to setup and access a shared filesystem across all of the containers. The Kubernetes volume abstraction solves both of these problems.
>
> ...
>
> Kubernetes supports many types of volumes. A Pod can use any number of volume types simultaneously. Ephemeral volume types have a lifetime of a pod, but persistent volumes exist beyond the lifetime of a pod. When a pod ceases to exist, Kubernetes destroys ephemeral volumes; however, Kubernetes does not destroy persistent volumes. For any kind of volume in a given pod, data is preserved across container restarts.
>
> At its core, a volume is a directory, possibly with some data in it, which is accessible to the containers in a pod. How that directory comes to be, the medium that backs it, and the contents of it are determined by the particular volume type used.
>

> https://kubernetes.io/docs/concepts/storage/volumes/


### Understanding Persistent Volumes
Persistent Volumes are a non-ephemeral volume implimentation. They are a kubernetes resource which provides storage.

> A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Classes. It is a resource in the cluster just like a node is a cluster resource. PVs are volume plugins like Volumes, but have a lifecycle independent of any individual Pod that uses the PV. This API object captures the details of the implementation of the storage, be that NFS, iSCSI, or a cloud-provider-specific storage system.
>
> https://kubernetes.io/docs/concepts/storage/persistent-volumes/


Persistent Volume Claims are requests to have resources allocated to them.

> A PersistentVolumeClaim (PVC) is a request for storage by a user. It is similar to a Pod. Pods consume node resources and PVCs consume PV resources. Pods can request specific levels of resources (CPU and Memory). Claims can request specific size and access modes (e.g., they can be mounted ReadWriteOnce, ReadOnlyMany or ReadWriteMany, see AccessModes).
>
> https://kubernetes.io/docs/concepts/storage/persistent-volumes/
>

### Understanding Storage Classes

The Persistant Volume Claim allows a user to request access to specific storage resources. But in some cases, we may want to logically classify our storage and then make a selection from a particular classification. For example if we want a 7200 rpm disk vs a 5200 rpm disk. Storage Classes provide this abstraction:

> A StorageClass provides a way for administrators to describe the "classes" of storage they offer. Different classes might map to quality-of-service levels, or to backup policies, or to arbitrary policies determined by the cluster administrators. Kubernetes itself is unopinionated about what classes represent. This concept is sometimes called "profiles" in other storage systems
> 
> https://kubernetes.io/docs/concepts/storage/storage-classes/
>
> While PersistentVolumeClaims allow a user to consume abstract storage resources, it is common that users need PersistentVolumes with varying properties, such as performance, for different problems. Cluster administrators need to be able to offer a variety of PersistentVolumes that differ in more ways than size and access modes, without exposing users to the details of how those volumes are implemented. For these needs, there is the StorageClass resource.
> 
> https://kubernetes.io/docs/concepts/storage/persistent-volumes/
>
> Each StorageClass has a provisioner that determines what volume plugin is used for provisioning PVs. This field must be specified.
>
> https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner

Kubernetes supports the following Volumn plugins and provisioners:

|Volume Plugin | Internal Provisioner | Config Example |
|--------------|----------------------|----------------|
|AWSElasticBlockStore | ✓ | AWS EBS |
|AzureFile | ✓ | Azure File |
|AzureDisk | ✓ | Azure Disk |
|CephFS | - | - |
|Cinder | ✓ | OpenStack Cinder |
|FC | - | - |
|FlexVolume | - | -
|GCEPersistentDisk | ✓ | GCE PD |
|iSCSI | - | - |
|NFS | - | NFS |
|RBD | ✓ | Ceph RBD |
|VsphereVolume | ✓ | vSphere |
|PortworxVolume | ✓ | Portworx Volume |
|Local | - | Local |

### The NFS Storage Class

For my deployment I will keep things simple and use an NFS storage volume. In the past I have used ceph, but in this case I will keep things very simple.

**Note**: Kubernetes doesn't include an internal NFS provisioner. You need to use an external provisioner to create a StorageClass for NFS. Here are some examples:

- NFS Ganesha server and external provisioner
- NFS subdir external provisioner

Configuration example and documentation can be found [here](https://kubernetes.io/docs/concepts/storage/storage-classes/#nfs).

#### Installing the NFS server

https://dev.to/prajwalmithun/setup-nfs-server-client-in-linux-and-unix-27id

```
[root@localhost ~]# yum -y install nfs-utils
[root@localhost ~]# vi /etc/exports
[root@localhost ~]# cat /etc/exports
/nfs_exports   *(rw,root_squash,sync,no_subtree_check)
[root@localhost ~]# mkdir /nfs_exports
[root@localhost ~]# chmod 777 /nfs_exports
[root@localhost ~]# systemctl enable rpcbind
[root@localhost ~]# systemctl enable nfs-server
[root@localhost ~]# systemctl enable nfs-lock
[root@localhost ~]# systemctl enable nfs-idmap
[root@localhost ~]# systemctl start rpcbind
[root@localhost ~]# systemctl start nfs-server
[root@localhost ~]# systemctl start nfs-lock
[root@localhost ~]# systemctl start nfs-idmap
[root@localhost ~]# systemctl status nfs
● nfs-server.service - NFS server and services
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled; vendor preset: disabled)
   Active: active (exited) since Mon 2023-05-01 18:12:08 EDT; 2s ago
  Process: 27255 ExecStartPost=/bin/sh -c if systemctl -q is-active gssproxy; then systemctl reload gssproxy ; fi (code=exited, status=0/SUCCESS)
  Process: 27253 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
  Process: 27250 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
 Main PID: 27253 (code=exited, status=0/SUCCESS)
    Tasks: 0
   Memory: 0B
   CGroup: /system.slice/nfs-server.service
   
[root@localhost ~]# exportfs
/nfs_exports    <world>
```

**Note**: Make sure your firewall is properly configured

#### Install NFS Client on K8 Nodes
This need to be installed on the mater and the workers

```
[root@os004k8-master001 ~]# yum -y install nfs-utils
```

#### Test NFS Connection
Test we can mount the nfs server and have the permissions to create files and directories

```
[root@os004k8-master001 ~]# mount -t nfs 15.4.22.101:/nfs_exports /mnt/test
[root@os004k8-master001 ~]# mkdir /mnt/test/test
```

#### Installing NFS Subdir External Provisioner Using Helm

Official instructions can be found [here](https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner)
```
[root@os004k8-master001 ~]# helm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
"nfs-subdir-external-provisioner" has been added to your repositories

[root@os004k8-master001 ~]# helm install nfs-subdir-external-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner  --set nfs.server=15.4.22.101 --set nfs.path=/nfs_exports
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
NAME: nfs-subdir-external-provisioner
LAST DEPLOYED: Mon May  1 18:24:08 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None

[root@os004k8-master001 ~]# kubectl get deployment nfs-subdir-external-provisioner
NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
nfs-subdir-external-provisioner   1/1     1            1           102s

```

<a id="define-storage-class"></a>
#### Define Storage Class

When we deployed the helm chart in the previous step, a storage class was created for us:

```
[root@os004k8-master001 pachyderm]# kubectl get storageclass
NAME         PROVISIONER                                     RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
nfs-client   cluster.local/nfs-subdir-external-provisioner   Delete          Immediate           true                   6m31s

```

#### Test the installation

```
[root@os004k8-master001 pachyderm]# cat test-claim.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: test-claim
spec:
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Mi
      
[root@os004k8-master001 pachyderm]# kubectl apply -f test-claim.yaml
persistentvolumeclaim/test-claim created
[root@os004k8-master001 pachyderm]# kubectl get persistentvolumeclaim/test-claim
NAME         STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
test-claim   Bound    pvc-c83b7c08-3ff0-4a3d-948e-16436326f31f   1Mi        RWX            nfs-client     10s
```


```
[root@os004k8-master001 pachyderm]# cat test-pod.yaml
kind: Pod
apiVersion: v1
metadata:
  name: test-pod
spec:
  containers:
  - name: test-pod
    image: busybox:stable
    command:
      - "/bin/sh"
    args:
      - "-c"
      - "touch /mnt/SUCCESS && exit 0 || exit 1"
    volumeMounts:
      - name: nfs-pvc
        mountPath: "/mnt"
  restartPolicy: "Never"
  volumes:
    - name: nfs-pvc
      persistentVolumeClaim:
        claimName: test-claim

[root@os004k8-master001 pachyderm]# kubectl apply -f test-pod.yaml
pod/test-pod created

[root@os004k8-master001 pachyderm]# kubectl get pod/test-pod
NAME       READY   STATUS      RESTARTS   AGE
test-pod   0/1     Completed   0          7s

```


```
[root@os004k8-master001 pachyderm]# kubectl delete -f test-pod.yaml
pod "test-pod" deleted
[root@os004k8-master001 pachyderm]# kubectl delete -f test-claim.yaml
persistentvolumeclaim "test-claim" deleted
```

## Deploy Minio Object Store

From what I understand, Minio is needed in addition to the Persistent Volumes being made available in the previous step.

