added iperf chart

Signed-off-by: Michal Minář <michal.minar@id.ethz.ch>

.gitlab-ci.yml

@@ -33,8 +33,6 @@ variables:
   CACHE: auto
 
 build-push:
-  tags:
-    - staging
   extends: .kaniko-build
   before_script:
     - >

.gitlab/lint.yaml

 ---
+include:
+  - remote: https://gitlab.com/ethz-hpc/pipelines/-/raw/main/scripts/chart/kube-linter.yaml
+
 yamllint:
   stage: lint
   image: registry.gitlab.com/pipeline-components/yamllint:0.31.2@sha256:82f082414bad17ec04f4d271262a6dcaf64883bb4f1ce73923380125af8b94ee
@@ -21,7 +24,7 @@ markdownlint:
   stage: lint
   image: registry.gitlab.com/pipeline-components/markdownlint:0.13.3@sha256:05e98b078e72c637e90a15094d012ed63108d101a941c2526833717ae50eb802
   script:
-    - mdl --style all --warnings .
+    - mdl --warnings .
   rules:
     - if: >-
         $CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
@@ -34,6 +37,8 @@ markdownlint:
           - "*.MD"
           - "**/*.md"
           - "**/*.MD"
+          - ".mdlrc"
+          - ".markdown.style.rb"
 
 hadolint:
   stage: lint
@@ -50,3 +55,27 @@ hadolint:
           - Dockerfile*
           - "**/Dockerfile*"
           - .gitlab-ci.yaml
+          - .gitlab/lint.yaml
+
+iperf-kube-lint:
+  extends: .kube-linter
+  image: registry.gitlab.com/ethz-hpc/pipelines/kube-linter:latest
+  stage: lint
+  script:
+    - set -eo pipefail
+    - cd charts/iperf
+    - >-
+      helm template iperf-server . |
+        awk -v o=/dev/stderr '/^(apiVersion:|---)/ { o="/dev/stdout" } { print >o }' |
+        tee /dev/stderr |
+        kube-linter lint --fail-if-no-objects-found --fail-on-invalid-resource -
+  rules:
+    - if: >-
+        $CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
+        $RENOVATE == "true"
+      when: never
+    - changes:
+        paths:
+          - .gitlab-ci.yaml
+          - .gitlab/lint.yaml
+          - charts/**/*.yaml

.markdown.style.rb

+all
+rule 'MD013', :line_length => 150, :code_block_line_length => 150

.mdlrc

+style "./.markdown.style.rb"

.yamllint

@@ -12,4 +12,9 @@ rules:
     max: 150  # due to digest pinning
     level: warning
 
+ignore:
+  - charts/iperf/templates/deployment.yaml
+  - charts/iperf/templates/networkpolicy.yaml
+  - charts/iperf/templates/service.yaml
+
 # ex: ft=yaml et ts=2 sw=2 :

Dockerfile

@@ -16,6 +16,18 @@ ARG CURL_VERSION=8.5.0-2ubuntu10.1
 ARG NMAP_VERSION=7.94+git20230807.3be01efb1+dfsg-3build2
 # renovate: datasource=repology depName=ubuntu_24_04/tini versioning=semver-coerced
 ARG TINI_VERSION=0.19.0-1
+# renovate: datasource=repology depName=ubuntu_24_04/traceroute versioning=semver-coerced
+ARG TRACEROUTE_VERSION=1:2.1.5-1
+# renovate: datasource=repology depName=ubuntu_24_04/inetutils-ping versioning=semver-coerced
+ARG INETUTILS_PING_VERSION=2:2.5-3ubuntu4
+# renovate: datasource=repology depName=ubuntu_24_04/iftop versioning=semver-coerced
+ARG IFTOP=1.0~pre4-9build2
+# renovate: datasource=repology depName=ubuntu_24_04/tcpdump versioning=semver-coerced
+ARG TCPDUMP_VERSION=4.99.4-3ubuntu4
+# renovate: datasource=repology depName=ubuntu_24_04/mtr-tiny versioning=semver-coerced
+ARG MTR_TINY_VERSION=0.95-1.1build2
+# renovate: datasource=repology depName=ubuntu_24_04/iputils-tracepath versioning=semver-coerced
+ARG IPUTILS_TRACEPATH=3:20240117-1build1
 
