feat: WIP telemetry pipeline now incl. fluent-bit and otel

charts/kubezero-operators/README.md

@@ -1,6 +1,6 @@
 # kubezero-operators
 
-![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Various operators supported by KubeZero
 
@@ -19,8 +19,8 @@ Kubernetes: `>= 1.26.0`
 | Repository | Name | Version |
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://helm.elastic.co | eck-operator | 2.12.1 |
+| https://helm.elastic.co | eck-operator | 2.13.0 |
-| https://opensearch-project.github.io/opensearch-k8s-operator/ | opensearch-operator | 2.6.0 |
+| https://opensearch-project.github.io/opensearch-k8s-operator/ | opensearch-operator | 2.6.1 |
 
 ## Values
 

charts/kubezero-operators/charts/eck-operator/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.12.1
+appVersion: 2.13.0
 description: Elastic Cloud on Kubernetes (ECK) operator
 home: https://github.com/elastic/cloud-on-k8s
 icon: https://helm.elastic.co/icons/eck.png
@@ -18,4 +18,4 @@ maintainers:
     name: Elastic
 name: eck-operator
 type: application
-version: 2.12.1
+version: 2.13.0

charts/kubezero-operators/charts/eck-operator/crds/all-crds.yaml

@@ -5,12 +5,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: agents.agent.k8s.elastic.co
 spec:
   group: agent.k8s.elastic.co
@@ -245,7 +246,8 @@ spec:
                         - `url`: the URL to reach the Elastic resource
                         - `username`: the username of the user to be authenticated to the Elastic resource
                         - `password`: the password of the user to be authenticated to the Elastic resource
-                        - `ca.crt`: the CA certificate in PEM format (optional).
+                        - `ca.crt`: the CA certificate in PEM format (optional)
+                        - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                         This field cannot be used in combination with the other fields name, namespace or serviceName.
                       type: string
                     serviceName:
@@ -280,7 +282,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -725,7 +728,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -1132,12 +1136,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: apmservers.apm.k8s.elastic.co
 spec:
   group: apm.k8s.elastic.co
@@ -1219,7 +1224,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -1663,7 +1669,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -2352,12 +2359,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: beats.beat.k8s.elastic.co
 spec:
   group: beat.k8s.elastic.co
@@ -2592,7 +2600,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -2626,7 +2635,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -2670,7 +2680,8 @@ spec:
                                 - `url`: the URL to reach the Elastic resource
                                 - `username`: the username of the user to be authenticated to the Elastic resource
                                 - `password`: the password of the user to be authenticated to the Elastic resource
-                                - `ca.crt`: the CA certificate in PEM format (optional).
+                                - `ca.crt`: the CA certificate in PEM format (optional)
+                                - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                                 This field cannot be used in combination with the other fields name, namespace or serviceName.
                               type: string
                             serviceName:
@@ -2710,7 +2721,8 @@ spec:
                                 - `url`: the URL to reach the Elastic resource
                                 - `username`: the username of the user to be authenticated to the Elastic resource
                                 - `password`: the password of the user to be authenticated to the Elastic resource
-                                - `ca.crt`: the CA certificate in PEM format (optional).
+                                - `ca.crt`: the CA certificate in PEM format (optional)
+                                - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                                 This field cannot be used in combination with the other fields name, namespace or serviceName.
                               type: string
                             serviceName:
@@ -2836,12 +2848,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: elasticmapsservers.maps.k8s.elastic.co
 spec:
   group: maps.k8s.elastic.co
@@ -2935,7 +2948,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -3433,12 +3447,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: elasticsearchautoscalers.autoscaling.k8s.elastic.co
 spec:
   group: autoscaling.k8s.elastic.co
@@ -3790,12 +3805,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: elasticsearches.elasticsearch.k8s.elastic.co
 spec:
   group: elasticsearch.k8s.elastic.co
@@ -3859,6 +3875,10 @@ spec:
                 description: Auth contains user authentication and authorization security
                   settings for Elasticsearch.
                 properties:
+                  disableElasticUser:
+                    description: DisableElasticUser disables the default elastic user
+                      that is created by ECK.
+                    type: boolean
                   fileRealm:
                     description: FileRealm to propagate to the Elasticsearch cluster.
                     items:
@@ -4330,7 +4350,8 @@ spec:
                                 - `url`: the URL to reach the Elastic resource
                                 - `username`: the username of the user to be authenticated to the Elastic resource
                                 - `password`: the password of the user to be authenticated to the Elastic resource
-                                - `ca.crt`: the CA certificate in PEM format (optional).
+                                - `ca.crt`: the CA certificate in PEM format (optional)
+                                - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                                 This field cannot be used in combination with the other fields name, namespace or serviceName.
                               type: string
                             serviceName:
@@ -4370,7 +4391,8 @@ spec:
                                 - `url`: the URL to reach the Elastic resource
                                 - `username`: the username of the user to be authenticated to the Elastic resource