> An object store is used by Pachyderm’s pachd for storing all your data. The object store you use must be accessible via a low-latency, high-bandwidth connection.
>
> Storage providers like MinIO (the most common and officially supported option), EMC’s ECS, Ceph, or SwiftStack provide S3-compatible access to enterprise storage for on-premises deployment.
> 
> https://docs.pachyderm.com/latest/deploy-manage/deploy/on-premises/#on-premises-sizing-and-configuring-the-object-store

I googled around for examples on how to deploy minio on kubernetes. I found a guide [here](https://min.io/docs/minio/kubernetes/upstream/index.html) which got me most of the way home. I needed to make a few tweaks which I will describe below.

### Deploy minio pod
The first thing we need to do is deploy a pod which runs minio. Most of the work here was done for me. The [article mentioned previously](https://min.io/docs/minio/kubernetes/upstream/index.html) hosted a yaml file with the pod manifest. 

I needed to tweak this file to expose ports on the container so that external services could connect. I also needed to specify which node to run the service on so it would have direct disk access.

```
[root@os004k8-master001 pachyderm]# cat minio-dev.yaml
# Deploys a new MinIO Pod into the metadata.namespace Kubernetes namespace
#
# The `spec.containers[0].args` contains the command run on the pod
# The `/data` directory corresponds to the `spec.containers[0].volumeMounts[0].mountPath`
# That mount path corresponds to a Kubernetes HostPath which binds `/data` to a local drive or volume on the worker node where the pod runs
#
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: minio
  name: minio
spec:
  containers:
  - name: minio
    image: quay.io/minio/minio:latest
    command:
    - /bin/bash
    - -c
    args:
    - minio server /data --console-address :9090 --address :9000
    volumeMounts:
    - mountPath: /data
      name: localvolume # Corresponds to the `spec.volumes` Persistent Volume
    ports:
    - name: minio-console
      containerPort: 9090
    - name: minio
      containerPort: 9000
  nodeSelector:
    kubernetes.io/hostname: os004k8-worker001.foobar.com
  volumes:
  - name: localvolume
    hostPath: # MinIO generally recommends using locally-attached volumes
      path: /mnt/disk1/data # Specify a path to a local drive or volume on the Kubernetes worker node
      type: DirectoryOrCreate # The path to the last directory must exist
```

Notice the port 9000 and 9090 that are exposed. We will be connecting to the web ui through 9090.

We check that the pod is deployed successfully:
```
[root@os004k8-master001 pachyderm]# kubectl apply -f minio-dev.yaml
pod/minio configured
[root@os004k8-master001 pachyderm]# kubectl get pod/minio
NAME    READY   STATUS    RESTARTS   AGE
minio   1/1     Running   0          10h
```

We then do a sanity check to confirm the service is online and running

```
[root@os004k8-master001 pachyderm]# kubectl exec -ti minio -- netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1/minio
tcp6       0      0 :::9090                 :::*                    LISTEN      1/minio
tcp6       0      0 :::9000                 :::*                    LISTEN      1/minio
[root@os004k8-master001 pachyderm]# kubectl exec -ti minio -- curl 127.0.0.1:9090
<!doctype html><html lang="en"><head><meta charset="utf-8"/><base href="/"/><meta content="width=device-width,initial-scale=1" name="viewport"/><meta content="#081C42" media="(prefers-color-scheme: light)" name="theme-color"/><meta content="#081C42" media="(prefers-color-scheme: dark)" name="theme-color"/><meta content="MinIO Console" name="description"/><meta name="minio-license" content="agpl" /><link href="./styles/root-styles.css" rel="stylesheet"/><link href="./apple-icon-180x180.png" rel="apple-touch-icon" sizes="180x180"/><link href="./favicon-32x32.png" rel="icon" sizes="32x32" type="image/png"/><link href="./favicon-96x96.png" rel="icon" sizes="96x96" type="image/png"/><link href="./favicon-16x16.png" rel="icon" sizes="16x16" type="image/png"/><link href="./manifest.json" rel="manifest"/><link color="#3a4e54" href="./safari-pinned-tab.svg" rel="mask-icon"/><title>MinIO Console</title><script defer="defer" src="./static/js/main.ebbcb389.js"></script><link href="./static/css/main.57e739f5.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"><div id="preload"><img src="./images/background.svg"/> <img src="./images/background-wave-orig2.svg"/></div><div id="loader-block"><img src="./Loader.svg"/></div></div></body></html>
```

We can then confirm the pod networking is setup correctly and the service is exposed properly on the cluster's internal subnet.

```
[root@os004k8-master001 pachyderm]# kubectl describe pod/minio | grep -E "^IP:"
IP:           10.36.0.1
[root@os004k8-master001 pachyderm]# curl 10.36.0.1:9090
<!doctype html><html lang="en"><head><meta charset="utf-8"/><base href="/"/><meta content="width=device-width,initial-scale=1" name="viewport"/><meta content="#081C42" media="(prefers-color-scheme: light)" name="theme-color"/><meta content="#081C42" media="(prefers-color-scheme: dark)" name="theme-color"/><meta content="MinIO Console" name="description"/><meta name="minio-license" content="agpl" /><link href="./styles/root-styles.css" rel="stylesheet"/><link href="./apple-icon-180x180.png" rel="apple-touch-icon" sizes="180x180"/><link href="./favicon-32x32.png" rel="icon" sizes="32x32" type="image/png"/><link href="./favicon-96x96.png" rel="icon" sizes="96x96" type="image/png"/><link href="./favicon-16x16.png" rel="icon" sizes="16x16" type="image/png"/><link href="./manifest.json" rel="manifest"/><link color="#3a4e54" href="./safari-pinned-tab.svg" rel="mask-icon"/><title>MinIO Console</title><script defer="defer" src="./static/js/main.ebbcb389.js"></script><link href="./static/css/main.57e739f5.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"><div id="preload"><img src="./images/background.svg"/> <img src="./images/background-wave-orig2.svg"/></div><div id="loader-block"><img src="./Loader.svg"/></div></div></body></html>

```

### Setup a NodePort Service
We want minio to be accessible from outside the cluster. To do this we will need to add some additional kubernetes configurations. There are many ways to skin this cat, I am choosing the simplest approach. I will map a port on the kubernetes node to a port on the kubernetes pod. This will allos me to access the service inside the container that is mapped to the pod's external port. I got some help from this [article](https://stackoverflow.com/questions/71909726/how-to-expose-minio-outside-cluster-ip).

First I setup the yaml:

```
[root@os004k8-master001 pachyderm]# cat minio-node-port.yaml
apiVersion: v1
kind: Service
metadata:
  name: minio-nodeport
spec:
  ports:
  - name: minio-console
    port: 9090
    targetPort: 9090
    nodePort: 30090
  - name: minio
    port: 9000
    targetPort: 9000
    nodePort: 30000
  selector:
    app: minio
  type: NodePort
```

This file is assigning port 30090 on the kubernetes node to port 9090 on the container.

```
[root@os004k8-master001 pachyderm]# kubectl apply -f minio-node-port.yaml
service/minio-nodeport created

[root@os004k8-master001 pachyderm]# kubectl get service/minio-nodeport
NAME             TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)                         AGE
minio-nodeport   NodePort   10.106.5.77   <none>        9090:30090/TCP,9000:30000/TCP   10h

[root@os004k8-master001 pachyderm]# kubectl describe service/minio-nodeport
Name:                     minio-nodeport
Namespace:                default
Labels:                   <none>
Annotations:              <none>
Selector:                 app=minio
Type:                     NodePort
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.106.5.77
IPs:                      10.106.5.77
Port:                     minio-console  9090/TCP
TargetPort:               9090/TCP
NodePort:                 minio-console  30090/TCP
Endpoints:                10.36.0.1:9090
Port:                     minio  9000/TCP
TargetPort:               9000/TCP
NodePort:                 minio  30000/TCP
Endpoints:                10.36.0.1:9000
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>
```

