feat: version upgrades for opensearch and operators

charts/kubezero-operators/README.md

@@ -1,6 +1,6 @@
 # kubezero-operators
 
-![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Various operators supported by KubeZero
 
@@ -19,7 +19,7 @@ Kubernetes: `>= 1.26.0`
 | Repository | Name | Version |
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://helm.elastic.co | eck-operator | 2.11.1 |
+| https://helm.elastic.co | eck-operator | 2.12.1 |
 | https://opensearch-project.github.io/opensearch-k8s-operator/ | opensearch-operator | 2.5.1 |
 
 ## Values
@@ -34,6 +34,8 @@ Kubernetes: `>= 1.26.0`
 | opensearch-operator.enabled | bool | `false` |  |
 | opensearch-operator.fullnameOverride | string | `"opensearch-operator"` |  |
 | opensearch-operator.kubeRbacProxy.enable | bool | `false` |  |
+| opensearch-operator.manager.extraEnv[0].name | string | `"SKIP_INIT_CONTAINER"` |  |
+| opensearch-operator.manager.extraEnv[0].value | string | `"true"` |  |
 | opensearch-operator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
 | opensearch-operator.tolerations[0].effect | string | `"NoSchedule"` |  |
 | opensearch-operator.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` |  |

charts/kubezero-operators/charts/eck-operator/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.11.1
+appVersion: 2.12.1
 description: Elastic Cloud on Kubernetes (ECK) operator
 home: https://github.com/elastic/cloud-on-k8s
 icon: https://helm.elastic.co/icons/eck.png
@@ -18,4 +18,4 @@ maintainers:
     name: Elastic
 name: eck-operator
 type: application
-version: 2.11.1
+version: 2.12.1

charts/kubezero-operators/charts/eck-operator/templates/_helpers.tpl

@@ -114,6 +114,19 @@ elastic-webhook-server
 {{- end -}}
 {{- end -}}
 
+{{/*
+Determine the metrics port
+*/}}
+{{- define "eck-operator.metrics.port" -}}
+{{- if .Values.config.metrics.port -}}
+{{- .Values.config.metrics.port -}}
+{{- else if .Values.config.metricsPort -}}
+{{- .Values.config.metricsPort -}}
+{{- else -}}
+0
+{{- end -}}
+{{- end -}}
+
 {{/*
 RBAC permissions
 NOTE - any changes made to RBAC permissions below require

charts/kubezero-operators/charts/eck-operator/templates/auth-proxy-service.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.config.metrics.secureMode.enabled }}
+{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ include "eck-operator.name" . }}-metrics-service
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+    helm.sh/chart: {{ include "eck-operator.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: "{{ include "eck-operator.fullname" . }}-metrics"
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - name: https
+    port: {{ $metricsPort }}
+    protocol: TCP
+    targetPort: metrics
+  selector:
+    {{- include "eck-operator.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/kubezero-operators/charts/eck-operator/templates/cluster-roles.yaml

@@ -1,3 +1,6 @@
+{{- if and (not .Values.createClusterScopedResources) (.Values.config.metrics.secureMode.enabled) -}}
+{{ fail "createClusterScopedResources is required to set config.metrics.secureMode.enabled to true" }}
+{{- end }}
 {{- if .Values.createClusterScopedResources -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -93,4 +96,26 @@ rules:
   - apiGroups: ["logstash.k8s.elastic.co"]
     resources: ["logstashes"]
     verbs: ["create", "delete", "deletecollection", "patch", "update"]
+{{- if .Values.config.metrics.secureMode.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "eck-operator.labels" . | nindent 4 }}
+  name: "{{ include "eck-operator.fullname" . }}-proxy-role"
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+{{- end }}
 {{- end -}}

charts/kubezero-operators/charts/eck-operator/templates/configmap.yaml

@@ -8,8 +8,16 @@ metadata:
     {{- include "eck-operator.labels" . | nindent 4 }}
 data:
   eck.yaml: |-
+    {{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
     log-verbosity: {{ int .Values.config.logVerbosity }}
-    metrics-port: {{ int .Values.config.metricsPort }}
+    {{- if and .Values.config.metrics.secureMode.enabled (eq $metricsPort 0) }}
+    {{- fail "config.metrics.port must be greater than 0 when config.metrics.secureMode.enabled is true" }}
+    {{- end }}
+    {{- if .Values.config.metrics.secureMode.enabled }}
+    metrics-port: {{ add $metricsPort 1 }}
+    {{- else }}
+    metrics-port: {{ $metricsPort }}
+    {{- end }}
     container-registry: {{ .Values.config.containerRegistry }}
     {{- with .Values.config.containerSuffix }}
     container-suffix: {{ . }}

