LukeRepko · github-actions · Nov 4, 2025 · Nov 5, 2025 · Nov 6, 2025 · Nov 7, 2025
diff --git a/.github/workflows/release-ipfix-collector.yaml b/.github/workflows/release-ipfix-collector.yaml
@@ -0,0 +1,115 @@
+#
+name: Create and publish an IPFIX Collector image
+
+on:
+  push:
+    paths:
+    - '.github/workflows/release-ipfix-collector.yaml'
+    - 'Containerfiles/IPFIX-Collector-Containerfile'
+    branches:
+      - development
+      - main
+  workflow_dispatch:
+    inputs:
+      imageTag:
+        description: 'Set tag for the image'
+        required: true
+        default: '1.0.0-alpine'
+        type: choice
+        options:
+          - 1.0.0-alpine
+          - 1.1.0-alpine
+          - latest
+
+# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository  }}
+  DEF_TAG_NAME: 1.0.0-alpine
+
+# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+jobs:
+  build-and-push-image:
+    outputs:
+      MY_DATE: ${{ steps.mydate.outputs.MY_DATE }}
+      MY_CONTAINER: ${{ steps.mycontainer.outputs.MY_CONTAINER }}
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      # ghcr only allows lowercase repository names
+      - name: lowercase repo name
+        run: |
+          echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
+      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+      - name: Dynamically set MY_DATE environment variable
+        run: echo "MY_DATE=$(date +%s)" >> $GITHUB_ENV
+      - name: Build and push Docker image
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          file: Containerfiles/IPFIX-Collector-Containerfile
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/ipfix-collector:${{ github.event.inputs.imageTag || env.DEF_TAG_NAME }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/ipfix-collector:${{ github.event.inputs.imageTag || env.DEF_TAG_NAME }}-${{ env.MY_DATE }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Dynamically set MY_CONTAINER output option
+        id: mycontainer
+        run: echo "MY_CONTAINER=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/ipfix-collector:${{ github.event.inputs.imageTag || env.DEF_TAG_NAME }}-${{ env.MY_DATE }}" >> $GITHUB_OUTPUT
+      - name: Dynamically set MY_DATE output option
+        id: mydate
+        run: echo "MY_DATE=${{ env.MY_DATE }}" >> $GITHUB_OUTPUT
+
+  change-original-images:
+    runs-on: ubuntu-latest
+    needs: [build-and-push-image]
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Dynamically update the original images file
+        run: jq '. + ["${{ needs.build-and-push-image.outputs.MY_CONTAINER }}"] | sort' .original-images.json | tee .original-images.json.new
+      - name: Rewrite original images file
+        run: mv .original-images.json.new .original-images.json
+      - name: Create Pull Request
+        id: cpr
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: Update original images with new IPFIX collector container
+          committer: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
+          author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>
+          signoff: false
+          branch: ipfix-collector-${{ needs.build-and-push-image.outputs.MY_DATE }}
+          sign-commits: true
+          delete-branch: true
+          title: 'chore: Update original images with IPFIX collector'
+          body: |
+            Update container image
+            - Updated original image file with container ${{needs.build-and-push-image.outputs.MY_CONTAINER}}
+            change request Auto-generated
+          labels: |
+            container images
+            automated pr
+          draft: false
diff --git a/.original-images.json b/.original-images.json
@@ -1,5 +1,8 @@
 [
   "cr.fluentbit.io/fluent/fluent-bit:4.0.7",
+  "docker.io/bitnamilegacy/memcached-exporter:0.15.0-debian-12-r3",
+  "docker.io/bitnamilegacy/memcached:1.6.33-debian-12-r0",
+  "docker.io/bitnamilegacy/os-shell:12-debian-12-r50",
   "docker.io/docker:17.07.0",
   "docker.io/kolla/ubuntu-source-nova-compute-ironic:master",
   "docker.io/library/postgres:14.5",