We can do a sanity check and see if we can now access the service:

```
[root@os004k8-master001 pachyderm]# kubectl describe pod/minio | grep "Node:"
Node:         os004k8-worker001.foobar.com/15.4.7.101
[root@os004k8-master001 pachyderm]# curl 15.4.7.101:30090
<!doctype html><html lang="en"><head><meta charset="utf-8"/><base href="/"/><meta content="width=device-width,initial-scale=1" name="viewport"/><meta content="#081C42" media="(prefers-color-scheme: light)" name="theme-color"/><meta content="#081C42" media="(prefers-color-scheme: dark)" name="theme-color"/><meta content="MinIO Console" name="description"/><meta name="minio-license" content="agpl" /><link href="./styles/root-styles.css" rel="stylesheet"/><link href="./apple-icon-180x180.png" rel="apple-touch-icon" sizes="180x180"/><link href="./favicon-32x32.png" rel="icon" sizes="32x32" type="image/png"/><link href="./favicon-96x96.png" rel="icon" sizes="96x96" type="image/png"/><link href="./favicon-16x16.png" rel="icon" sizes="16x16" type="image/png"/><link href="./manifest.json" rel="manifest"/><link color="#3a4e54" href="./safari-pinned-tab.svg" rel="mask-icon"/><title>MinIO Console</title><script defer="defer" src="./static/js/main.ebbcb389.js"></script><link href="./static/css/main.57e739f5.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"><div id="preload"><img src="./images/background.svg"/> <img src="./images/background-wave-orig2.svg"/></div><div id="loader-block"><img src="./Loader.svg"/></div></div></body></html>
```

### Login Through Web Browser

Last we can navigate to a web browser on our LAN and confirm we can access the service. According to the [documentation](https://min.io/docs/minio/linux/index.html) the default credentials are:

```
API: http://192.0.2.10:9000  http://127.0.0.1:9000
RootUser: minioadmin
RootPass: minioadmin

Console: http://192.0.2.10:9090 http://127.0.0.1:9090
RootUser: minioadmin
RootPass: minioadmin
```

When logging in we see the following:

<center><img src="images/minio-login-page.png"></center>
<center><img src="images/minio-login-page-2.png"></center>
<center><img src="images/minio-login-page-3.png"></center>

### Generate Access Key And Secret Key
According to the [documentation](https://min.io/docs/minio/linux/administration/identity-access-management/minio-user-management.html):

> A MinIO user consists of a unique access key (username) and corresponding secret key (password). Clients must authenticate their identity by specifying both a valid access key (username) and the corresponding secret key (password) of an existing MinIO user.


## Create Values File For Helm

The helm chart, which deploys the pachyderm solution, requires that values be set to inform the installation. In fact, if the values are not set, helm will raise an exveption suring the installation. The default values file can be found [here](https://github.com/pachyderm/pachyderm/blob/2.3.x/etc/helm/pachyderm/values.yaml).

Through a bit of trial and error with the help of helm, who will complain if necessary values are missing, I was able to piece together the configurations required to deploy a working solution. The documentation is a bit messy and some of the links are broken. On some pages the documentation fails to mention what specific configurations must be made (eg. we must configure the loki-stack components). 

At the end of the day, my config file was as follows:

```
[root@os004k8-master001 pachyderm]# cat values.yaml
etcd:
  storageClass: nfs-client
  size: 10Gi

postgresql:
  persistence:
    storageClass: nfs-client
    size: 10Gi

loki-stack:
  loki:
    persistence:
      size: 10Gi
      storageClassName: nfs-client

deployTarget: MINIO

pachd:
  storage:
    backend: MINIO
    minio:
      bucket: pachyderm
      endpoint: 15.4.7.101:30000
      id: minioadmin
      secret: minioadmin
      secure: "false"

proxy:
  enabled: true
  service:
    type: LoadBalancer
```

In the next sections I explain the configurations.

<a id="persistent-volume-claims"></a>
### Storage Class For Persistent Volume Claims 

The pachyderm helm chart will deploy three services which require Persistant Volumes. This requirement will be specified through a Persistent Volume Claim. There are three services which require a Persistant Volume: etcd, postgresql, and loki-stack. Below are the configurations to inform them which Storage Class we should be using. We defined our Storage Class "nfs-client" in this [step](#define-storage-class). Our coresponding entry in the values file was as follows:

```
etcd:
  storageClass: nfs-client
  size: 10Gi

postgresql:
  persistence:
    storageClass: nfs-client
    size: 10Gi

loki-stack:
  loki:
    persistence:
      size: 10Gi
      storageClassName: nfs-client
```

### Configure Minio Backend

We also need to inform the pachd server that we are using a minio backend and provide it the coresponding configurations so that the connection works. The [documentation](https://docs.pachyderm.com/latest/deploy-manage/deploy/on-premises/#on-premises-deploying-an-object-store) provides some guidance, but ultimately it is incomplete and incorrect. 

The documenation provides the following descriptions of the configurations:

> **endpoint**: The access endpoint. For example, MinIO’s endpoints are usually something like minio-server:9000.
>
> > Do not begin it with the protocol; it is an endpoint, not an url. Also, check if your object store (e.g. MinIO) is using SSL/TLS. If not, disable it using secure: false.
>
>**bucket**: The bucket name you are dedicating to Pachyderm. Pachyderm will need exclusive access to this bucket.
>
>**id**: The access key id for the object store.
>
>**secret**: The secret key for the object store.

In total, the configurations for this case were as follows:

```
deployTarget: MINIO

pachd:
  storage:
    backend: MINIO
    minio:
      bucket: pachyderm
      endpoint: 15.4.7.101:30000
      id: minioadmin
      secret: minioadmin
      secure: "false"
```

#### Gotchas

**Note**: There were a couple quarks with this configuration which I describe below:

Tbe `deployTarget` specifies where pachyderm is being installed. Per the [documentation](https://docs.pachyderm.com/latest/reference/helm-values/deploy-target/#deploy-target-hcvs-values) the following values are supported: GOOGLE, AMAZON, MINIO, MICROSOFT, CUSTOM or LOCAL. Reading between the lines, the choice determines what downstream configurations are required and what assets are deployed to kubernetes.

The `secure` setting must be a string. If it's a boolean, helm will complain during the installation.

The `backend` must be in all caps despite documentation showing lower case. If we do set it to lower case, we sill see the following errot in the pachd pod logs:

```
[root@os004k8-master001 pachyderm]# kubectl logs pachd-55467db54f-dwddb | tail -n 5
...
{"severity":"info","time":"2023-05-02T17:16:17.869971271Z","caller":"grpcutil/server.go:69","message":"TLS disabled","error":"could not stat public cert at /pachd-tls-cert/tls.crt: stat /pachd-tls-cert/tls.crt: no such file or directory","errorVerbose":"stat /pachd-tls-cert/tls.crt: no such file or directory\ncould not stat public cert at /pachd-tls-cert/tls.crt\ngithub.com/pachyderm/pachyderm/v2/src/internal/tls.GetCertPaths\n\tsrc/internal/tls/tls.go:32\ngithub.com/pachyderm/pachyderm/v2/src/internal/grpcutil.NewServer\n\tsrc/internal/grpcutil/server.go:67\ngithub.com/pachyderm/pachyderm/v2/src/internal/pachd.(*builder).initExternalServer\n\tsrc/internal/pachd/builder.go:195\ngithub.com/pachyderm/pachyderm/v2/src/internal/pachd.(*builder).apply\n\tsrc/internal/pachd/builder.go:88\ngithub.com/pachyderm/pachyderm/v2/src/internal/pachd.(*fullBuilder).buildAndRun\n\tsrc/internal/pachd/full.go:66\ngithub.com/pachyderm/pachyderm/v2/src/internal/pachd.FullMode\n\tsrc/internal/pachd/full.go:107\ngithub.com/pachyderm/pachyderm/v2/src/internal/cmdutil.Main\n\tsrc/internal/cmdutil/env.go:34\nmain.main\n\tsrc/server/cmd/pachd/main.go:50\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:250\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1594"}
unrecognized storage backend: minio
```

The `bucket` must exist BEOFRE we go through the installation. The pachyderm pod will to a [quality check](https://github.com/pachyderm/pachyderm/blob/39a975208f55e657b64cf8de11c7375270becc3d/src/internal/obj/testsuite.go#L122) when starting up for the first time; it will create a test object in the backend and then confirm the object is there. If the bucket does not exist, this test will fail and we will see an error that resembles the following:

```
[root@os004k8-master001 pachyderm]# kubectl describe pod pachd-9c6b4c75b-ddlv6
...
  Warning  FailedMount  4m34s                  kubelet            MountVolume.SetUp failed for volume "pachyderm-storage-secret" : failed to sync secret cache: timed out waiting for the condition
...

[root@os004k8-master001 pachyderm]# kubectl logs pachd-9c6b4c75b-ddlv6
...
unable to write to object storage: pachyderm does not contain item: (test/6ac321e4a09147e3917104f7b3d4ae38)
```

<a id="configure-proxy"><a/>
### Configure Proxy

Currently Pachyderm supports the use of an optional proxy. While the deployment of the proxy is optional at the moment, it will become permanent in the next minor release of Pachyderm.