charts/kubezero-operators/charts/eck-operator/templates/operator-network-policy.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.softMultiTenancy.enabled -}}
 {{- $kubeAPIServerIP := (required "kubeAPIServerIP is required" .Values.kubeAPIServerIP) -}}
-{{- $metricsPort := int .Values.config.metricsPort -}}
+{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

charts/kubezero-operators/charts/eck-operator/templates/podMonitor.yaml

@@ -1,10 +1,16 @@
-{{- $metricsPort := int .Values.config.metricsPort -}}
+{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
+{{- if and .Values.config.metrics.secureMode.enabled (eq $metricsPort 0) }}
+{{- fail "config.metrics.port must be greater than 0 when config.metrics.secureMode.enabled is true" }}
+{{- end }}
 {{- if and .Values.podMonitor.enabled (gt $metricsPort 0) }}
+{{- if and .Values.podMonitor.enabled .Values.config.metrics.secureMode.enabled }}
+{{- fail "podMonitor and config.metrics.secureMode are mutually exclusive" }}
+{{- end }}
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
   name: {{ include "eck-operator.fullname" . }}
-  namespace: {{ ternary .Values.podMonitor.namespace .Release.Namespace (not (empty .Values.podMonitor.namespace)) }}
+  namespace: {{ ternary .Values.podMonitor.namespace .Release.Namespace (not (and (.Values.podMonitor) (empty .Values.podMonitor.namespace))) }}
   labels: {{- include "eck-operator.labels" . | nindent 4 }}
   {{- with .Values.podMonitor.labels }}
     {{- toYaml . | nindent 4 }}
@@ -33,4 +39,4 @@ spec:
       - {{ .Release.Namespace }}
   selector:
     matchLabels: {{- include "eck-operator.selectorLabels" . | nindent 6 }}
-{{- end }}
+{{- end }}

charts/kubezero-operators/charts/eck-operator/templates/role-bindings.yaml

@@ -1,6 +1,7 @@
 {{- $operatorNSIsManaged := has .Release.Namespace .Values.managedNamespaces -}}
 {{- $fullName := include "eck-operator.fullname" . -}}
 {{- $svcAccount := include "eck-operator.serviceAccountName" . }}
+{{- $enableSecureMetrics := .Values.config.metrics.secureMode.enabled -}}
 
 {{- if not .Values.createClusterScopedResources }}
 {{- range .Values.managedNamespaces }}
@@ -74,7 +75,24 @@ roleRef:
   kind: ClusterRole
   name: {{ $fullName }}
 subjects:
+- kind: ServiceAccount
+  name: {{ $svcAccount }}
+  namespace: {{ $.Release.Namespace }}
+{{- if $enableSecureMetrics }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "eck-operator.labels" $ | nindent 4 }}
+  name: "{{ include "eck-operator.fullname" . }}-proxy-rolebinding"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "{{ include "eck-operator.fullname" . }}-proxy-role"
+subjects:
 - kind: ServiceAccount
   name: {{ $svcAccount }}
   namespace: {{ $.Release.Namespace }}
 {{- end }}
+{{- end }}

charts/kubezero-operators/charts/eck-operator/templates/serviceMonitor.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.config.metrics.secureMode.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "eck-operator.fullname" . }}
+  namespace: {{ ternary .Values.serviceMonitor.namespace .Release.Namespace (not (and (.Values.serviceMonitor) (empty .Values.serviceMonitor.namespace))) }}
+  labels: {{- include "eck-operator.labels" . | nindent 4 }}
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "eck-operator.name" . }}-metrics-service
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+  - port: https
+    path: /metrics
+    scheme: https
+    interval: 30s
+    tlsConfig:
+      insecureSkipVerify: {{ .Values.config.metrics.secureMode.tls.insecureSkipVerify | default false }}
+      {{- if (not .Values.config.metrics.secureMode.tls.insecureSkipVerify) }}
+      {{- with .Values.config.metrics.secureMode.tls.caSecret }}
+      {{- $leading_path := trimSuffix "/" .Values.config.metrics.secureMode.tls.caMountDirectory }}
+      caFile: "{{ $leading_path }}/{{ . }}/ca.crt"
+      {{- end }}
+      serverName: "{{ include "eck-operator.fullname" . }}-metrics.{{ .Release.Namespace }}.svc"
+      {{- end }}
+    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+{{- end }}