@@ -13,9 +16,11 @@
   "docker.io/openstackhelm/horizon:2023.1-ubuntu_jammy",
   "docker.io/openstackhelm/ironic:2024.1-ubuntu_jammy",
   "docker.io/openstackhelm/magnum:2024.1-ubuntu_jammy",
+  "docker.io/openstackhelm/manila:2024.1-ubuntu_jammy",
+  "docker.io/openstackhelm/masakari-monitors:2024.1-ubuntu_jammy",
   "docker.io/openstackhelm/masakari-monitors:2024.1-ubuntu_jammy",
   "docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy",
-  "docker.io/openstackhelm/manila:2024.1-ubuntu_jammy",
+  "docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy",
   "docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy",
   "docker.io/openstackhelm/osh-selenium:latest-ubuntu_jammy",
   "docker.io/openstackhelm/ospurge:latest",
@@ -25,6 +30,7 @@
   "docker.io/wrouesnel/postgres_exporter:v0.4.6",
   "docker.io/xrally/xrally-openstack:2.0.0",
   "gcr.io/google_containers/hyperkube-amd64:v1.11.6",
+  "ghcr.io/lukerepko/genestack/ipfix-collector:1.0.0-alpine-1772077661",
   "ghcr.io/rackerlabs/genestack/ceilometer:2024.1-ubuntu_jammy-1738626813",
   "ghcr.io/rackerlabs/genestack/cinder-volume-rxt:2024.1-ubuntu_jammy-1731085441",
   "ghcr.io/rackerlabs/genestack/glance:2024.1-ubuntu_jammy-1740121591",
@@ -43,15 +49,10 @@
   "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1747958291",
   "ghcr.io/rackerlabs/skyline-rxt:master-ubuntu_jammy-1748595671",
   "ghcr.io/vexxhost/netoffload:v1.0.1",
-  "quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy",
-  "quay.io/airshipit/porthole-postgresql-utility:latest-ubuntu_bionic",
-  "quay.io/airshipit/freezer:2025.1-ubuntu_jammy",
-  "quay.io/airshipit/freezer-api:2025.1-ubuntu_jammy",
   "quay.io/airshipit/blazar:2025.1-ubuntu_jammy",
   "quay.io/airshipit/cloudkitty:2024.1-ubuntu_jammy",
-  "docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy",
-  "docker.io/openstackhelm/masakari-monitors:2024.1-ubuntu_jammy",
-  "docker.io/bitnamilegacy/memcached:1.6.33-debian-12-r0",
-  "docker.io/bitnamilegacy/memcached-exporter:0.15.0-debian-12-r3",
-  "docker.io/bitnamilegacy/os-shell:12-debian-12-r50"
+  "quay.io/airshipit/freezer-api:2025.1-ubuntu_jammy",
+  "quay.io/airshipit/freezer:2025.1-ubuntu_jammy",
+  "quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy",
+  "quay.io/airshipit/porthole-postgresql-utility:latest-ubuntu_bionic"
 ]
diff --git a/Containerfiles/IPFIX-Collector-Containerfile b/Containerfiles/IPFIX-Collector-Containerfile
@@ -0,0 +1,27 @@
+FROM python:3.13-alpine
+
+# Install runtime dependencies
+RUN apk add --no-cache \
+    bash \
+    ca-certificates \
+    tzdata \
+    curl \
+    nfdump
+
+# Install Python dependencies for rollup script
+RUN pip install --no-cache-dir \
+    requests \
+    urllib3
+
+# Create flow directory
+RUN mkdir -p /var/lib/ipfix /var/lib/ipfix/processed && \
+    chmod 755 /var/lib/ipfix /var/lib/ipfix/processed
+
+# Add non-root user
+RUN adduser -D -u 1000 ipfix
+
+WORKDIR /var/lib/ipfix
+
+USER ipfix
+
+ENTRYPOINT ["/bin/bash"]
diff --git a/base-helm-configs/clickhouse/clickhouse-helm-overrides.yaml b/base-helm-configs/clickhouse/clickhouse-helm-overrides.yaml
@@ -0,0 +1,34 @@
+# Operator goes in the clickhouse namespace and watches that namespace only.
+createCRDs: true
+watchNamespaces:
+  - clickhouse
+
+affinity:
+  # Schedule the operator only on worker nodes.
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+          - key: node-role.kubernetes.io/worker
+            operator: In
+            values:
+            - worker
+  # Spread away from other operator pods (if HA operator is enabled later).
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values: ["altinity-clickhouse-operator"]
+          topologyKey: "kubernetes.io/hostname"
+
+# Keep it quiet-ish but observable
+env:
+  - name: LOG_LEVEL
+    value: "info"
+
+metrics:
+  enabled: true
diff --git a/base-helm-configs/ipfix/ipfix-helm-overrides.yaml b/base-helm-configs/ipfix/ipfix-helm-overrides.yaml
@@ -0,0 +1,37 @@
+ipfix:
+  namespace: ipfix
+
+  # Schedule collectors only on nodes we expect VIP egress on.