In my case the configuration was as follows:

```
proxy:
  enabled: true
  service:
    type: LoadBalancer
```

The purpose of the proxy is to provide a single point of contact for all user facing traffic. Like any proxy, the pachyderm proxy accepts requests from and each call to the appropriate backend microservice without any additional configuration.

It's not explicitly stated, but I belived the service specification maps to kubernetes service types. To confirm this I have seen mention of setting the type to be either LoadBalancer or NodePort, but I imagine Ingress and other services may also be possible. A good article on the differencescan be found [here](https://medium.com/google-cloud/kubernetes-nodeport-vs-loadbalancer-vs-ingress-when-should-i-use-what-922f010849e0).

The pachyderm proxy exposes one TCP port for all incoming traffic:
- grpc (grpcs)
- console (HTTP/HTTPS)
- s3 gateway, OIDC
- dex traffic

The following diagram outlines the kubernetes footprint and usage of the proxy:

<center><img src="images/pachyderm-proxy.png"></center>

More information and configuration examples can be found [here](https://docs.pachyderm.com/2.3.x/deploy-manage/deploy/deploy-w-proxy/).

## Install Pachyderm using helm

Pachyderm uses the client server model. The pachD damon is packaged as a kubernetes pod and the pachctl cli connects to the server (the daemon running in the pod) to execute commands etc.

### Run installation Using Helm Chart

We can ask helm to list all the charts it can find. In my case I only have one repo (the pachyderm repo) and we can list out all the charts available for a given repo:

```
[root@os004k8-master001 ~]# helm repo list
NAME            URL
pachyderm       https://helm.pachyderm.com

[root@os004k8-master001 ~]# helm search repo -l -r pachyderm 2>/dev/null
NAME                    CHART VERSION   APP VERSION     DESCRIPTION
pachyderm/pachyderm     2.5.5           2.5.5           Explainable, repeatable, scalable data science
pachyderm/pachyderm     2.5.4           2.5.4           Explainable, repeatable, scalable data science
pachyderm/pachyderm     2.5.3           2.5.3           Explainable, repeatable, scalable data science
pachyderm/pachyderm     2.5.2           2.5.2           Explainable, repeatable, scalable data science
pachyderm/pachyderm     2.5.1           2.5.1           Explainable, repeatable, scalable data science
pachyderm/pachyderm     2.5.0           2.5.0           Explainable, repeatable, scalable data science
pachyderm/pachyderm     2.4.6           2.4.6           Explainable, repeatable, scalable data science


```

We can then instruct helm to install the desired version of pachyderm and to apply the value settings from the values file we created previously:

```
[root@os004k8-master001 pachyderm]# helm install pachd -f values.yaml pachyderm/pachyderm --version 2.5.5
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
W0502 14:47:18.489877   22677 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
W0502 14:47:18.733281   22677 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME: pachd
LAST DEPLOYED: Tue May  2 14:47:17 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
```

### Sanity Check: All Pods Are Running

```
[root@os004k8-master001 pachyderm]# kubectl get pods
NAME                                               READY   STATUS    RESTARTS   AGE
console-5d4686d94-45d8j                            1/1     Running   0          6h14m
etcd-0                                             1/1     Running   0          6h14m
minio                                              1/1     Running   0          10h
nfs-subdir-external-provisioner-7f9cf64cd8-7pv5g   1/1     Running   0          26h
pachd-5586c8845d-6dfgk                             1/1     Running   0          6h14m
pachd-loki-0                                       1/1     Running   0          6h14m
pachd-promtail-6cf4t                               1/1     Running   0          6h14m
pachd-promtail-6mp89                               0/1     Running   0          6h14m
pachd-promtail-9plcr                               0/1     Running   0          6h14m
pachd-promtail-cnf22                               1/1     Running   0          6h14m
pachd-promtail-xplb5                               1/1     Running   0          6h14m
pachd-promtail-xsdxx                               1/1     Running   0          6h14m
pachyderm-kube-event-tail-6c6598cd5-9jxfm          1/1     Running   0          6h14m
pachyderm-proxy-7f4545985c-t4zjq                   1/1     Running   0          6h14m
pg-bouncer-88dbc966b-ldbwh                         1/1     Running   0          6h14m
postgres-0                                         1/1     Running   0          6h14m
```

**Note**: This will take some time before all the pods are running. Remember, the kubernetes cluster is going to download a bunch of docker images from dockerhub. This may take some time. It then neets to start the pods (containers) and wait for their internal services to come online.

### Sanity Check: Proxy Is Internally Accessible
Here we want to check that the proxy is internally available:

We can get a list of services associated with pachyderm
```
[root@os004k8-master001 pachyderm]# kubectl get services | grep pach
pachd                   ClusterIP      10.98.169.23     <none>        30650/TCP,30657/TCP,30658/TCP,30600/TCP,30656/TCP   6h41m
pachd-loki              ClusterIP      10.100.200.46    <none>        3100/TCP                                            6h41m
pachd-loki-headless     ClusterIP      None             <none>        3100/TCP                                            6h41m
pachd-loki-memberlist   ClusterIP      None             <none>        7946/TCP                                            6h41m
pachd-peer              ClusterIP      10.107.149.154   <none>        30653/TCP                                           6h41m
pachd-proxy-backend     ClusterIP      None             <none>        1650/TCP,1657/TCP,1658/TCP,1600/TCP,1656/TCP        6h41m
pachyderm-proxy         LoadBalancer   10.100.12.105    <pending>     80:30409/TCP                                        6h41m
```
We can then drill down into the specific LoadBalancer which we see is named "pachydrm-proxy"

```
[root@os004k8-master001 pachyderm]# kubectl get service pachyderm-proxy
NAME              TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
pachyderm-proxy   LoadBalancer   10.100.12.105   <pending>     80:30409/TCP   6h41m
```

Finally we can curl the internal cluster ip and port to see if we get an html response indicating the UI is up

```
[root@os004k8-master001 pachyderm]# curl 10.100.12.105:80
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <meta name="description" content="Visualize your Pachyderm workspace" />
    <link rel="shortcut icon" href="/favicon.ico">
    <title>Pachyderm Console</title>
    <script type="module" crossorigin src="/assets/index.822e4a40.js"></script>
    <link rel="stylesheet" href="/assets/index.572e5d88.css">
  </head>
  <body>

      <script>
        window.pachDashConfig = {"REACT_APP_RUNTIME_DISABLE_TELEMETRY":"false","REACT_APP_RUNTIME_ISSUER_URI":"http://localhost:30658","NODE_ENV":"production","REACT_APP_BACKEND_GRAPHQL_PREFIX":"/graphql","REACT_APP_BACKEND_PREFIX":"/","REACT_APP_BUILD_ENV":"production","REACT_APP_RELEASE_VERSION":"unversioned-production","REACT_APP_SENTRY_DSN":"https://5208a9e666bf4d85aa9f8281a7fdaf9a@o309125.ingest.sentry.io/6771948","REACT_APP_RUDDERSTACK_ID":"2FBfmxTHtnOO4VphcX0PsKWVUiU","REACT_APP_POLLING":"10000"}
      </script>


    <noscript>You need to enable JavaScript to run this app.</noscript>
    <div id="root"></div>

  </body>
</html>
```

We got hrml. It looks like the service is up!

### Sanity Check: Proxy Is Allocated An External IP

We should see that the LoadBalancer is allocated an external IP. This is the IP that the users should use to access the service.

```
[root@os004k8-master001 pachyderm]# kubectl get service pachyderm-proxy
NAME              TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
pachyderm-proxy   LoadBalancer   10.100.227.99   15.4.25.1     80:30855/TCP   43s

```

### Sanity Check: Web UI Is Working And Accessible
At this point, the helm chart has stood up a bunch of pods (which we confirmed are running) and a proxy service. 

In some cases we may want to bypass the proxy and do some sanity checking and trouble shooting. For example, in a situation when the proxy is only accessible from within the cluster's overlay network and it is not accessible to nodes outside the cluster. In this case we can do some linux magic to tell the operating system on my kubernetes master to map one of it's public facing ports to the cluster ip and port provided by the pachyderm proxy. In short, I am creating an externally available proxy to reach my internally available proxy.