                                 - `password`: the password of the user to be authenticated to the Elastic resource
-                                - `ca.crt`: the CA certificate in PEM format (optional).
+                                - `ca.crt`: the CA certificate in PEM format (optional)
+                                - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                                 This field cannot be used in combination with the other fields name, namespace or serviceName.
                               type: string
                             serviceName:
@@ -6500,12 +6522,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: enterprisesearches.enterprisesearch.k8s.elastic.co
 spec:
   group: enterprisesearch.k8s.elastic.co
@@ -6598,7 +6621,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -7170,7 +7194,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -7654,12 +7679,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: kibanas.kibana.k8s.elastic.co
 spec:
   group: kibana.k8s.elastic.co
@@ -7741,7 +7767,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -7771,7 +7798,8 @@ spec:
                       - `url`: the URL to reach the Elastic resource
                       - `username`: the username of the user to be authenticated to the Elastic resource
                       - `password`: the password of the user to be authenticated to the Elastic resource
-                      - `ca.crt`: the CA certificate in PEM format (optional).
+                      - `ca.crt`: the CA certificate in PEM format (optional)
+                      - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                       This field cannot be used in combination with the other fields name, namespace or serviceName.
                     type: string
                   serviceName:
@@ -8229,7 +8257,8 @@ spec:
                                 - `url`: the URL to reach the Elastic resource
                                 - `username`: the username of the user to be authenticated to the Elastic resource
                                 - `password`: the password of the user to be authenticated to the Elastic resource
-                                - `ca.crt`: the CA certificate in PEM format (optional).
+                                - `ca.crt`: the CA certificate in PEM format (optional)
+                                - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                                 This field cannot be used in combination with the other fields name, namespace or serviceName.
                               type: string
                             serviceName:
@@ -8269,7 +8298,8 @@ spec:
                                 - `url`: the URL to reach the Elastic resource
                                 - `username`: the username of the user to be authenticated to the Elastic resource
                                 - `password`: the password of the user to be authenticated to the Elastic resource
-                                - `ca.crt`: the CA certificate in PEM format (optional).
+                                - `ca.crt`: the CA certificate in PEM format (optional)
+                                - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                                 This field cannot be used in combination with the other fields name, namespace or serviceName.
                               type: string
                             serviceName:
@@ -8952,12 +8982,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: logstashes.logstash.k8s.elastic.co
 spec:
   group: logstash.k8s.elastic.co
@@ -9063,7 +9094,8 @@ spec:
                         - `url`: the URL to reach the Elastic resource
                         - `username`: the username of the user to be authenticated to the Elastic resource
                         - `password`: the password of the user to be authenticated to the Elastic resource
-                        - `ca.crt`: the CA certificate in PEM format (optional).
+                        - `ca.crt`: the CA certificate in PEM format (optional)
+                        - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                         This field cannot be used in combination with the other fields name, namespace or serviceName.
                       type: string
                     serviceName:
@@ -9112,7 +9144,8 @@ spec:
                                 - `url`: the URL to reach the Elastic resource
                                 - `username`: the username of the user to be authenticated to the Elastic resource
                                 - `password`: the password of the user to be authenticated to the Elastic resource
-                                - `ca.crt`: the CA certificate in PEM format (optional).
+                                - `ca.crt`: the CA certificate in PEM format (optional)
+                                - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                                 This field cannot be used in combination with the other fields name, namespace or serviceName.
                               type: string
                             serviceName:
@@ -9152,7 +9185,8 @@ spec:
                                 - `url`: the URL to reach the Elastic resource
                                 - `username`: the username of the user to be authenticated to the Elastic resource
                                 - `password`: the password of the user to be authenticated to the Elastic resource
-                                - `ca.crt`: the CA certificate in PEM format (optional).
+                                - `ca.crt`: the CA certificate in PEM format (optional)
+                                - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec)
                                 This field cannot be used in combination with the other fields name, namespace or serviceName.
                               type: string
                             serviceName:
@@ -10172,12 +10206,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'logging'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.12.1'
+    app.kubernetes.io/version: '2.13.0'
-    helm.sh/chart: 'eck-operator-crds-2.12.1'
+    helm.sh/chart: 'eck-operator-crds-2.13.0'
   name: stackconfigpolicies.stackconfigpolicy.k8s.elastic.co
 spec:
   group: stackconfigpolicy.k8s.elastic.co

charts/kubezero-operators/charts/eck-operator/profile-disable-automounting-api.yaml