charts/kubezero-operators/charts/eck-operator/templates/statefulset.yaml

@@ -1,5 +1,5 @@
-{{- $metricsPort := int .Values.config.metricsPort -}}
 ---
+{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -43,7 +43,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
-        - image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
+        - image: "{{ .Values.image.repository }}{{- if .Values.config.ubiOnly -}}-ubi{{- end -}}:{{ default .Chart.AppVersion .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           name: manager
           args:
@@ -79,10 +79,10 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- if or (gt $metricsPort 0) .Values.webhook.enabled }}
+          {{- if or .Values.webhook.enabled (gt $metricsPort 0) }}
           ports:
-            {{- if (gt $metricsPort 0) }}
+            {{- if and (gt $metricsPort 0) (not .Values.config.metrics.secureMode.enabled) }}
-            - containerPort: {{ .Values.config.metricsPort }}
+            - containerPort: {{ $metricsPort }}
               name: metrics
               protocol: TCP
             {{- end }}
@@ -104,6 +104,41 @@ spec:
             {{- with .Values.volumeMounts }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
+        {{- if .Values.config.metrics.secureMode.enabled }}
+        - name: kube-rbac-proxy
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+          args:
+          - "--secure-listen-address=0.0.0.0:{{ $metricsPort }}"
+          - "--upstream=http://127.0.0.1:{{ add $metricsPort 1 }}/"
+          - "--logtostderr=true"
+          - "--v=0"
+          {{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
+          - "--tls-cert-file=/tls/tls.crt"
+          - "--tls-private-key-file=/tls/tls.key"
+          {{- end }}
+          {{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
+          volumeMounts:
+          - mountPath: "/tls"
+            name: tls-certificate
+            readOnly: true
+          {{- end }}
+          ports:
+          - containerPort: {{ $metricsPort }}
+            protocol: TCP
+            name: metrics
+          resources:
+            limits:
+              cpu: 500m
+              memory: 128Mi
+            requests:
+              cpu: 5m
+              memory: 64Mi
+        {{- end }}
       volumes:
         - name: conf
           configMap:
@@ -114,6 +149,12 @@ spec:
             defaultMode: 420
             secretName: {{ include "eck-operator.webhookSecretName" . }}
         {{- end }}
+        {{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
+        - name: tls-certificate
+          secret:
+            defaultMode: 420
+            secretName: {{ .Values.config.metrics.secureMode.tls.certificateSecret  }}
+        {{- end }}
         {{- with .Values.volumes }}
           {{- toYaml . | nindent 8 }}
         {{- end }}

charts/kubezero-operators/charts/eck-operator/values.yaml

@@ -159,8 +159,67 @@ config:
   #  number greater than 0: Errors, warnings, information, and debug details.
   logVerbosity: "0"
 
-  # metricsPort defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
+  # (Deprecated: use metrics.port: will be removed in v2.14.0) metricsPort defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
-  metricsPort: "0"
+  metricsPort: 0
+
+  metrics:
+    # port defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
+    port: "0"
+    # secureMode contains the options for enabling and configuring RBAC and TLS/HTTPs for the metrics endpoint.
+    secureMode:
+      # secureMode.enabled specifies whether to enable RBAC and TLS/HTTPs for the metrics endpoint. (Will be enabled by default in v2.14.0)
+      # * This option requires using a ServiceMonitor to scrape the metrics and as such is mutually exclusive with the podMonitor.enabled option.
+      # * This option also requires using cluster scoped resources (ClusterRole, ClusterRoleBinding) to
+      #   grant access to the /metrics endpoint. (createClusterScopedResources: true is required)
+      #
+      # This option requires the following settings within Prometheus to function:
+      # 1. RBAC settings for the Prometheus instance to access the metrics endpoint.
+      #
+      # - nonResourceURLs:
+      #   - /metrics
+      #   verbs:
+      #   - get
+      #
+      # 2. If using the Prometheus Operator and your Prometheus instance is not in the same namespace as the operator you will need
+      #    the Prometheus Operator configured with the following Helm values:
+      #
+      #   prometheus:
+      #     prometheusSpec:
+      #       serviceMonitorNamespaceSelector: {}
+      #       serviceMonitorSelectorNilUsesHelmValues: false
+      enabled: false
+      tls:
+        # certificateSecret is the name of the tls secret containing the custom TLS certificate and key for the secure metrics endpoint.
+        #
+        # * This is an optional setting and is only required if you are using a custom TLS certificate. A self-signed certificate will be generated by default.
+        # * TLS secret key must be named tls.crt.
+        # * TLS key's secret key must be named tls.key.
+        # * It is assumed to be in the same namespace as the ServiceMonitor.
+        #
+        # example: kubectl create secret tls eck-metrics-tls-certificate -n elastic-system \
+        #            --cert=/path/to/tls.crt --key=/path/to/tls.key
+        certificateSecret: ""
+        # caSecret is the name of the secret containing the custom CA certificate used to generate the custom TLS certificate for the secure metrics endpoint.
+        #
+        # * This *must* be the name of the secret containing the CA certificate used to sign the custom TLS certificate.
+        # * This secret *must* be in the same namespace as the Prometheus instance that will scrape the metrics.
+        # * If using the Prometheus operator this secret must be within the `spec.secrets` field of the `Prometheus` custom resource such that it is mounted into the Prometheus pod at `caMountDirectory`, which defaults to /etc/prometheus/secrets/{secret-name}.
+        # * This is an optional setting and is only required if you are using a custom TLS certificate.
+        # * Key must be named ca.crt.
+        #
+        # example: kubectl create secret generic eck-metrics-tls-ca -n monitoring \
+        #            --from-file=ca.crt=/path/to/ca.pem
+        caSecret: ""
+        # caMountDirectory is the directory at which the CA certificate is mounted within the Prometheus pod.
+        #
+        # * You should only need to adjust this if you are *not* using the Prometheus operator.
+        caMountDirectory: "/etc/prometheus/secrets/"
+        # insecureSkipVerify specifies whether to skip verification of the TLS certificate for the secure metrics endpoint.
+        #
+        # * If this setting is set to false, then the following settings are required:
+        #   - certificateSecret
+        #   - caSecret
+        insecureSkipVerify: true
 