To do this hackery I can use socat. Below we see the command which maps port 8080 on the kubernetes master to 10.47.0.1:8080 (the ip and port of the proxy). This is a blocking command; as long as it's running the proxy is up

```
[root@os004k8-master001 pachyderm]# socat TCP-LISTEN:8080,fork TCP:10.47.0.1:8080
```

From another machine on the same LAN segment, we can open a web browser and navigate to the master node's ip and port.

```
[root@os004k8-master001 pachyderm]# route -nv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         15.1.1.1        0.0.0.0         UG    100    0        0 eth0
10.32.0.0       0.0.0.0         255.240.0.0     U     0      0        0 weave
15.0.0.0        0.0.0.0         255.0.0.0       U     100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
[root@os004k8-master001 pachyderm]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 8e:cb:b0:2a:b5:1e brd ff:ff:ff:ff:ff:ff
    inet 15.4.7.11/8 brd 15.255.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::8ccb:b0ff:fe2a:b51e/64 scope link
       valid_lft forever preferred_lft forever
```

In my case we can see this url would be 15.4.7.11:8080. When we open this url in our web browser we see:

<center><img src="images/pachyderm-landing-page.png"></center>


```
[root@os004k8-master001 pachyderm]# kubectl get service pachd
NAME    TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                                             AGE
pachd   ClusterIP   10.109.63.8   <none>        30650/TCP,30657/TCP,30658/TCP,30600/TCP,30656/TCP   15m
[root@os004k8-master001 pachyderm]# kubectl get service pachd -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: pachd
    meta.helm.sh/release-namespace: default
    prometheus.io/port: "1656"
    prometheus.io/scrape: "true"
  creationTimestamp: "2023-05-02T16:06:43Z"
  labels:
    app: pachd
    app.kubernetes.io/managed-by: Helm
    suite: pachyderm
  name: pachd
  namespace: default
  resourceVersion: "222366"
  uid: 3bf89370-b142-43cb-930c-66bd0d041c68
spec:
  clusterIP: 10.109.63.8
  clusterIPs:
  - 10.109.63.8
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: api-grpc-port
    port: 30650
    protocol: TCP
    targetPort: api-grpc-port
  - name: oidc-port
    port: 30657
    protocol: TCP
    targetPort: oidc-port
  - name: identity-port
    port: 30658
    protocol: TCP
    targetPort: identity-port
  - name: s3gateway-port
    port: 30600
    protocol: TCP
    targetPort: s3gateway-port
  - name: prom-metrics
    port: 30656
    protocol: TCP
    targetPort: prom-metrics
  selector:
    app: pachd
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
```

We can then ask helm to install our preferred version:

```
[root@os004k8-master001 ~]# helm install pachd pachyderm/pachyderm --set deployTarget=LOCAL --set proxy.enabled=true --set proxy.service.type=LoadBalancer --version 2.5.5
W0501 12:39:42.848489   21435 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
W0501 12:39:43.115008   21435 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME: pachd
LAST DEPLOYED: Mon May  1 12:39:40 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
```

**Note**: In the command above, we are providing a number of parameters to the `helm install` command. The `--version` parameter instructs the help utility which specific version to install. The `--set` parameter instructs helm to override a value specified in a helm chart. Values, as we will discuss, are arbitrary settings that can override default settings or pvide values for templates in a helm chart. As the helm chart is written in yaml and consists of complex objects, the values specified in the ``--set` argument may consist of a json path description of the field being accessed. For example the value proxy.service.type is modifying a value for the type attribute of the service object on the proxy object. Fr more information on the arguments helm install accepts, see the [official documentation](https://helm.sh/docs/helm/helm_install/) for more detail.

**Note**: While the `--set` parameter can be used to override individual chart settings, the `helm install` command also allows the user to spcify a values.yaml file (i.e. a values file) to do a bulk override. 

### Troublshooting

During the installation I had some issues. I have shown some troubleshooting steps below:

#### Uninstall
If the helm installation fails (the pods never become ready) we can uninstall using the following:

```
[root@os004k8-master001 ~]# helm uninstall pachd
W0501 12:58:20.207995   30002 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
release "pachd" uninstalled
```

**Note**: This will not delete Persistent Storage Claims. We will need to deletet thoes manually:

```
[root@os004k8-master001 pachyderm]# kubectl get persistentvolumeclaims
NAME                   STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
data-postgres-0        Pending                                                     23h
etcd-storage-etcd-0    Pending                                                     23h
storage-pachd-loki-0   Pending                                                     23h
[root@os004k8-master001 pachyderm]# kubectl delete persistentvolumeclaims data-postgres-0
persistentvolumeclaim "data-postgres-0" deleted
[root@os004k8-master001 pachyderm]# kubectl delete persistentvolumeclaims etcd-storage-etcd-0
persistentvolumeclaim "etcd-storage-etcd-0" deleted
[root@os004k8-master001 pachyderm]# kubectl delete persistentvolumeclaims storage-pachd-loki-0
persistentvolumeclaim "storage-pachd-loki-0" deleted
```

#### Check Pods Are Running

We can get a list of pods and their current status:

```
[root@os004k8-master001 pachyderm]# kubectl get pods
NAME                                               READY   STATUS    RESTARTS   AGE
console-84865b4d78-s6dmf                           1/1     Running   0          8m18s
etcd-0                                             0/1     Pending   0          8m18s
minio                                              1/1     Running   0          89m
nfs-subdir-external-provisioner-7f9cf64cd8-7pv5g   1/1     Running   0          17h
pachd-6ffb7756c6-jlddk                             0/1     Running   1          8m18s
pachd-loki-0                                       0/1     Pending   0          8m18s
pachd-promtail-2j628                               0/1     Running   0          8m18s
pachd-promtail-4xhff                               1/1     Running   0          8m18s
pachd-promtail-5c2rc                               1/1     Running   0          8m18s
pachd-promtail-9czgl                               1/1     Running   0          8m18s
pachd-promtail-m5zr5                               0/1     Running   0          8m18s
pachd-promtail-mjlrc                               0/1     Running   0          8m18s
pachyderm-kube-event-tail-6c6598cd5-6sj2s          1/1     Running   0          8m18s
pachyderm-proxy-7f4545985c-92ntw                   1/1     Running   0          8m18s
pg-bouncer-88dbc966b-5c9d8                         1/1     Running   0          8m18s
postgres-0                                         0/1     Pending   0          8m18s
```

We can use the describe command to interrogate why a pod is not running and 

```
[root@os004k8-master001 ~]# kubectl describe pod pachd-loki-0
Name:           pachd-loki-0
Namespace:      default
Priority:       0
Node:           <none>
Labels:         app=loki
                controller-revision-hash=pachd-loki-5bc57fd4dd
                name=pachd-loki
                release=pachd
                statefulset.kubernetes.io/pod-name=pachd-loki-0
Annotations:    checksum/config: 9688827d4f9db7e59b48154e6433ef91fdc762d5b7545bfbe786f8d75c4de68a
                prometheus.io/port: http-metrics
                prometheus.io/scrape: true
Status:         Pending
IP:
IPs:            <none>
Controlled By:  StatefulSet/pachd-loki
Containers:
  loki:
    Image:       grafana/loki:2.6.1
    Ports:       3100/TCP, 9095/TCP, 7946/TCP
    Host Ports:  0/TCP, 0/TCP, 0/TCP
    Args:
      -config.file=/etc/loki/loki.yaml
    Liveness:     http-get http://:http-metrics/ready delay=45s timeout=1s period=10s #success=1 #failure=3
    Readiness:    http-get http://:http-metrics/ready delay=45s timeout=1s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /data from storage (rw)
      /etc/loki from config (rw)
      /tmp from tmp (rw)
Conditions:
  Type           Status
  PodScheduled   False
Volumes:
  storage:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  storage-pachd-loki-0
    ReadOnly:   false
  tmp:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  config:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  pachd-loki
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason            Age                  From               Message
  ----     ------            ----                 ----               -------
  Warning  FailedScheduling  45s (x3 over 2m12s)  default-scheduler  0/7 nodes are available: 7 pod has unbound immediate PersistentVolumeClaims.