+  nodeSelector:
+    openstack-network-node: "enabled"
+
+  # nfcapd
+  listenPort: 4739
+  rotateSeconds: 300
+  compress: true
+
+  # Local flow storage on each node (hostPath: /var/lib/ipfix)
+  # Flows are stored locally on each node, surviving reboots
+  # No shared storage needed - each node processes its own flows
+
+  # Rollup interval (seconds)
+  rollupEverySeconds: 300
+
+  # ClickHouse HTTP endpoint (override here to match your cluster)
+  clickhouse:
+    namespace: clickhouse
+    httpUrl: "http://clickhouse-http.clickhouse.svc.cluster.local:8123"
+    database: "ipfix"
+    table: "vip_hourly_node"
+    # secret name for creds; install script creates if missing
+    secretName: "ipfix-clickhouse-creds"
+
+  # Optional: restrict rollup to known VIPs
+  # (ConfigMap with vips.txt can be added later)
+  vipListConfigMap: ""
+
+  s3:
+    enabled: false
+    rawBucket: "s3://org-ipfix-raw-dev"
+    prefix: "clusterA/${NODE_NAME}/"
+    secretName: "s3-credentials"
diff --git a/base-kustomize/clickhouse/base/chi-server-base.yaml b/base-kustomize/clickhouse/base/chi-server-base.yaml
@@ -0,0 +1,84 @@
+apiVersion: clickhouse.altinity.com/v1
+kind: ClickHouseInstallation
+metadata:
+  name: server
+  namespace: clickhouse
+spec:
+  taskID: "1"
+
+  configuration:
+    # No Keeper here for base config (single node / non-replicated)
+
+    users:
+      # Disable dangerous defaults; create reader/writer explicitly.
+      default/readonly: 1
+
+      writer/password_sha256_hex:
+        valueFrom:
+          secretKeyRef:
+            name: clickhouse-db-passwords
+            key: writer_password_sha256
+      writer/profile: default
+      writer/quota: default
+      writer/networks/ip: "::/0"
+
+      reader/password_sha256_hex:
+        valueFrom:
+          secretKeyRef:
+            name: clickhouse-db-passwords
+            key: reader_password_sha256
+      reader/profile: readonly
+      reader/quota: default
+      reader/networks/ip: "::/0"
+
+    profiles:
+      readonly/readonly: 1
+
+    clusters:
+      - name: c
+        layout:
+          shardsCount: 1
+          replicasCount: 1
+        templates:
+          podTemplate: ch-pod
+          volumeClaimTemplate: ch-data
+
+  templates:
+    podTemplates:
+      - name: ch-pod
+        spec:
+          affinity:
+            nodeAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: node-role.kubernetes.io/worker
+                        operator: In
+                        values:
+                          - worker
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchLabels:
+                      clickhouse.altinity.com/chi: ch
+                  topologyKey: "kubernetes.io/hostname"
+          containers:
+            - name: clickhouse
+              # Injected by envsubst in install script from helm-chart-versions.yaml
+              image: ${CLICKHOUSE_SERVER_IMAGE}
+              imagePullPolicy: IfNotPresent
+              ports:
+                - name: http
+                  containerPort: 8123
+                - name: native
+                  containerPort: 9000
+                - name: inter
+                  containerPort: 9009
+    volumeClaimTemplates:
+      - name: ch-data
+        spec:
+          accessModes: ["ReadWriteOnce"]
+          storageClassName: general
+          resources:
+            requests:
+              storage: 10Gi
diff --git a/base-kustomize/clickhouse/base/kustomization.yaml b/base-kustomize/clickhouse/base/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+sortOptions:
+  order: fifo
+resources:
+  - chi-server-base.yaml
+  - svc-clickhouse-http.yaml
diff --git a/base-kustomize/clickhouse/base/svc-clickhouse-http.yaml b/base-kustomize/clickhouse/base/svc-clickhouse-http.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: clickhouse-http
+  namespace: clickhouse
+  labels:
+    app: clickhouse
+spec:
+  type: ClusterIP
+  selector:
+    clickhouse.altinity.com/chi: ch
+  ports:
+    - name: http
+      port: 8123
+      targetPort: 8123
diff --git a/base-kustomize/clickhouse/ipfix/ch-pdb-s01.yaml b/base-kustomize/clickhouse/ipfix/ch-pdb-s01.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: ch-pdb-s01
+  namespace: clickhouse
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      clickhouse.altinity.com/chi: server
+      clickhouse.altinity.com/cluster: ipfix
+      clickhouse.altinity.com/shard: s01