@@ -0,0 +1,29 @@
+automountServiceAccountToken: false
+
+serviceAccount:
+  automountServiceAccountToken: false
+
+volumeMounts:
+- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+  name: serviceaccount-token
+  readOnly: true
+
+volumes:
+- name: serviceaccount-token
+  projected:
+    defaultMode: 0444
+    sources:
+    - serviceAccountToken:
+        expirationSeconds: 3607
+        path: token
+    - configMap:
+        name: kube-root-ca.crt
+        items:
+        - key: ca.crt
+          path: ca.crt
+    - downwardAPI:
+        items:
+        - path: namespace
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace

charts/kubezero-operators/charts/eck-operator/templates/_helpers.tpl

@@ -96,6 +96,8 @@ Determine the name for the webhook secret
 {{- define "eck-operator.webhookSecretName" -}}
 {{- if .Values.global.manifestGen -}}
 elastic-webhook-server-cert
+{{- else if .Values.webhook.certsSecret -}}
+{{- .Values.webhook.certsSecret }}
 {{- else -}}
 {{- $name := include "eck-operator.name" . -}}
 {{ printf "%s-webhook-cert" $name | trunc 63 }}

charts/kubezero-operators/charts/eck-operator/templates/configmap.yaml

@@ -79,6 +79,6 @@ data:
     {{- if not .Values.config.containerSuffix }}
     ubi-only: {{ .Values.config.ubiOnly }}
     {{- end }}
-    {{- with .Values.webhook.secret }}
+    {{- with .Values.webhook.certsSecret }}
     webhook-secret: {{ . }}
     {{- end }}

charts/kubezero-operators/charts/eck-operator/templates/service-account.yaml

@@ -2,6 +2,7 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ include "eck-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}

charts/kubezero-operators/charts/eck-operator/templates/statefulset.yaml

@@ -5,8 +5,15 @@ kind: StatefulSet
 metadata:
   name: {{ include "eck-operator.fullname" . }}
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.statefulsetAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     {{- include "eck-operator.labels" . | nindent 4 }}
+    {{- with .Values.statefulsetLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   selector:
     matchLabels:
@@ -31,6 +38,7 @@ spec:
     spec:
       terminationGracePeriodSeconds: 10
       serviceAccountName: {{ include "eck-operator.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- with .Values.priorityClassName }}
       priorityClassName: {{ . }}
       {{- end }}
@@ -121,11 +129,16 @@ spec:
           - "--tls-cert-file=/tls/tls.crt"
           - "--tls-private-key-file=/tls/tls.key"
           {{- end }}
-          {{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
+          {{- if or .Values.config.metrics.secureMode.tls.certificateSecret .Values.config.metrics.secureMode.volumeMounts }}
           volumeMounts:
-          - mountPath: "/tls"
+            {{- with .Values.config.metrics.secureMode.volumeMounts }}
-            name: tls-certificate
+              {{- toYaml . | nindent 12 }}
-            readOnly: true
+            {{- end }}
+            {{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
+            - mountPath: "/tls"
+              name: tls-certificate
+              readOnly: true
+            {{- end }}
           {{- end }}
           ports:
           - containerPort: {{ $metricsPort }}

charts/kubezero-operators/charts/eck-operator/values.yaml

@@ -40,6 +40,12 @@ resources:
     cpu: 100m
     memory: 150Mi
 
+# statefulsetAnnotations define the annotations that should be added to the operator StatefulSet.
+statefulsetAnnotations: {}
+
+# statefulsetLabels define additional labels that should be added to the operator StatefulSet.
+statefulsetLabels: {}
+
 # podAnnotations define the annotations that should be added to the operator pod.
 podAnnotations: {}
 
@@ -87,9 +93,14 @@ volumes: []
 # createClusterScopedResources determines whether cluster-scoped resources (ClusterRoles, ClusterRoleBindings) should be created.
 createClusterScopedResources: true
 
