fix: fix broken CRDs handling for ECK operator

Stefan Reimer 2021-05-14 00:11:13 +02:00
parent 2e72673c01
commit 117ee6be49
25 changed files with 5173 additions and 11 deletions


@ -3,7 +3,7 @@ name: kubezero-logging
description: KubeZero Umbrella Chart for complete EFK stack
type: application
version: 0.6.5
appVersion: 1.4.1
appVersion: 1.5.0
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -20,7 +20,7 @@ dependencies:
repository: https://zero-down-time.github.io/kubezero/
- name: eck-operator
version: 1.5.0
repository: https://helm.elastic.co
# repository: https://helm.elastic.co
condition: eck-operator.enabled
- name: fluentd
version: 0.2.2
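Review bot: Commenting out `repository: https://helm.elastic.co` makes Helm resolve the `eck-operator` 1.5.0 dependency from a local `charts/` copy, but the hunk records neither where that copy came from nor how it diverges from the published chart, so upstream fixes to the operator (which ships cluster-wide RBAC and an admission webhook, per the templates added in this commit) will only arrive when someone re-vendors it by hand. Since the README already has a "Changes from upstream" section, a provenance comment next to the disabled line would keep the dependency auditable, e.g. `# repository disabled: chart vendored from https://helm.elastic.co (eck-operator-1.5.0) with local CRD handling changes, see README "Changes from upstream"`. The local copy is inferred from the new `eck-operator` Chart.yaml and templates in this commit rather than stated in the hunk; the first hunk is only the appVersion bump.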


@ -1,6 +1,6 @@
# kubezero-logging
![Version: 0.6.2](https://img.shields.io/badge/Version-0.6.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.1](https://img.shields.io/badge/AppVersion-1.4.1-informational?style=flat-square)
![Version: 0.6.5](https://img.shields.io/badge/Version-0.6.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square)
KubeZero Umbrella Chart for complete EFK stack
@ -14,13 +14,13 @@ KubeZero Umbrella Chart for complete EFK stack
## Requirements
Kubernetes: `>= 1.16.0`
Kubernetes: `>= 1.18.0`
| Repository | Name | Version |
|------------|------|---------|
| | fluent-bit | 0.12.3 |
| | fluent-bit | 0.15.4 |
| | fluentd | 0.2.2 |
| https://helm.elastic.co | eck-operator | 1.4.1 |
| https://helm.elastic.co | eck-operator | 1.5.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Changes from upstream
@ -70,21 +70,31 @@ Kubernetes: `>= 1.16.0`
| fluent-bit.config.customParsers | string | `"[PARSER]\n Name cri-log\n Format regex\n Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<log>.*)$\n Time_Key time\n Time_Format %Y-%m-%dT%H:%M:%S.%L%z\n"` | |
| fluent-bit.config.filters | string | `"[FILTER]\n Name lua\n Match cri.*\n script /fluent-bit/scripts/kubezero.lua\n call reassemble_cri_logs\n\n[FILTER]\n Name kubernetes\n Match cri.*\n Merge_Log On\n Merge_Log_Key kube\n Kube_Tag_Prefix cri.var.log.containers.\n Keep_Log Off\n K8S-Logging.Parser Off\n K8S-Logging.Exclude Off\n #Use_Kubelet true\n #Kubelet_Port 10250\n\n{{- if index .Values \"config\" \"extraRecords\" }}\n\n[FILTER]\n Name record_modifier\n Match cri.*\n {{- range $k,$v := index .Values \"config\" \"extraRecords\" }}\n Record {{ $k }} {{ $v }}\n {{- end }}\n{{- end }}\n\n[FILTER]\n Name rewrite_tag\n Match cri.*\n Emitter_Name kube_tag_rewriter\n Rule logtag F kube.$kubernetes['namespace_name'].$kubernetes['container_name'] false\n\n[FILTER]\n Name lua\n Match kube.*\n script /fluent-bit/scripts/kubezero.lua\n call nest_k8s_ns\n"` | |
| fluent-bit.config.flushInterval | int | `5` | |
| fluent-bit.config.input.memBufLimit | string | `"16MB"` | |
| fluent-bit.config.input.memBufLimit | string | `"4MB"` | |
| fluent-bit.config.input.refreshInterval | int | `10` | |
| fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n Parser cri-log\n Tag cri.*\n Skip_Long_Lines On\n DB /var/log/flb_kube.db\n DB.Sync Normal\n {{- with .Values.config.input }}\n Mem_Buf_Limit {{ default \"16MB\" .memBufLimit }}\n Refresh_Interval {{ default 10 .refreshInterval }}\n {{- end }}\n"` | |
| fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n Parser cri-log\n Tag cri.*\n Skip_Long_Lines On\n DB /var/log/flb_kube.db\n DB.Sync Normal\n {{- with .Values.config.input }}\n Mem_Buf_Limit {{ default \"4MB\" .memBufLimit }}\n Refresh_Interval {{ default 10 .refreshInterval }}\n {{- end }}\n"` | |
| fluent-bit.config.logLevel | string | `"warn"` | |
| fluent-bit.config.output.host | string | `"logging-fluentd"` | |
| fluent-bit.config.output.sharedKey | string | `"cloudbender"` | |
| fluent-bit.config.output.tls | bool | `false` | |
| fluent-bit.config.outputs | string | `"[OUTPUT]\n Match *\n Name forward\n Host {{ .Values.config.output.host }}\n Port 24224\n Shared_Key {{ .Values.config.output.sharedKey }}\n tls {{ ternary \"on\" \"off\" .Values.config.output.tls }}\n Send_options true\n Require_ack_response true\n"` | |
| fluent-bit.config.service | string | `"[SERVICE]\n Flush {{ .Values.config.flushInterval }}\n Daemon Off\n Log_Level {{ .Values.config.logLevel }}\n Parsers_File parsers.conf\n Parsers_File custom_parsers.conf\n HTTP_Server On\n HTTP_Listen 0.0.0.0\n HTTP_Port {{ .Values.service.port }}\n"` | |
| fluent-bit.daemonSetVolumeMounts[0].mountPath | string | `"/var/log"` | |
| fluent-bit.daemonSetVolumeMounts[0].name | string | `"varlog"` | |
| fluent-bit.daemonSetVolumeMounts[1].mountPath | string | `"/etc/machine-id"` | |
| fluent-bit.daemonSetVolumeMounts[1].name | string | `"etcmachineid"` | |
| fluent-bit.daemonSetVolumeMounts[1].readOnly | bool | `true` | |
| fluent-bit.daemonSetVolumes[0].hostPath.path | string | `"/var/log"` | |
| fluent-bit.daemonSetVolumes[0].name | string | `"varlog"` | |
| fluent-bit.daemonSetVolumes[1].hostPath.path | string | `"/etc/machine-id"` | |
| fluent-bit.daemonSetVolumes[1].hostPath.type | string | `"File"` | |
| fluent-bit.daemonSetVolumes[1].name | string | `"etcmachineid"` | |
| fluent-bit.enabled | bool | `false` | |
| fluent-bit.luaScripts."kubezero.lua" | string | `"local reassemble_state = {}\n\nfunction reassemble_cri_logs(tag, timestamp, record)\n local reassemble_key = tag\n if record.logtag == 'P' then\n reassemble_state[reassemble_key] = reassemble_state[reassemble_key] or \"\" .. record.log\n return -1, 0, 0\n end\n record.log = reassemble_state[reassemble_key] or \"\" .. (record.log or \"\")\n reassemble_state[reassemble_key] = nil\n return 1, timestamp, record\nend\n\nfunction nest_k8s_ns(tag, timestamp, record)\n if not record['kubernetes']['namespace_name'] then\n return 0, 0, 0\n end\n new_record = {}\n for key, val in pairs(record) do\n if key == 'kube' then\n new_record[key] = {}\n new_record[key][record['kubernetes']['namespace_name']] = record[key]\n else\n new_record[key] = record[key]\n end\n end\n return 1, timestamp, new_record\nend\n"` | |
| fluent-bit.resources.limits.memory | string | `"64Mi"` | |
| fluent-bit.resources.requests.cpu | string | `"20m"` | |
| fluent-bit.resources.requests.memory | string | `"16Mi"` | |
| fluent-bit.serviceMonitor.enabled | bool | `true` | |
| fluent-bit.resources.requests.memory | string | `"32Mi"` | |
| fluent-bit.serviceMonitor.enabled | bool | `false` | |
| fluent-bit.serviceMonitor.selector.release | string | `"metrics"` | |
| fluent-bit.tolerations[0].effect | string | `"NoSchedule"` | |
| fluent-bit.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
@ -98,7 +108,7 @@ Kubernetes: `>= 1.16.0`
| fluentd.fileConfigs."00_system.conf" | string | `"<system>\n workers 2\n</system>"` | |
| fluentd.fileConfigs."01_sources.conf" | string | `"<source>\n @type http\n @label @KUBERNETES\n port 9880\n bind 0.0.0.0\n keepalive_timeout 30\n</source>\n\n<source>\n @type forward\n @label @KUBERNETES\n port 24224\n bind 0.0.0.0\n # skip_invalid_event true\n send_keepalive_packet true\n <security>\n self_hostname \"#{ENV['HOSTNAME']}\"\n shared_key {{ .Values.shared_key }}\n </security>\n</source>"` | |
| fluentd.fileConfigs."02_filters.conf" | string | `"<label @KUBERNETES>\n # prevent log feedback loops eg. ES has issues etc.\n # discard logs from our own pods\n <match kube.logging.fluentd>\n @type relabel\n @label @FLUENT_LOG\n </match>\n\n <match **>\n @type relabel\n @label @DISPATCH\n </match>\n</label>"` | |
| fluentd.fileConfigs."04_outputs.conf" | string | `"<label @OUTPUT>\n <match **>\n @id elasticsearch\n @type elasticsearch\n @log_level info\n include_tag_key true\n id_key id\n remove_keys id\n\n # KubeZero pipeline incl. GeoIP etc.\n pipeline fluentd\n\n hosts \"{{ .Values.output.host }}\"\n port 9200\n scheme http\n user elastic\n password \"#{ENV['OUTPUT_PASSWORD']}\"\n\n log_es_400_reason\n logstash_format true\n reconnect_on_error true\n reload_on_failure true\n request_timeout 60s\n suppress_type_name true\n\n <buffer tag>\n @type file_single\n path /var/log/fluentd-buffers/kubernetes.system.buffer\n chunk_limit_size 8MB\n total_limit_size 4GB\n flush_mode interval\n flush_thread_count 2\n flush_interval 10s\n flush_at_shutdown true\n retry_type exponential_backoff\n retry_timeout 300m\n overflow_action drop_oldest_chunk\n disable_chunk_backup true\n </buffer>\n </match>\n</label>"` | |
| fluentd.fileConfigs."04_outputs.conf" | string | `"<label @OUTPUT>\n <match **>\n @id elasticsearch\n @type elasticsearch\n @log_level info\n include_tag_key true\n id_key id\n remove_keys id\n\n # KubeZero pipeline incl. GeoIP etc.\n pipeline fluentd\n\n hosts \"{{ .Values.output.host }}\"\n port 9200\n scheme http\n user elastic\n password \"#{ENV['OUTPUT_PASSWORD']}\"\n\n log_es_400_reason\n logstash_format true\n reconnect_on_error true\n reload_on_failure true\n request_timeout 120s\n suppress_type_name true\n bulk_message_request_threshold 2097152\n\n <buffer tag>\n @type file_single\n path /var/log/fluentd-buffers/kubernetes.system.buffer\n chunk_limit_size 8MB\n total_limit_size 4GB\n flush_mode interval\n flush_thread_count 8\n flush_interval 10s\n flush_at_shutdown true\n retry_type exponential_backoff\n retry_timeout 300m\n overflow_action drop_oldest_chunk\n disable_chunk_backup true\n </buffer>\n </match>\n</label>"` | |
| fluentd.image.repository | string | `"fluent/fluentd-kubernetes-daemonset"` | |
| fluentd.image.tag | string | `"v1.12-debian-elasticsearch7-1"` | |
| fluentd.istio.enabled | bool | `false` | |


@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,20 @@
apiVersion: v2
appVersion: 1.5.0
description: 'A Helm chart for deploying the Elastic Cloud on Kubernetes (ECK) operator: the official Kubernetes operator for orchestrating Elasticsearch, Kibana, APM Server, Enterprise Search, and Beats.'
home: https://github.com/elastic/cloud-on-k8s
icon: https://helm.elastic.co/icons/eck.png
keywords:
- Elasticsearch
- Kibana
- APM Server
- Beats
- Enterprise Search
- Elastic Stack
- Operator
kubeVersion: '>=1.12.0-0'
maintainers:
- email: eck@elastic.co
name: Elastic
name: eck-operator
type: application
version: 1.5.0


@ -0,0 +1,20 @@
# ECK Operator Helm Chart
[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/elastic)](https://artifacthub.io/packages/helm/elastic/eck-operator)
A Helm chart to install the ECK Operator: the official Kubernetes operator from Elastic to orchestrate Elasticsearch, Kibana, APM Server, Enterprise Search, and Beats on Kubernetes.
For more information about the ECK Operator, see:
- [Documentation](https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html)
- [GitHub repo](https://github.com/elastic/cloud-on-k8s)
## Requirements
- Supported Kubernetes versions are listed in the documentation: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s_supported_versions.html
- Helm >= 3.0.0
## Usage
Refer to the documentation at https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html



@ -0,0 +1,6 @@
managedNamespaces: []
createClusterScopedResources: true
webhook:
enabled: true


@ -0,0 +1,11 @@
managedNamespaces: []
createClusterScopedResources: true
webhook:
enabled: true
podAnnotations:
sidecar.istio.io/inject: "true"
traffic.sidecar.istio.io/includeInboundPorts: "*"
traffic.sidecar.istio.io/excludeInboundPorts: "9443"


@ -0,0 +1,12 @@
managedNamespaces: ["elastic-system"]
createClusterScopedResources: false
config:
# no RBAC access to cluster-wide storage classes, hence disable storage class validation
validateStorageClass: false
installCRDs: false
webhook:
enabled: false


@ -0,0 +1,18 @@
managedNamespaces: ["team-a", "team-b"]
createClusterScopedResources: true
refs:
enforceRBAC: true
webhook:
enabled: true
namespaceSelector:
matchExpressions:
- key: "eck.k8s.elastic.co/tenant"
operator: In
values: ["team-a", "team-b"]
softMultiTenancy:
enabled: true


@ -0,0 +1,2 @@
1. Inspect the operator logs by running the following command:
kubectl logs -n {{ .Release.Namespace }} sts/{{ .Release.Name }}


@ -0,0 +1,333 @@
{{/*
Expand the name of the chart.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "eck-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "eck-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "eck-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "eck-operator.labels" -}}
{{- include "eck-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
helm.sh/chart: {{ include "eck-operator.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "eck-operator.selectorLabels" -}}
{{- if .Values.internal.manifestGen }}
control-plane: elastic-operator
{{- else }}
app.kubernetes.io/name: {{ include "eck-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "eck-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "eck-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Determine effective Kubernetes version
*/}}
{{- define "eck-operator.effectiveKubeVersion" -}}
{{- if .Values.internal.manifestGen -}}
{{- semver .Values.internal.kubeVersion -}}
{{- else -}}
{{- .Capabilities.KubeVersion.Version -}}
{{- end -}}
{{- end -}}
{{/*
Determine the name for the webhook
*/}}
{{- define "eck-operator.webhookName" -}}
{{- if .Values.internal.manifestGen -}}
elastic-webhook.k8s.elastic.co
{{- else -}}
{{- $name := include "eck-operator.name" . -}}
{{ printf "%s.%s.k8s.elastic.co" $name .Release.Namespace }}
{{- end -}}
{{- end -}}
{{/*
Determine the name for the webhook secret
*/}}
{{- define "eck-operator.webhookSecretName" -}}
{{- if .Values.internal.manifestGen -}}
elastic-webhook-server-cert
{{- else -}}
{{- $name := include "eck-operator.name" . -}}
{{ printf "%s-webhook-cert" $name | trunc 63 }}
{{- end -}}
{{- end -}}
{{/*
Determine the name for the webhook service
*/}}
{{- define "eck-operator.webhookServiceName" -}}
{{- if .Values.internal.manifestGen -}}
elastic-webhook-server
{{- else -}}
{{- $name := include "eck-operator.name" . -}}
{{ printf "%s-webhook" $name | trunc 63 }}
{{- end -}}
{{- end -}}
{{/*
Add the webhook sideEffects field on supported Kubernetes versions
*/}}
{{- define "eck-operator.webhookSideEffects" -}}
{{- $kubeVersion := (include "eck-operator.effectiveKubeVersion" .) -}}
{{- $kubeVersionSupported := semverCompare ">=1.13.0-0" $kubeVersion -}}
{{- if $kubeVersionSupported }}
sideEffects: "None"
{{- end }}
{{- end }}
{{/*
Use v1 of ValidatingWebhookConfiguration on supported Kubernetes versions
*/}}
{{- define "eck-operator.webhookAPIVersion" -}}
{{- $kubeVersion := (include "eck-operator.effectiveKubeVersion" .) -}}
{{- $kubeVersionSupported := semverCompare ">=1.16.0-0" $kubeVersion -}}
{{- if $kubeVersionSupported -}}
admissionregistration.k8s.io/v1
{{- else -}}
admissionregistration.k8s.io/v1beta1
{{- end -}}
{{- end }}
{{/*
Define admissionReviewVersions based on Kubernetes version
*/}}
{{- define "eck-operator.webhookAdmissionReviewVersions" -}}
{{- $kubeVersion := (include "eck-operator.effectiveKubeVersion" .) -}}
{{- $kubeVersionSupported := semverCompare ">=1.16.0-0" $kubeVersion -}}
{{- if $kubeVersionSupported }}
admissionReviewVersions: [v1beta1]
{{- end }}
{{- end }}
{{/*
Define webhook match policy based on Kubernetes version
*/}}
{{- define "eck-operator.webhookMatchPolicy" -}}
{{- $kubeVersion := (include "eck-operator.effectiveKubeVersion" .) -}}
{{- $kubeVersionSupported := semverCompare ">=1.16.0-0" $kubeVersion -}}
{{- if $kubeVersionSupported }}
matchPolicy: Exact
{{- end }}
{{- end }}
{{/*
RBAC permissions
*/}}
{{- define "eck-operator.rbacRules" -}}
- apiGroups:
- "authorization.k8s.io"
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resources:
- pods
- endpoints
- events
- persistentvolumeclaims
- secrets
- services
- configmaps
- serviceaccounts
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apps
resources:
- deployments
- statefulsets
- daemonsets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- elasticsearch.k8s.elastic.co
resources:
- elasticsearches
- elasticsearches/status
- elasticsearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
- enterpriselicenses
- enterpriselicenses/status
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- kibana.k8s.elastic.co
resources:
- kibanas
- kibanas/status
- kibanas/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apm.k8s.elastic.co
resources:
- apmservers
- apmservers/status
- apmservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- enterprisesearch.k8s.elastic.co
resources:
- enterprisesearches
- enterprisesearches/status
- enterprisesearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- beat.k8s.elastic.co
resources:
- beats
- beats/status
- beats/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- agent.k8s.elastic.co
resources:
- agents
- agents/status
- agents/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- end -}}
{{/*
RBAC permissions on non-namespaced resources
*/}}
{{- define "eck-operator.clusterWideRbacRules" -}}
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- end -}}


@ -0,0 +1,63 @@
{{- if .Values.createClusterScopedResources -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "eck-operator.fullname" . }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
rules:
{{ template "eck-operator.rbacRules" . | toYaml | indent 2 }}
{{ template "eck-operator.clusterWideRbacRules" . | toYaml | indent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: "{{ include "eck-operator.name" . }}-view"
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "eck-operator.labels" . | nindent 4 }}
rules:
- apiGroups: ["elasticsearch.k8s.elastic.co"]
resources: ["elasticsearches"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apm.k8s.elastic.co"]
resources: ["apmservers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["kibana.k8s.elastic.co"]
resources: ["kibanas"]
verbs: ["get", "list", "watch"]
- apiGroups: ["enterprisesearch.k8s.elastic.co"]
resources: ["enterprisesearches"]
verbs: ["get", "list", "watch"]
- apiGroups: ["beat.k8s.elastic.co"]
resources: ["beats"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: "{{ include "eck-operator.name" . }}-edit"
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "eck-operator.labels" . | nindent 4 }}
rules:
- apiGroups: ["elasticsearch.k8s.elastic.co"]
resources: ["elasticsearches"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["apm.k8s.elastic.co"]
resources: ["apmservers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["kibana.k8s.elastic.co"]
resources: ["kibanas"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["enterprisesearch.k8s.elastic.co"]
resources: ["enterprisesearches"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["beat.k8s.elastic.co"]
resources: ["beats"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
{{- end -}}


@ -0,0 +1,43 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "eck-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
data:
eck.yaml: |-
log-verbosity: {{ int .Values.config.logVerbosity }}
metrics-port: {{ int .Values.config.metricsPort }}
container-registry: {{ .Values.config.containerRegistry }}
max-concurrent-reconciles: {{ int .Values.config.maxConcurrentReconciles }}
ca-cert-validity: {{ .Values.config.caValidity }}
ca-cert-rotate-before: {{ .Values.config.caRotateBefore }}
cert-validity: {{ .Values.config.certificatesValidity }}
cert-rotate-before: {{ .Values.config.certificatesRotateBefore }}
set-default-security-context: {{ .Values.config.setDefaultSecurityContext }}
kube-client-timeout: {{ .Values.config.kubeClientTimeout }}
elasticsearch-client-timeout: {{ .Values.config.elasticsearchClientTimeout }}
disable-telemetry: {{ .Values.telemetry.disabled }}
{{- if .Values.telemetry.interval }}
telemetry-interval: {{ .Values.telemetry.interval }}
{{- end }}
validate-storage-class: {{ .Values.config.validateStorageClass }}
{{- if .Values.tracing.enabled }}
enable-tracing: true
{{- end }}
{{- if .Values.refs.enforceRBAC }}
enforce-rbac-on-refs: true
{{- end }}
enable-webhook: {{ .Values.webhook.enabled }}
{{- if .Values.webhook.enabled }}
webhook-name: {{ include "eck-operator.webhookName" . }}
{{- if not .Values.webhook.manageCerts }}
manage-webhook-certs: false
webhook-cert-dir: {{ .Values.webhook.certsDir }}
{{- end }}
{{- end }}
{{- if .Values.managedNamespaces }}
namespaces: [{{ join "," .Values.managedNamespaces }}]
{{- end }}


@ -0,0 +1,13 @@
{{- if .Values.softMultiTenancy.enabled -}}
{{- range .Values.managedNamespaces }}
{{- $namespace := . }}
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
eck.k8s.elastic.co/tenant: {{ $namespace }}
{{- end -}}
{{- end -}}


@ -0,0 +1,228 @@
{{- if .Values.softMultiTenancy.enabled -}}
{{- $fullName := include "eck-operator.fullname" . -}}
{{- $name := include "eck-operator.name" . -}}
{{- range .Values.managedNamespaces -}}
{{- $namespace := . }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-elasticsearch"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
egress:
# Transport port
- ports:
- port: 9300
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
ingress:
# HTTP Port
- ports:
- port: 9200
from:
# Operator
- namespaceSelector:
matchLabels:
name: "{{ $.Release.Namespace }}"
podSelector:
matchLabels:
{{- include "eck-operator.selectorLabels" $ | nindent 14 }}
# Within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
# Transport port
- ports:
- port: 9300
from:
# Within namespace (from other Elasticsearch nodes)
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-kibana"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "kibana"
egress:
# Elasticsearch HTTP port
- ports:
- port: 9200
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
ingress:
# HTTP Port
- ports:
- port: 5601
from:
# Within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-apm-server"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "apm-server"
egress:
# Elasticsearch HTTP port
- ports:
- port: 9200
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# Kibana HTTP port
- ports:
- port: 5601
to:
# Kibana within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "kibana"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
ingress:
# HTTP Port
- ports:
- port: 8200
from:
# Within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-enterprise-search"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "enterprise-search"
egress:
# Elasticsearch HTTP port
- ports:
- port: 9200
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
ingress:
# HTTP Port
- ports:
- port: 3002
from:
# Within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-beats"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "beat"
egress:
# Elasticsearch HTTP port
- ports:
- port: 9200
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# Kibana HTTP port
- ports:
- port: 5601
to:
# Kibana within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "kibana"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
{{- end }}
{{- end -}}


@ -0,0 +1,10 @@
{{- if (and .Values.internal.manifestGen .Values.internal.createOperatorNamespace) -}}
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Release.Namespace }}
labels:
name: {{ .Release.Namespace }}
{{- include "eck-operator.labels" $ | nindent 4 }}
{{- end -}}


@ -0,0 +1,59 @@
{{- if .Values.softMultiTenancy.enabled -}}
{{- $kubeAPIServerIP := (required "kubeAPIServerIP is required" .Values.kubeAPIServerIP) -}}
{{- $metricsPort := int .Values.config.metricsPort -}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "eck-operator.fullname" . }}
namespace: {{ .Release.Namespace}}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "eck-operator.selectorLabels" . | nindent 6 }}
egress:
# DNS
- ports:
- port: 53
protocol: UDP
to: []
# API server
- ports:
- port: 443
to:
- ipBlock:
cidr: "{{ $kubeAPIServerIP }}/32"
# Elasticsearch
- ports:
- port: 9200
to:
- namespaceSelector:
matchExpressions:
- key: "eck.k8s.elastic.co/tenant"
operator: In
values:
{{- range .Values.managedNamespaces }}
- {{ . }}
{{- end }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
{{- if or .Values.webhook.enabled (gt $metricsPort 0) }}
ingress:
{{- if .Values.webhook.enabled }}
- ports:
- port: 9443
from:
- ipBlock:
cidr: "{{ $kubeAPIServerIP }}/32"
{{- end }}
{{- if gt $metricsPort 0 }}
# Metrics
- ports:
- port: {{ $metricsPort }}
from: []
{{- end }}
{{- end }}
{{- end -}}


@ -0,0 +1,80 @@
{{- $operatorNSIsManaged := has .Release.Namespace .Values.managedNamespaces -}}
{{- $fullName := include "eck-operator.fullname" . -}}
{{- $svcAccount := include "eck-operator.serviceAccountName" . }}
{{- if not .Values.createClusterScopedResources }}
{{- range .Values.managedNamespaces }}
{{- $namespace := . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ $fullName }}"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
rules:
{{ template "eck-operator.rbacRules" $ | toYaml | indent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ $fullName }}"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ $fullName }}"
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- end }} {{- /* end of range over managed namespaces */}}
{{- /* If createClusterScopedResources is false and operator namespace is not in the managed namespaces list, create additional role binding */}}
{{- if not $operatorNSIsManaged }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $fullName }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
rules:
{{ template "eck-operator.rbacRules" $ | toYaml | indent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ $fullName }}"
namespace: {{ $.Release.Namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ $fullName }}"
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- end }} {{- /* end of operator role binding if operator namespace is not managed */}}
{{- else }} {{- /* we can create cluster-scoped resources so just create a cluster role binding */}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $fullName }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $fullName }}
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- end }}


@ -0,0 +1,14 @@
{{- if .Values.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "eck-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@ -0,0 +1,118 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "eck-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "eck-operator.selectorLabels" . | nindent 6 }}
serviceName: {{ include "eck-operator.fullname" . }}
replicas: {{ .Values.replicaCount }}
template:
metadata:
annotations:
# Rename the fields "error" to "error.message" and "source" to "event.source"
# This is to avoid a conflict with the ECS "error" and "source" documents.
"co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]"
"checksum/config": {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "eck-operator.selectorLabels" . | nindent 8 }}
spec:
terminationGracePeriodSeconds: 10
serviceAccountName: {{ include "eck-operator.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: manager
args:
- "manager"
- "--config=/conf/eck.yaml"
- "--distribution-channel={{ .Values.telemetry.distributionChannel }}"
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.webhook.enabled }}
- name: WEBHOOK_SECRET
value: {{ include "eck-operator.webhookSecretName" . }}
{{- end }}
{{- with .Values.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.tracing.enabled -}}
{{- range $name, $value := .Values.tracing.config }}
- name: {{ $name }}
value: {{ $value }}
{{- end }}
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.webhook.enabled }}
ports:
- containerPort: 9443
name: https-webhook
protocol: TCP
{{- end }}
volumeMounts:
- mountPath: "/conf"
name: conf
readOnly: true
{{- if .Values.webhook.enabled }}
- mountPath: {{ .Values.webhook.certsDir }}
name: cert
readOnly: true
{{- end }}
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: conf
configMap:
name: {{ include "eck-operator.fullname" . }}
{{- if .Values.webhook.enabled }}
- name: cert
secret:
defaultMode: 420
secretName: {{ include "eck-operator.webhookSecretName" . }}
{{- end }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 12 }}
{{- end }}
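Review bot: The tracing env loop emits `value: {{ $value }}` unquoted, so any entry in `.Values.tracing.config` that looks like a number or boolean renders as a YAML int/bool and the API server rejects the pod (env values must be strings); `value: {{ $value | quote }}` avoids that. The container-level security context is only rendered `with .Values.securityContext`, which the vendored values.yaml sets to `{}`, so unless the umbrella chart overrides `eck-operator.securityContext` the manager container runs without `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` or dropped capabilities — pod-level `runAsNonRoot: true` is the only hardening applied. Since this template is pulled verbatim from upstream, the quoting fix belongs upstream or in the update script, while the container securityContext can be supplied from the parent chart's values without touching the vendored file.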


@ -0,0 +1,23 @@
{{- if .Values.softMultiTenancy.enabled -}}
{{- if has .Release.Namespace .Values.managedNamespaces -}}
{{- fail "Operator namespace cannot be in managed namespaces when soft multi-tenancy is enabled" -}}
{{- end -}}
{{- if empty .Values.managedNamespaces -}}
{{- fail "Managed namespaces must be defined when soft multi-tenancy is enabled" -}}
{{- end -}}
{{- if empty .Values.kubeAPIServerIP -}}
{{- fail "Soft multi-tenancy requires kubeAPIServerIP to be defined" -}}
{{- end -}}
{{- end -}}
{{- if (not .Values.createClusterScopedResources) -}}
{{- if .Values.webhook.enabled -}}
{{- fail "Webhook cannot be enabled when cluster-scoped resource creation is disabled" -}}
{{- end -}}
{{- if .Values.config.validateStorageClass -}}
{{- fail "Storage class validation cannot be enabled when cluster-scoped resource creation is disabled" -}}
{{- end -}}
{{- end -}}


@ -0,0 +1,329 @@
{{- if .Values.webhook.enabled -}}
---
apiVersion: {{ include "eck-operator.webhookAPIVersion" $ }}
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "eck-operator.webhookName" . }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
{{- if .Values.webhook.certManagerCert }}
annotations:
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ .Values.webhook.certManagerCert }}"
{{- end }}
webhooks:
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-agent-k8s-elastic-co-v1alpha1-agent
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-agent-validation-v1alpha1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- agent.k8s.elastic.co
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- agents
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-apm-k8s-elastic-co-v1-apmserver
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-apm-validation-v1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- apm.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- apmservers
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-apm-k8s-elastic-co-v1beta1-apmserver
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-apm-validation-v1beta1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- apm.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- apmservers
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-beat-k8s-elastic-co-v1beta1-beat
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-beat-validation-v1beta1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- beat.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- beats
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-enterprisesearch-k8s-elastic-co-v1-enterprisesearch
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-ent-validation-v1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- enterprisesearch.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- enterprisesearches
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-enterprisesearch-k8s-elastic-co-v1beta1-enterprisesearch
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-ent-validation-v1beta1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- enterprisesearch.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- enterprisesearches
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-es-validation-v1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- elasticsearch.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- elasticsearches
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-es-validation-v1beta1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- elasticsearch.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- elasticsearches
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-kibana-k8s-elastic-co-v1-kibana
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-kb-validation-v1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- kibana.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- kibanas
- clientConfig:
caBundle: {{ .Values.webhook.caBundle }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-kibana-k8s-elastic-co-v1beta1-kibana
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-kb-validation-v1beta1.k8s.elastic.co
{{- include "eck-operator.webhookMatchPolicy" $ | indent 2 }}
{{- include "eck-operator.webhookAdmissionReviewVersions" $ | indent 2 }}
{{- include "eck-operator.webhookSideEffects" $ | indent 2 }}
rules:
- apiGroups:
- kibana.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- kibanas
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
spec:
ports:
- name: https
port: 443
targetPort: 9443
selector:
{{- include "eck-operator.selectorLabels" . | nindent 4 }}
{{- if .Values.webhook.manageCerts }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "eck-operator.webhookSecretName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
{{- end }}
{{- end -}}
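Review bot: Every one of the ten validating webhooks here takes `failurePolicy: {{ .Values.webhook.failurePolicy }}`, and the vendored values.yaml defaults that to `Ignore`, so the webhooks fail open: if the operator pod is down or the certificate is not yet injected, invalid Elastic resources are admitted without any error. That is a deliberate upstream trade-off (a `Fail` policy blocks all Elastic resource changes while the operator is unavailable), but it is worth stating in the umbrella chart which policy this deployment relies on, e.g. a values comment such as `# eck-operator.webhook.failurePolicy left at Ignore: validation is best-effort, operator outage does not block Elastic CRs`. All ten entries also share one `caBundle`, `namespaceSelector` and `objectSelector`, so an override in the parent chart applies uniformly; the default `caBundle: Cg==` appears to be a placeholder the operator replaces when `manageCerts` is true, which I have not confirmed from this view.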


@ -0,0 +1,177 @@
# nameOverride is the short name for the deployment. Leave empty to let Helm generate a name using chart values.
nameOverride: "elastic-operator"
# fullnameOverride is the full name for the deployment. Leave empty to let Helm generate a name using chart values.
fullnameOverride: "elastic-operator"
# managedNamespaces is the set of namespaces that the operator manages. Leave empty to manage all namespaces.
managedNamespaces: []
# installCRDs determines whether Custom Resource Definitions (CRD) are installed by the chart.
# Note that CRDs are global resources and require cluster admin privileges to install.
# If you are sharing a cluster with other users who may want to install ECK on their own namespaces, setting this to true can have unintended consequences.
# 1. Upgrades will overwrite the global CRDs and could disrupt the other users of ECK who may be running a different version.
# 2. Uninstalling the chart will delete the CRDs and potentially cause Elastic resources deployed by other users to be removed as well.
installCRDs: true
# replicaCount is the number of operator pods to run.
replicaCount: 1
image:
# repository is the container image prefixed by the registry name.
repository: docker.elastic.co/eck/eck-operator
# pullPolicy is the container image pull policy.
pullPolicy: IfNotPresent
# tag is the container image tag. If not defined, defaults to chart appVersion.
tag: null
# imagePullSecrets defines the secrets to use when pulling the operator container image.
imagePullSecrets: []
# resources define the container resource limits for the operator.
resources:
limits:
cpu: 1
memory: 512Mi
requests:
cpu: 100m
memory: 150Mi
# podAnnotations define the annotations that should be added to the operator pod.
podAnnotations: {}
# podSecurityContext defines the pod security context for the operator pod.
podSecurityContext:
runAsNonRoot: true
# securityContext defines the security context of the operator container.
securityContext: {}
# nodeSelector defines the node selector for the operator pod.
nodeSelector: {}
# tolerations defines the node tolerations for the operator pod.
tolerations: []
# affinity defines the node affinity rules for the operator pod.
affinity: {}
# additional environment variables for the operator container.
env: []
# additional volume mounts for the operator container.
volumeMounts: []
# additional volumes to add to the operator pod.
volumes: []
# createClusterScopedResources determines whether cluster-scoped resources (ClusterRoles, ClusterRoleBindings) should be created.
createClusterScopedResources: true
serviceAccount:
# create specifies whether a service account should be created for the operator.
create: true
# annotations to add to the service account
annotations: {}
# name of the service account to use. If not set and create is true, a name is generated using the fullname template.
name: ""
tracing:
# enabled specifies whether APM tracing is enabled for the operator.
enabled: false
# config is a map of APM Server configuration variables that should be set in the environment.
config:
ELASTIC_APM_SERVER_URL: http://localhost:8200
ELASTIC_APM_SERVER_TIMEOUT: 30s
refs:
# enforceRBAC specifies whether RBAC should be enforced for cross-namespace associations between resources.
enforceRBAC: false
webhook:
# enabled determines whether the webhook is installed.
enabled: true
# caBundle is the PEM-encoded CA trust bundle for the webhook certificate. Only required if manageCerts is false and certManagerCert is null.
caBundle: Cg==
# certManagerCert is the name of the cert-manager certificate to use with the webhook.
certManagerCert: null
# certsDir is the directory to mount the certificates.
certsDir: "/tmp/k8s-webhook-server/serving-certs"
# failurePolicy of the webhook.
failurePolicy: Ignore
# manageCerts determines whether the operator manages the webhook certificates automatically.
manageCerts: true
# namespaceSelector corresponds to the namespaceSelector property of the webhook.
# Setting this restricts the webhook to act only on objects submitted to namespaces that match the selector.
namespaceSelector: {}
# objectSelector corresponds to the objectSelector property of the webhook.
# Setting this restricts the webhook to act only on objects that match the selector.
objectSelector: {}
softMultiTenancy:
# enabled determines whether the operator is installed with soft multi-tenancy extensions.
# This requires network policies to be enabled on the Kubernetes cluster.
enabled: false
# kubeAPIServerIP is required when softMultiTenancy is enabled.
kubeAPIServerIP: null
telemetry:
# disabled determines whether the operator periodically updates ECK telemetry data for Kibana to consume.
disabled: false
# distibutionChannel denotes which distribution channel was used to install the operator.
distributionChannel: "helm"
# config values for the operator.
config:
# logVerbosity defines the logging level. Valid values are as follows:
# -2: Errors only
# -1: Errors and warnings
# 0: Errors, warnings, and information
# number greater than 0: Errors, warnings, information, and debug details.
logVerbosity: "0"
# metricsPort defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
metricsPort: "0"
# containerRegistry to use for pulling Elasticsearch and other application container images.
containerRegistry: docker.elastic.co
# maxConcurrentReconciles is the number of concurrent reconciliation operations to perform per controller.
maxConcurrentReconciles: "3"
# caValidity defines the validity period of the CA certificates generated by the operator.
caValidity: 8760h
# caRotateBefore defines when to rotate a CA certificate that is due to expire.
caRotateBefore: 24h
# certificatesValidity defines the validity period of certificates generated by the operator.
certificatesValidity: 8760h
# certificatesRotateBefore defines when to rotate a certificate that is due to expire.
certificatesRotateBefore: 24h
# setDefaultSecurityContext determines whether a default security context is set on application containers created by the operator.
setDefaultSecurityContext: true
# kubeClientTimeout sets the request timeout for Kubernetes API calls made by the operator.
kubeClientTimeout: 60s
# elasticsearchClientTimeout sets the request timeout for Elasticsearch API calls made by the operator.
elasticsearchClientTimeout: 180s
# validateStorageClass specifies whether storage classes volume expansion support should be verified.
# Can be disabled if cluster-wide storage class RBAC access is not available.
validateStorageClass: true
# Internal use only
internal:
# manifestGen specifies whether the chart is running under manifest generator.
# This is used for tasks specific to generating the all-in-one.yaml file.
manifestGen: false
# createOperatorNamespace defines whether the operator namespace manifest should be generated when in manifestGen mode.
# Usually we do want that to happen (e.g. all-in-one.yaml) but, sometimes we don't (e.g. E2E tests).
createOperatorNamespace: true
# kubeVersion is the effective Kubernetes version we target when generating the all-in-one.yaml.
kubeVersion: 1.12.0
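Review bot: `installCRDs: true` and the comment above it no longer describe how this copy of the chart installs CRDs: the update script in this commit renders the `eck-operator-crds` subchart into `charts/eck-operator/crds/all-crds.yaml` and deletes the `dependencies` stanza from Chart.yaml, so the value appears to be dead and the comment's two claims (upgrades overwrite the CRDs, uninstall deletes them) are now inverted, because Helm 3 applies a `crds/` directory on first install only and neither upgrades nor removes it. Since this file is overwritten on every `helm pull`, the correction belongs in the umbrella chart's README or values rather than here; something like `# installCRDs has no effect in this vendored copy: CRDs ship in crds/ and are installed by Helm 3 on first install only, so ECK upgrades require applying crds/all-crds.yaml by hand` would make the new behaviour explicit. The other defaults that the parent chart should consciously accept or override are `securityContext: {}` (no container hardening) and `webhook.failurePolicy: Ignore` (validation fails open).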


@ -1,8 +1,19 @@
#!/bin/bash
ECK_VERSION=1.5.0
FLUENT_BIT_VERSION=0.15.4
FLUENTD_VERSION=0.2.2
# fix ECK crds handling to adhere to proper helm v3 support which also fixes ArgoCD applyong updates on upgrades
helm repo list | grep elastic -qc || { helm repo add elastic https://helm.elastic.co; helm repo update; }
rm -rf charts/eck-operator && helm pull elastic/eck-operator --untar --untardir charts --version $ECK_VERSION
mkdir charts/eck-operator/crds
helm template charts/eck-operator/charts/eck-operator-crds --name-template logging > charts/eck-operator/crds/all-crds.yaml
rm -rf charts/eck-operator/charts
yq d charts/eck-operator/Chart.yaml dependencies -i
# Fluent Bit
rm -rf charts/fluent-bit
curl -L -s -o - https://github.com/fluent/helm-charts/releases/download/fluent-bit-${FLUENT_BIT_VERSION}/fluent-bit-${FLUENT_BIT_VERSION}.tgz | tar xfz - -C charts
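Review bot: `curl -L -s -o - https://github.com/fluent/helm-charts/releases/download/... | tar xfz - -C charts` fetches and unpacks a release asset with no integrity check and without `--fail`, so a redirect to an error page, a removed release or a replaced tarball is extracted silently into `charts/` and then committed as vendored code; at minimum use `curl -fsSL` so HTTP errors abort the pipeline, and pin the asset checksum before extraction, e.g. `echo "<SHA256-FROM-RELEASE-PAGE>  fluent-bit-${FLUENT_BIT_VERSION}.tgz" | sha256sum -c` on a downloaded file. The same applies to `helm pull elastic/eck-operator`, which could use `--verify` if the repository publishes provenance files (not confirmed here). The CRD step `helm template charts/eck-operator/charts/eck-operator-crds --name-template logging` presumably bakes that release name into the generated CRD labels, and Helm 3 applies `crds/` only on first install, so a comment such as `# Helm 3 never upgrades crds/: apply charts/eck-operator/crds/all-crds.yaml manually when bumping ECK_VERSION` would document the failure mode this commit is fixing. The hunk header announces 19 new lines while fewer are visible, so the script may continue beyond what is shown here.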