```

#### Investigate Issue With Persistant Storage Claim

```
[root@os004k8-master001 pachyderm]# kubectl get persistentvolumeclaims
NAME                   STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
data-postgres-0        Pending                                                     23h
etcd-storage-etcd-0    Pending                                                     23h
storage-pachd-loki-0   Pending                                                     23h
```

```
[root@os004k8-master001 pachyderm]# kubectl describe persistentvolumeclaims storage-pachd-loki-0
Name:          storage-pachd-loki-0
Namespace:     default
StorageClass:
Status:        Pending
Volume:
Labels:        app=loki
               release=pachd
Annotations:   <none>
Finalizers:    [kubernetes.io/pvc-protection]
Capacity:
Access Modes:
VolumeMode:    Filesystem
Used By:       pachd-loki-0
Events:
  Type    Reason         Age                    From                         Message
  ----    ------         ----                   ----                         -------
  Normal  FailedBinding  3m8s (x5562 over 23h)  persistentvolume-controller  no persistent volumes available for this claim and no storage class is set
```

```
[root@os004k8-master001 pachyderm]# kubectl get persistentvolumeclaims/storage-pachd-loki-0 -o yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  creationTimestamp: "2023-05-01T16:39:45Z"
  finalizers:
  - kubernetes.io/pvc-protection
  labels:
    app: loki
    release: pachd
  name: storage-pachd-loki-0
  namespace: default
  resourceVersion: "34516"
  uid: 33d258a0-32a3-4911-a54a-46f57a2c757e
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  volumeMode: Filesystem
status:
  phase: Pending
```

Uninstalling does not delete persistent volume claims. We need to delete these and recreate. Make sure the values file specifies the correct storage class name.

**Note**: The claims should resemble the following:

```
[root@os004k8-master001 pachyderm]# kubectl get persistentvolumeclaims
NAME                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
data-postgres-0        Bound    pvc-6dfab811-746a-4805-9635-911974e1e11c   10Gi       RWO            nfs-client     5s
etcd-storage-etcd-0    Bound    pvc-9f4b9c42-50d4-4aac-9059-3025a68e2c60   10Gi       RWO            nfs-client     5s
storage-pachd-loki-0   Bound    pvc-28f6a320-2452-436a-b837-52d7fec07d4a   10Gi       RWO            nfs-client     5s
```

#### Investigate Sectret For Failed Pod

```
[root@os004k8-master001 pachyderm]# kubectl get pods
NAME                                               READY   STATUS             RESTARTS   AGE
console-5f7fbb6cb9-qjvlf                           1/1     Running            0          17m
etcd-0                                             1/1     Running            0          17m
minio                                              1/1     Running            0          122m
nfs-subdir-external-provisioner-7f9cf64cd8-7pv5g   1/1     Running            0          17h
pachd-55467db54f-dwddb                             0/1     CrashLoopBackOff   7          17m
pachd-loki-0                                       1/1     Running            0          17m
pachd-promtail-7v65r                               1/1     Running            0          17m
pachd-promtail-fzt4t                               0/1     Running            0          17m
pachd-promtail-kpq9p                               1/1     Running            0          17m
pachd-promtail-lsp8s                               0/1     Running            0          17m
pachd-promtail-npmrq                               1/1     Running            0          17m
pachd-promtail-vp822                               0/1     Running            0          17m
pachyderm-kube-event-tail-6c6598cd5-kjwvm          1/1     Running            0          17m
pachyderm-proxy-7f4545985c-xdl6q                   1/1     Running            0          17m
pg-bouncer-88dbc966b-vtdw9                         1/1     Running            0          17m
postgres-0                                         1/1     Running            0          17m
[root@os004k8-master001 pachyderm]# kubectl get pods pachd-55467db54f-dwddb
NAME                     READY   STATUS             RESTARTS   AGE
pachd-55467db54f-dwddb   0/1     CrashLoopBackOff   7          17m
[root@os004k8-master001 pachyderm]# kubectl describe pods pachd-55467db54f-dwddb
Name:         pachd-55467db54f-dwddb
Namespace:    default
Priority:     0
Node:         os004k8-worker005.foobar.com/15.4.7.105
Start Time:   Tue, 02 May 2023 12:06:43 -0400
Labels:       app=pachd
              pod-template-hash=55467db54f
              suite=pachyderm
Annotations:  checksum/helm-values: fd0a0a72dad39a14acf6eb56293e44d48356e0f8fc1a86307621c95b2f20d714
              checksum/storage-secret: 44d530a6561604c3aa1902c08580e6d18618f932f5199448520b26bc345bc88d
              seccomp.security.alpha.kubernetes.io/pod: runtime/default
Status:       Running
IP:           10.47.0.2
IPs:
  IP:           10.47.0.2
Controlled By:  ReplicaSet/pachd-55467db54f
Containers:
  pachd:
    Container ID:  docker://0f8409fd13fe1fa106b493b15fedc91e67c4631f57afbf668f1300d9bd7e39af
    Image:         pachyderm/pachd:2.5.5
    Image ID:      docker-pullable://pachyderm/pachd@sha256:186f8079a393314b5edbf12904019119f3266373dcdf5b2d09b2fc592c5e8237
    Ports:         1600/TCP, 1650/TCP, 1653/TCP, 1657/TCP, 1658/TCP, 1656/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP, 0/TCP, 0/TCP, 0/TCP
    Command:
      /pachd
    Args:
      --mode
      $(MODE)
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Tue, 02 May 2023 12:24:56 -0400
      Finished:     Tue, 02 May 2023 12:24:56 -0400
    Ready:          False
    Restart Count:  8
    Liveness:       exec [/pachd --readiness] delay=0s timeout=30s period=10s #success=1 #failure=10
    Readiness:      exec [/pachd --readiness] delay=0s timeout=1s period=10s #success=1 #failure=3
    Startup:        exec [/pachd --readiness] delay=0s timeout=30s period=10s #success=1 #failure=10
    Environment Variables from:
      pachyderm-storage-secret        Secret     Optional: false
      pachyderm-deployment-id-secret  Secret     Optional: false
      pachd-config                    ConfigMap  Optional: true
    Environment:
      PACHW_IN_SIDECARS:                         true
      PACHW_MIN_REPLICAS:                        0
      PACHW_MAX_REPLICAS:                        1
      POSTGRES_HOST:                             postgres
      POSTGRES_PORT:                             5432
      POSTGRES_USER:                             pachyderm
      POSTGRES_DATABASE:                         pachyderm
      POSTGRES_PASSWORD:                         <set to the key 'postgresql-password' in secret 'postgres'>  Optional: false
      PG_BOUNCER_HOST:                           pg-bouncer
      PG_BOUNCER_PORT:                           5432
      LOKI_LOGGING:                              true
      LOKI_SERVICE_HOST:                         $(PACHD_LOKI_SERVICE_HOST)
      LOKI_SERVICE_PORT:                         $(PACHD_LOKI_SERVICE_PORT)
      PACH_ROOT:                                 /pach
      ETCD_PREFIX:
      STORAGE_BACKEND:                           minio
      WORKER_IMAGE:                              pachyderm/worker:2.5.5
      WORKER_SIDECAR_IMAGE:                      pachyderm/pachd:2.5.5
      WORKER_IMAGE_PULL_POLICY:                  IfNotPresent
      WORKER_SERVICE_ACCOUNT:                    pachyderm-worker
      METRICS:                                   true
      PACHYDERM_LOG_LEVEL:                       info
      PACH_NAMESPACE:                            default (v1:metadata.namespace)
      REQUIRE_CRITICAL_SERVERS_ONLY:             false
      PACHD_POD_NAME:                            pachd-55467db54f-dwddb (v1:metadata.name)
      PPS_WORKER_GRPC_PORT:                      1080
      STORAGE_UPLOAD_CONCURRENCY_LIMIT:          100
      STORAGE_PUT_FILE_CONCURRENCY_LIMIT:        100
      STORAGE_COMPACTION_SHARD_SIZE_THRESHOLD:   0
      STORAGE_COMPACTION_SHARD_COUNT_THRESHOLD:  0
      STORAGE_COMPACTION_MAX_FANIN:              10
      STORAGE_FILESETS_MAX_OPEN:                 50
      STORAGE_DISK_CACHE_SIZE:                   100
      STORAGE_MEMORY_CACHE_SIZE:                 100
      CONSOLE_OAUTH_ID:                          console
      CONSOLE_OAUTH_SECRET:                      <set to the key 'OAUTH_CLIENT_SECRET' in secret 'pachyderm-console-secret'>  Optional: false
      ENABLE_WORKER_SECURITY_CONTEXTS:           true
      ENABLE_PREFLIGHT_CHECKS:                   true
      UNPAUSED_MODE:                             full
      K8S_MEMORY_REQUEST:                        0 (requests.memory)
      K8S_MEMORY_LIMIT:                          node allocatable (limits.memory)
    Mounts:
      /pach from pach-disk (rw)
      /pachyderm-storage-secret from pachyderm-storage-secret (rw)
      /tmp from tmp (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-rbrq7 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  tmp:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  pach-disk:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  pachyderm-storage-secret:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  pachyderm-storage-secret
    Optional:    false
  kube-api-access-rbrq7:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                   From               Message
  ----     ------     ----                  ----               -------
  Normal   Scheduled  18m                   default-scheduler  Successfully assigned default/pachd-55467db54f-dwddb to os004k8-worker005.foobar.com
  Warning  Unhealthy  16m (x4 over 17m)     kubelet            Startup probe failed:
  Normal   Pulled     15m (x4 over 18m)     kubelet            Container image "pachyderm/pachd:2.5.5" already present on machine
  Normal   Created    15m (x4 over 18m)     kubelet            Created container pachd
  Normal   Started    15m (x4 over 18m)     kubelet            Started container pachd
  Warning  BackOff    3m25s (x72 over 16m)  kubelet            Back-off restarting failed container

```

We see there is some message related to POSTGRES_PASSWORD. I wonder if that is an issue or not.