+# Automount API credentials for the Service Account into the pod.
+automountServiceAccountToken: true
+
 serviceAccount:
   # create specifies whether a service account should be created for the operator.
   create: true
+  # Specifies whether a service account should automount API credentials.
+  automountServiceAccountToken: true
   # annotations to add to the service account
   annotations: {}
   # name of the service account to use. If not set and create is true, a name is generated using the fullname template.
@@ -129,7 +140,7 @@ webhook:
   # port is the port that the validating webhook binds to.
   port: 9443
   # secret specifies the Kubernetes secret to be mounted into the path designated by the certsDir value to be used for webhook certificates.
-  secret: ""
+  certsSecret: ""
 
 # hostNetwork allows a Pod to use the Node network namespace.
 # This is required to allow for communication with the kube API when using some alternate CNIs in conjunction with webhook enabled.
@@ -188,6 +199,8 @@ config:
       #       serviceMonitorNamespaceSelector: {}
       #       serviceMonitorSelectorNilUsesHelmValues: false
       enabled: false
+      # additional volume mounts for the kube-rbac-proxy container.
+      volumeMounts: []
       tls:
         # certificateSecret is the name of the tls secret containing the custom TLS certificate and key for the secure metrics endpoint.
         #

charts/kubezero-telemetry/README.md

@@ -1,6 +1,6 @@
 # kubezero-telemetry
 
-![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero Umbrella Chart for OpenTelemetry, Jaeger etc.
 
@@ -19,10 +19,10 @@ Kubernetes: `>= 1.26.0`
 | Repository | Name | Version |
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://fluent.github.io/helm-charts | fluent-bit | 0.46.2 |
+| https://fluent.github.io/helm-charts | fluent-bit | 0.47.1 |
 | https://fluent.github.io/helm-charts | fluentd | 0.5.2 |
-| https://jaegertracing.github.io/helm-charts | jaeger | 3.0.8 |
+| https://jaegertracing.github.io/helm-charts | jaeger | 3.1.1 |
-| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.92.0 |
+| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.97.1 |
 
 ## Values
 
@@ -100,6 +100,7 @@ Kubernetes: `>= 1.26.0`
 | fluentd.volumes[0].secret.items[0].path | string | `"ca.crt"` |  |
 | fluentd.volumes[0].secret.secretName | string | `"telemetry-nodes-http-tls"` |  |
 | jaeger.agent.enabled | bool | `false` |  |
+| jaeger.collector.enabled | bool | `false` |  |
 | jaeger.collector.extraEnv[0].name | string | `"ES_TAGS_AS_FIELDS_ALL"` |  |
 | jaeger.collector.extraEnv[0].value | string | `"true"` |  |
 | jaeger.collector.service.otlp.grpc.name | string | `"otlp-grpc"` |  |
@@ -128,9 +129,41 @@ Kubernetes: `>= 1.26.0`
 | opensearch.dashboard.istio.url | string | `"telemetry-dashboard.example.com"` |  |
 | opensearch.nodeSets | list | `[]` |  |
 | opensearch.prometheus | bool | `false` |  |
-| opensearch.version | string | `"2.14.0"` |  |
+| opensearch.version | string | `"2.15.0"` |  |
+| opentelemetry-collector.config.exporters.opensearch/trace.http.auth.authenticator | string | `"basicauth/client"` |  |
+| opentelemetry-collector.config.exporters.opensearch/trace.http.endpoint | string | `"https://telemetry:9200"` |  |
+| opentelemetry-collector.config.exporters.opensearch/trace.http.tls.insecure | bool | `false` |  |
+| opentelemetry-collector.config.exporters.opensearch/trace.http.tls.insecure_skip_verify | bool | `true` |  |
+| opentelemetry-collector.config.extensions.basicauth/client.client_auth.password | string | `"admin"` |  |
+| opentelemetry-collector.config.extensions.basicauth/client.client_auth.username | string | `"admin"` |  |
+| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"${env:MY_POD_IP}:13133"` |  |
+| opentelemetry-collector.config.extensions.memory_ballast | object | `{}` |  |
+| opentelemetry-collector.config.processors.batch | object | `{}` |  |
+| opentelemetry-collector.config.processors.memory_limiter | string | `nil` |  |
+| opentelemetry-collector.config.receivers.jaeger | string | `nil` |  |
+| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` |  |
+| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` |  |
+| opentelemetry-collector.config.receivers.zipkin | string | `nil` |  |
+| opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` |  |
+| opentelemetry-collector.config.service.extensions[1] | string | `"memory_ballast"` |  |
+| opentelemetry-collector.config.service.extensions[2] | string | `"basicauth/client"` |  |
+| opentelemetry-collector.config.service.pipelines.logs | string | `nil` |  |
+| opentelemetry-collector.config.service.pipelines.metrics | string | `nil` |  |
+| opentelemetry-collector.config.service.pipelines.traces.exporters[0] | string | `"opensearch/trace"` |  |
+| opentelemetry-collector.config.service.pipelines.traces.processors[0] | string | `"memory_limiter"` |  |
+| opentelemetry-collector.config.service.pipelines.traces.processors[1] | string | `"batch"` |  |
+| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"otlp"` |  |
+| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"${env:MY_POD_IP}:8888"` |  |
 | opentelemetry-collector.enabled | bool | `false` |  |
+| opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` |  |
 | opentelemetry-collector.mode | string | `"deployment"` |  |
+| opentelemetry-collector.podDisruptionBudget.enabled | bool | `false` |  |
+| opentelemetry-collector.ports.jaeger-compact.enabled | bool | `false` |  |
+| opentelemetry-collector.ports.jaeger-grpc.enabled | bool | `false` |  |
+| opentelemetry-collector.ports.jaeger-thrift.enabled | bool | `false` |  |
+| opentelemetry-collector.ports.metrics.enabled | bool | `true` |  |
+| opentelemetry-collector.ports.zipkin.enabled | bool | `false` |  |
+| opentelemetry-collector.serviceMonitor.enabled | bool | `false` |  |
 