 # renovate: datasource=docker
 ARG UBUNTU_IMAGE_TAG=24.04
@@ -25,12 +37,17 @@ ARG REVISION=""
 # hadolint ignore=DL3015
 RUN apt-get update \
  && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-        iproute2="${IPROUTE2_VERSION}" \
-        bind9-utils="${BIND9_UTILS_VERSION}" \
         bind9-dnsutils="${BIND9_UTILS_VERSION}" \
-        tini="${TINI_VERSION}" \
+        bind9-utils="${BIND9_UTILS_VERSION}" \
         curl="${CURL_VERSION}" \
+        inetutils-ping="${INETUTILS_PING_VERSION}" \
+        iproute2="${IPROUTE2_VERSION}" \
+        iputils-tracepath="${IPUTILS_TRACEPATH}" \
+        mtr-tiny="${MTR_TINY_VERSION}" \
         nmap="${NMAP_VERSION}" \
+        tcpdump="${TCPDUMP_VERSION}" \
+        tini="${TINI_VERSION}" \
+        traceroute="${TRACEROUTE_VERSION}" \
  && if [ "${WITH_IPERF:-0}" = "1" ]; then apt-get install -y iperf3="${IPERF3_VERSION}"; fi \
  && rm -rf /var/cache/apt/*
 

README.md

 # Network utilities container image
 
 Useful for debugging network issues.
+
+## Usage
+
+Create an ad-hoc "net-debug" pod in the default namespace on the pod network:
+
+```sh
+$ kubectl run -it --rm -n default \
+    --image=registry.ethz.ch/hpc-registry/netutils net-debug
+root@debug:/# nslookup kubernetes.default
+Server:         10.205.209.10
+Address:        10.205.209.10#53
+
+Name:   kubernetes.default.svc.cluster.local
+Address: 10.205.209.1
+```
+
+The same on the host network:
+
+```sh
+$ kubectl run -it --rm -n default --overrides='{"spec":{"hostNetwork":true}}' \
+    --image=registry.ethz.ch/hpc-registry/netutils net-debug
+root@eu-k8s-dev-10:/# ip a show access
+8: access: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
+    link/ether d6:6a:36:07:83:02 brd ff:ff:ff:ff:ff:ff
+    inet 10.205.160.40/20 brd 10.205.175.255 scope global access
+       valid_lft forever preferred_lft forever
+```
+
+### Iperf server-client
+
+An ad-hoc pod on a specific node running iperf server:
+
+```sh
+$ kubectl run --attach --rm -n default \
+    --overrides='{"spec":{"nodeName":"eu-k8s-dev-09.euler.ethz.ch"}}' \
+    --image=registry.ethz.ch/hpc-registry/netutils \
+    iperf-server --command -- iperf3 --server -4 --one-off
+```
+
+*Note*: The pod will terminate and will be deleted after the first handled
+connection thanks to `--one-off`.
+
+Determine its IP:
+
+```sh
+$ kubectl get pod -o wide -n default iperf-server
+NAME           READY   STATUS    RESTARTS   AGE    IP               NODE                          NOMINATED NODE   READINESS GATES
+iperf-server   1/1     Running   0          4m2s   10.205.244.143   eu-k8s-dev-09.euler.ethz.ch   <none>           <none>
+```
+
+And run a client on a different node (on pod network):
+
+```sh
+$ kubectl run --attach --rm -n default \
+    --overrides='{"spec":{"nodeName":"eu-k8s-dev-10.euler.ethz.ch"}}' \
+    --image registry.ethz.ch/hpc-registry/netutils \
+    iperf-client --command -- iperf3 --bidir -P 4 -4 --client 10.205.244.143
+...
+[ 17][RX-C]   0.00-10.00  sec  3.79 GBytes  3.25 Gbits/sec  2725             sender
+[ 17][RX-C]   0.00-10.00  sec  3.79 GBytes  3.25 Gbits/sec                  receiver
+[ 19][RX-C]   0.00-10.00  sec  3.81 GBytes  3.27 Gbits/sec  3012             sender
+[ 19][RX-C]   0.00-10.00  sec  3.80 GBytes  3.27 Gbits/sec                  receiver
+[SUM][RX-C]   0.00-10.00  sec  22.2 GBytes  19.1 Gbits/sec  11059             sender
+[SUM][RX-C]   0.00-10.00  sec  22.2 GBytes  19.0 Gbits/sec                  receiver
+
+iperf Done.
+pod "iperf-client" deleted
+```

charts/iperf/.kube-linter.yaml

+---
+checks:
+  exclude:
+    - latest-tag
+    - drop-net-raw-capability

charts/iperf/Chart.yaml

+---
+apiVersion: v2
+name: iperf
+description: Iperf3 server for network bandwidth testing
+
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+
+dependencies: []