Extracting the yaml for the pod we see:

```
    - name: POSTGRES_PASSWORD
      valueFrom:
        secretKeyRef:
          key: postgresql-password
          name: postgres
```

Looking at the secrets we see:

```
[root@os004k8-master001 pachyderm]# kubectl get secrets
NAME                                                    TYPE                                  DATA   AGE
default-token-8ptvk                                     kubernetes.io/service-account-token   3      41h
nfs-subdir-external-provisioner-token-f4rr7             kubernetes.io/service-account-token   3      17h
pachd-loki                                              Opaque                                1      23m
pachd-loki-token-mjvtd                                  kubernetes.io/service-account-token   3      23m
pachd-promtail                                          Opaque                                1      23m
pachd-promtail-token-4dg6z                              kubernetes.io/service-account-token   3      23m
pachyderm-console-secret                                Opaque                                1      23m
pachyderm-deployment-id-secret                          Opaque                                1      23m
pachyderm-identity                                      Opaque                                1      23m
pachyderm-kube-event-tail-token-k477h                   kubernetes.io/service-account-token   3      23m
pachyderm-storage-secret                                Opaque                                0      23m
pachyderm-token-5lbv2                                   kubernetes.io/service-account-token   3      23m
pachyderm-worker-token-dm5h2                            kubernetes.io/service-account-token   3      23m
postgres                                                Opaque                                2      23m
sh.helm.release.v1.nfs-subdir-external-provisioner.v1   helm.sh/release.v1                    1      17h
sh.helm.release.v1.pachd.v1                             helm.sh/release.v1                    1      23m
[root@os004k8-master001 pachyderm]# kubectl get secrets postgres
NAME       TYPE     DATA   AGE
postgres   Opaque   2      25m
[root@os004k8-master001 pachyderm]# kubectl describe secrets postgres
Name:         postgres
Namespace:    default
Labels:       app.kubernetes.io/instance=pachd
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=postgresql
              helm.sh/chart=postgresql-10.8.0
Annotations:  meta.helm.sh/release-name: pachd
              meta.helm.sh/release-namespace: default

Type:  Opaque

Data
====
postgresql-password:           22 bytes
postgresql-postgres-password:  22 bytes
```

We can then decode the secrets

```
[root@os004k8-master001 pachyderm]# kubectl get secrets postgres -o json
{
    "apiVersion": "v1",
    "data": {
        "postgresql-password": "aW5zZWN1cmUtdXNlci1wYXNzd29yZA==",
        "postgresql-postgres-password": "aW5zZWN1cmUtcm9vdC1wYXNzd29yZA=="
    },
    "kind": "Secret",
    "metadata": {
        "annotations": {
            "meta.helm.sh/release-name": "pachd",
            "meta.helm.sh/release-namespace": "default"
        },
        "creationTimestamp": "2023-05-02T16:06:42Z",
        "labels": {
            "app.kubernetes.io/instance": "pachd",
            "app.kubernetes.io/managed-by": "Helm",
            "app.kubernetes.io/name": "postgresql",
            "helm.sh/chart": "postgresql-10.8.0"
        },
        "name": "postgres",
        "namespace": "default",
        "resourceVersion": "222291",
        "uid": "ea28f919-4b94-4dfb-ac4e-a9608abc5651"
    },
    "type": "Opaque"
}
[root@os004k8-master001 pachyderm]# kubectl get secrets postgres -o json | jq '.data | map_values(@base64d)'
{
  "postgresql-password": "insecure-user-password",
  "postgresql-postgres-password": "insecure-root-password"
}
```

Looking at the values in the [values file on github](https://github.com/pachyderm/pachyderm/blob/2.5.x/etc/helm/pachyderm/values.yaml), we can see that these reflect the defaults:

```
global:
  postgresql:
    # postgresqlUsername is the username to access the pachyderm and dex databases
    postgresqlUsername: "pachyderm"
    # postgresqlPassword to access the postgresql database.  We set a default well-known password to
    # facilitate easy upgrades when testing locally.  Any sort of install that needs to be secure
    # must specify a secure password here, or provide the postgresqlExistingSecretName and
    # postgresqlExistingSecretKey secret.  If using an external Postgres instance (CloudSQL / RDS /
    # etc.), this is the password that Pachyderm will use to connect to it.
    postgresqlPassword: "insecure-user-password"
    # When installing a local Postgres instance, postgresqlPostgresPassword defines the root
    # ('postgres') user's password.  It must remain consistent between upgrades, and must be
    # explicitly set to a value if security is desired.  Pachyderm does not use this account; this
    # password is only required so that administrators can manually perform administrative tasks.
    postgresqlPostgresPassword: "insecure-root-password"
```

According to the [documentation](https://hub.docker.com/_/postgres), the credentials for the postgresql server are configured through environmental variables

We will confirm this. First we connect to the pod
```
[root@os004k8-master001 pachyderm]# kubectl get pods
NAME                                               READY   STATUS             RESTARTS   AGE
console-5f7fbb6cb9-qjvlf                           1/1     Running            0          63m
etcd-0                                             1/1     Running            0          63m
minio                                              1/1     Running            0          169m
nfs-subdir-external-provisioner-7f9cf64cd8-7pv5g   1/1     Running            0          18h
pachd-55467db54f-dwddb                             0/1     CrashLoopBackOff   16         63m
pachd-loki-0                                       1/1     Running            0          63m
pachd-promtail-7v65r                               1/1     Running            0          63m
pachd-promtail-fzt4t                               0/1     Running            0          63m
pachd-promtail-kpq9p                               1/1     Running            0          63m
pachd-promtail-lsp8s                               0/1     Running            0          63m
pachd-promtail-npmrq                               1/1     Running            0          63m
pachd-promtail-vp822                               0/1     Running            0          63m
pachyderm-kube-event-tail-6c6598cd5-kjwvm          1/1     Running            0          63m
pachyderm-proxy-7f4545985c-xdl6q                   1/1     Running            0          63m
pg-bouncer-88dbc966b-vtdw9                         1/1     Running            0          63m
postgres-0                                         1/1     Running            0          63m
[root@os004k8-master001 pachyderm]# kubectl exec -ti postgres-0 /bin/bash
```

Once `kubectl exec` connects us to the postgresql pod, we run a command which tests logging in with credentials

```
pgsql@postgres-0:/$ echo $POSTGRES_USER
pachyderm
pgsql@postgres-0:/$ echo $POSTGRES_PASSWORD
insecure-user-password
pgsql@postgres-0:/$ psql -d "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@localhost" -c "select now()"
              now
-------------------------------
 2023-05-02 17:17:06.299393+00
(1 row)
```

We see the credentials are working.