   # containerRegistry to use for pulling Elasticsearch and other application container images.
   containerRegistry: docker.elastic.co
@@ -223,7 +282,7 @@ config:
   # Interval between observations of Elasticsearch health, non-positive values disable asynchronous observation.
   elasticsearchObservationInterval: 10s
 
-  # ubiOnly specifies whether the operator will use only UBI container images to deploy Elastic Stack applications. UBI images are only available from 7.10.0 onward.
+  # ubiOnly specifies whether the operator will use only UBI container images to deploy Elastic Stack applications as well as for its own StatefulSet image. UBI images are only available from 7.10.0 onward.
   # Cannot be combined with the containerSuffix value.
   ubiOnly: false
 
@@ -232,7 +291,7 @@ config:
 podMonitor:
 
   # enabled determines whether a podMonitor should deployed to scrape the eck metrics.
-  # This requires the prometheus operator and the config.metricsPort not to be 0
+  # This requires the prometheus operator and the config.metrics.port not to be 0
   enabled: false
 
   # labels adds additional labels to the podMonitor
@@ -258,6 +317,15 @@ podMonitor:
   podMetricsEndpointConfig: {}
   # honorTimestamps: true
 
+# Prometheus ServiceMonitor configuration
+# Only used when config.enableSecureMetrics is true
+# Reference: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#servicemonitor
+serviceMonitor: {}
+
+  # namespace determines in which namespace the serviceMonitor will be deployed.
+  # If not set the serviceMonitor will be created in the namespace where the Helm release is installed into
+  # namespace: monitoring
+
 # Globals meant for internal use only
 global:
   # manifestGen specifies whether the chart is running under manifest generator.

charts/kubezero-telemetry/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-telemetry
 description: KubeZero Umbrella Chart for OpenTelemetry, Jaeger etc.
 type: application
-version: 0.1.3
+version: 0.2.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -18,7 +18,7 @@ dependencies:
     version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: opentelemetry-collector
-    version: 0.80.1
+    version: 0.86.0
     repository: https://open-telemetry.github.io/opentelemetry-helm-charts
     condition: opentelemetry-collector.enabled
   - name: jaeger

charts/kubezero-telemetry/values.yaml

@@ -49,11 +49,11 @@ jaeger:
     url: jaeger.example.com
 
 opensearch:
-  version: 2.11.1
+  version: 2.12.0
   prometheus: false
 
   nodeSets: []
-  #- name: default-nodes 
+  #- name: default-nodes
   #  replicas: 2
   #  storage:
   #    size: 16Gi

charts/kubezero/values.yaml

@@ -85,12 +85,12 @@ falco:
 telemetry:
   enabled: false
   namespace: telemetry
-  targetRevision: 0.1.0
+  targetRevision: 0.2.0
 
 operators:
   enabled: false
   namespace: operators
-  targetRevision: 0.1.0
+  targetRevision: 0.1.2
 
 metrics:
   enabled: false