charts/iperf/Makefile

+NAMESPACE    ?= default
+CHART_NAME   ?= iperf-server
+HELM_ARGS    := $(CHART_NAME) . -n $(NAMESPACE) -f values.yaml $(HELM_ARGS)
+
+.PHONY: lint
+lint:
+	make render | awk -v o=/dev/stderr '/^(apiVersion:|---)/ { o="/dev/stdout" } { print >o }' | \
+		kube-linter lint --fail-if-no-objects-found --fail-on-invalid-resource -
+
+.PHONY: render
+render:
+	helm template $(HELM_ARGS)
+
+.PHONY: install
+install:
+	helm install --create-namespace $(HELM_ARGS)
+
+upgrade:
+	helm upgrade $(HELM_ARGS)
+
+.PHONY: diff
+# requires helm diff plugin
+diff:
+	helm diff upgrade $(HELM_ARGS)
+
+.PHONY: kdiff
+kdiff:
+	make render | awk -v o=/dev/stderr '/^(apiVersion:|---)/ { o="/dev/stdout" } { print >o }' | \
+		kubectl diff -n "$(NAMESPACE)" -f - ||:
+
+# ex: ft=make noet ts=4 sw=4 :

charts/iperf/templates/deployment.yaml

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+  labels:
+    app.kubernetes.io/name: iperf-server
+    app.kubernetes.io/part-of: iperf-server
+  name: iperf-server
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  replicas: {{ .Values.replicas | default 1 }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: iperf-server
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: iperf-server
+        app.kubernetes.io/part-of: iperf-server
+    spec:
+      containers:
+        - command:
+            - /usr/bin/iperf3
+          args:
+            - --server
+{{- range $_, $arg := (index (default (list) .Values.server) "args") }}
+            - {{ $arg }}
+{{- end }}
+          image: {{ .Values.image.name |
+              default "registry.ethz.ch/hpc-registry/netutils" }}:{{
+              .Values.image.tag | default "latest" }}
+          imagePullPolicy: Always
+          name: iperf-server
+          ports:
+            - containerPort: {{ .Values.server.port | default 5201 }}
+              name: iperf-server
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 2
+              ephemeral-storage: 64Mi
+              memory: 512Mi
+            requests:
+              cpu: 200m
+              ephemeral-storage: 2Mi
+              memory: 64Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              add:
+                - NET_ADMIN
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+{{- if .Values.mountHost | default false }}
+            - name: host
+              mountPath: /host
+{{- end }}
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ .Values.nodeSelector | indent 10 }}
+{{- end }}
+      restartPolicy: Always
+      hostNetwork: {{ .Values.hostNetwork | default false }}
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: iperf
+{{- if .Values.tolerations }}
+      tolerations:
+{{ .Values.tolerations | indent 10 }}
+{{- end }}
+      volumes:
+        - name: tmp
+          emptyDir:
+            sizeLimit: 56Mi
+{{- if .Values.mountHost | default false }}
+        - hostPath:
+            path: /
+          name: host
+{{- end }}

charts/iperf/templates/networkpolicy.yaml

+{{- if index (default (dict) .Values.networkPolicy) "enabled" | default false }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/name: iperf-server
+    app.kubernetes.io/part-of: iperf-server
+  name: iperf-server
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  ingress:
+    - from:
+{{- range $_, $cidr := .Values.networkPolicy.ingress.CIDRs }}
+        - ipBlock:
+            cidr: "{{ $cidr }}"
+{{- end }}
+      ports:
+        - port: {{ .Values.server.port | default 5201 }}
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: iperf-server
+      app.kubernetes.io/part-of: iperf-server
+  policyTypes:
+    - Ingress
+{{- end }}

charts/iperf/templates/sa.yaml

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: iperf
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    app.kubernetes.io/part-of: iperf-server

charts/iperf/templates/service.yaml

+---
+apiVersion: v1
+kind: Service
+metadata:
+{{- if index (default (dict) .Values.service) "annotations" }}
+  annotations:
+{{ .Values.service.annotations | toYaml | indent 4 }}
+{{- end }}
+  labels:
+    app.kubernetes.io/name: iperf-server
+    app.kubernetes.io/part-of: iperf-server
+  name: iperf-server
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  externalTrafficPolicy: "{{ .Values.service.externalTrafficPolicy | default "Local" }}"
+  ports:
+    - name: iperf-server
+      port: {{ .Values.server.port | default 5201 }}
+      targetPort: iperf-server
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: iperf-server
+  type: LoadBalancer

charts/iperf/values.yaml

+---
+image:
+  name: registry.ethz.ch/hpc-registry/netutils
+  tag: latest
+replicas: 1
+## mount / of the host at /host in the container
+mountHost: false
+hostNetwork: false
+# nodeSelector: {}
+service:
+  annotations:
+    metallb.universe.tf/address-pool: public
+    metallb.universe.tf/ip-allocated-from-pool: public
+    metallb.universe.tf/loadBalancerIPs: CHANGEME
+  externalTrafficPolicy: Local
+server:
+  args: []
+  port: 5201
+networkPolicy:
+  enabled: false
+  ingress:
+    CIDRs: []