#### Investigate Failing Pod (Deployment Target)

```
[root@os004k8-master001 pachyderm]# kubectl get pods
NAME                                               READY   STATUS             RESTARTS   AGE
console-5f7fbb6cb9-qjvlf                           1/1     Running            0          72m
etcd-0                                             1/1     Running            0          72m
minio                                              1/1     Running            0          177m
nfs-subdir-external-provisioner-7f9cf64cd8-7pv5g   1/1     Running            0          18h
pachd-55467db54f-dwddb                             0/1     CrashLoopBackOff   18         72m
...
```

```
[root@os004k8-master001 pachyderm]# kubectl logs pachd-55467db54f-dwddb | tail -n 5
{"severity":"info","time":"2023-05-02T17:16:17.858749827Z","logger":"ApplyMigrations","caller":"migrations/migrations.go:128","message":"migration 28 already applied"}
{"severity":"info","time":"2023-05-02T17:16:17.860701594Z","logger":"ApplyMigrations","caller":"migrations/migrations.go:128","message":"migration 29 already applied"}
{"severity":"info","time":"2023-05-02T17:16:17.86117891Z","logger":"ApplyMigrations","caller":"migrations/migrations.go:95","message":"ApplyMigrations: span finished ok","spanDuration":0.071345294}
{"severity":"info","time":"2023-05-02T17:16:17.869971271Z","caller":"grpcutil/server.go:69","message":"TLS disabled","error":"could not stat public cert at /pachd-tls-cert/tls.crt: stat /pachd-tls-cert/tls.crt: no such file or directory","errorVerbose":"stat /pachd-tls-cert/tls.crt: no such file or directory\ncould not stat public cert at /pachd-tls-cert/tls.crt\ngithub.com/pachyderm/pachyderm/v2/src/internal/tls.GetCertPaths\n\tsrc/internal/tls/tls.go:32\ngithub.com/pachyderm/pachyderm/v2/src/internal/grpcutil.NewServer\n\tsrc/internal/grpcutil/server.go:67\ngithub.com/pachyderm/pachyderm/v2/src/internal/pachd.(*builder).initExternalServer\n\tsrc/internal/pachd/builder.go:195\ngithub.com/pachyderm/pachyderm/v2/src/internal/pachd.(*builder).apply\n\tsrc/internal/pachd/builder.go:88\ngithub.com/pachyderm/pachyderm/v2/src/internal/pachd.(*fullBuilder).buildAndRun\n\tsrc/internal/pachd/full.go:66\ngithub.com/pachyderm/pachyderm/v2/src/internal/pachd.FullMode\n\tsrc/internal/pachd/full.go:107\ngithub.com/pachyderm/pachyderm/v2/src/internal/cmdutil.Main\n\tsrc/internal/cmdutil/env.go:34\nmain.main\n\tsrc/server/cmd/pachd/main.go:50\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:250\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1594"}
unrecognized storage backend: minio
```

```
{"severity":"info","time":"2023-05-02T17:26:32.937130467Z","logger":"WaitUntilReady","caller":"dbutil/db.go:142","message":"db is not ready","reason":"failed to connect to `host=pg-bouncer user=pachyderm database=pachyderm`: server error (FATAL: pgbouncer cannot connect to server (SQLSTATE 08P01))"}

```
this went away, flase alarm

I changed the backend to MINIO for the pachd section of the values file (documentation wrong)

Now i see

```
[root@os004k8-master001 pachyderm]# kubectl describe pod pachd-9c6b4c75b-ddlv6
...
  Warning  FailedMount  4m34s                  kubelet            MountVolume.SetUp failed for volume "pachyderm-storage-secret" : failed to sync secret cache: timed out waiting for the condition
...


[root@os004k8-master001 pachyderm]# kubectl logs pachd-9c6b4c75b-ddlv6
...
unable to write to object storage: pachyderm does not contain item: (test/6ac321e4a09147e3917104f7b3d4ae38)
```

Found it in the source code

```
// TestStorage is a defensive method for checking to make sure that storage is
// properly configured.
func TestStorage(ctx context.Context, c Client) error {
	testObj := "test/" + uuid.NewWithoutDashes()
	if err := func() (retErr error) {
		data := []byte("test")
		return errors.EnsureStack(c.Put(ctx, testObj, bytes.NewReader(data)))
	}(); err != nil {
		return errors.Wrapf(err, "unable to write to object storage")
	}
```



This suggests the minio configurations are wrong. They were. I needed to creat a bucket

#### Persistent Volume Claim Not Working
In the events section, I see the pod is not running because it failed to schedule. This failure shows an associated message of "pod has unbound immediate PersistentVolumeClaims". I see that the pod is trying to run a loki container provided by the grafana project. I googled this error to try an understand the root cause.

I managed to find an [issue](https://community.grafana.com/t/helm-installation-with-persisistent-storage-does-not-bind-storage/45672) from an issue tracker mentioning a similar issue.

The first question was to list out the persistent volume claims with a `kubectl get pvc`. Mine was as follows:

```
[root@os004k8-master001 ~]# kubectl get PersistentVolumeClaims
NAME                   STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
data-postgres-0        Pending                                                     128m
etcd-storage-etcd-0    Pending                                                     128m
storage-pachd-loki-0   Pending                                                     128m
```

Describing the resource I see the following:

```
[root@os004k8-master001 ~]# kubectl describe pvc storage-pachd-loki-0
Name:          storage-pachd-loki-0
Namespace:     default
StorageClass:
Status:        Pending
Volume:
Labels:        app=loki
               release=pachd
Annotations:   <none>
Finalizers:    [kubernetes.io/pvc-protection]
Capacity:
Access Modes:
VolumeMode:    Filesystem
Used By:       pachd-loki-0
Events:
  Type    Reason         Age                     From                         Message
  ----    ------         ----                    ----                         -------
  Normal  FailedBinding  4m25s (x502 over 129m)  persistentvolume-controller  no persistent volumes available for this claim and no storage class is set

```

Having a look at the deployment manifest I see:

```
[root@os004k8-master001 ~]# kubectl get pvc storage-pachd-loki-0 -o yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  creationTimestamp: "2023-05-01T16:39:45Z"
  finalizers:
  - kubernetes.io/pvc-protection
  labels:
    app: loki
    release: pachd
  name: storage-pachd-loki-0
  namespace: default
  resourceVersion: "34516"
  uid: 33d258a0-32a3-4911-a54a-46f57a2c757e
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  volumeMode: Filesystem
status:
  phase: Pending

```

I wanted to understand what a PVC was. I had a look at the official kubernetes documentation to dig in.

> The PersistentVolume subsystem provides an API for users and administrators that abstracts details of how storage is provided from how it is consumed. To do this, we introduce two new API resources: PersistentVolume and PersistentVolumeClaim.
>
> A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Classes. It is a resource in the cluster just like a node is a cluster resource. PVs are volume plugins like Volumes, but have a lifecycle independent of any individual Pod that uses the PV. This API object captures the details of the implementation of the storage, be that NFS, iSCSI, or a cloud-provider-specific storage system.
>
> A PersistentVolumeClaim (PVC) is a request for storage by a user. It is similar to a Pod. Pods consume node resources and PVCs consume PV resources. Pods can request specific levels of resources (CPU and Memory). Claims can request specific size and access modes (e.g., they can be mounted ReadWriteOnce, ReadOnlyMany or ReadWriteMany, see AccessModes).
>
> https://kubernetes.io/docs/concepts/storage/persistent-volumes/

At this point I think I am understanding the problem: the helm chart deployed pods which required PersistentVolumes, but those volumes do not exist. I wondered why and continued reading:

> Provisioning
>
>There are two ways PVs may be provisioned: statically or dynamically.
>
> Static
>
> A cluster administrator creates a number of PVs. They carry the details of the real storage, which is available for use by cluster users. They exist in the Kubernetes API and are available for consumption.
>
> Dynamic
>
> When none of the static PVs the administrator created match a user's PersistentVolumeClaim, the cluster may try to dynamically provision a volume specially for the PVC. This provisioning is based on StorageClasses: the PVC must request a storage class and the administrator must have created and configured that class for dynamic provisioning to occur. Claims that request the class "" effectively disable dynamic provisioning for themselves.
>
> To enable dynamic storage provisioning based on storage class, the cluster administrator needs to enable the DefaultStorageClass admission controller on the API server. This can be done, for example, by ensuring that DefaultStorageClass is among the comma-delimited, ordered list of values for the --enable-admission-plugins flag of the API server component. For more information on API server command-line flags, check kube-apiserver documentation.


So, if there are no volumes, the volume claims can never be satisfied. So my next question is: "Are resources being defined/requested but not being deployed correctly (i.e. something is failing) or are resources not being defined but are being requested?"

I checked and confirmed I do not have any persistent volumes provisioned on my cluster:

```
[root@os004k8-master001 ~]# kubectl get PersistentVolumes
No resources found

```

I would expect that if something was defined and a deployment failed I would see it listed in that output. This is telling me that nothing was provisioned.


To make sure this suspicion was correct I had a look at loki documentation. It does [mention](https://grafana.com/docs/loki/latest/installation/helm/configure-storage/) that in order to use loki, stoage must be configured. The storage configuration section in the values.yaml file accepts a number of parameters. 

> Configure storage
> The scalable installation requires a managed object store such as AWS S3 or Google Cloud Storage or a self-hosted store such as Minio. The single binary installation can only use the filesystem for storage.
>
> This guide assumes Loki will be installed in on of the modes above and that a values.yaml has been created.
>
> https://grafana.com/docs/loki/latest/installation/helm/configure-storage/

I had a look at the [values.yaml file from the git repository](https://github.com/grafana/helm-charts/blob/main/charts/loki-stack/values.yaml) and saw that it did not have any definitions specific to a storage provider.


Ultimately the root issue was that I had not properly defined a Storage Class and associated it with a Persistent Volume Claim. [This section](#persistent-volume-claims) describes how to accomplish this.