 ## Resources
 - https://opensearch.org/docs/latest/dashboards/branding/#condensed-header

charts/kubezero-telemetry/charts/fluent-bit/Chart.yaml

@@ -1,9 +1,9 @@
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: "Updated _Fluent Bit_ OCI image to [v3.0.2](https://github.com/fluent/fluent-bit/releases/tag/v3.0.2)."
+      description: "Updated Fluent Bit OCI image to v3.1.1."
 apiVersion: v1
-appVersion: 3.0.2
+appVersion: 3.1.1
 description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD
   family operating systems.
 home: https://fluentbit.io/
@@ -24,4 +24,4 @@ maintainers:
 name: fluent-bit
 sources:
 - https://github.com/fluent/fluent-bit/
-version: 0.46.2
+version: 0.47.1

charts/kubezero-telemetry/charts/fluent-bit/dashboards/fluent-bit.json

@@ -1559,7 +1559,7 @@
   },
   "timezone": "",
   "title": "{{ include "fluent-bit.fullname" . }}",
-  "uid": "d557c8f6-cac1-445f-8ade-4c351a9076b1",
+  "uid": null,
   "version": 7,
   "weekStart": ""
-}
+}

charts/kubezero-telemetry/charts/fluent-bit/templates/_pod.tpl

@@ -119,7 +119,11 @@ containers:
     {{- end }}
 {{- end }}
 {{- if .Values.extraContainers }}
-  {{- toYaml .Values.extraContainers | nindent 2 }}
+  {{- if kindIs "string" .Values.extraContainers }}
+    {{- tpl .Values.extraContainers $ | nindent 2 }}
+  {{- else }}
+    {{-  toYaml .Values.extraContainers | nindent 2 }}
+  {{- end -}}
 {{- end }}
 volumes:
   - name: config

charts/kubezero-telemetry/charts/fluent-bit/templates/service.yaml

@@ -17,6 +17,9 @@ spec:
   {{- if and (eq .Values.service.type "ClusterIP") (.Values.service.clusterIP) }}
   clusterIP: {{ .Values.service.clusterIP }}
   {{- end }}
+  {{- if .Values.service.externalIPs }}
+  externalIPs: {{- toYaml .Values.service.externalIPs | nindent 4 }}
+  {{- end }}
   {{- if (eq .Values.kind "DaemonSet") }}
   {{- with .Values.service.internalTrafficPolicy }}
   internalTrafficPolicy: {{ . }}

charts/kubezero-telemetry/charts/fluent-bit/values.yaml

@@ -101,6 +101,10 @@ service:
 #   prometheus.io/path: "/api/v1/metrics/prometheus"
 #   prometheus.io/port: "2020"
 #   prometheus.io/scrape: "true"
+  externalIPs: []
+  # externalIPs:
+  #  - 2.2.2.2
+
 
 serviceMonitor:
   enabled: false
@@ -314,11 +318,21 @@ envWithTpl: []
 
 envFrom: []
 
+# This supports either a structured array or a templatable string
 extraContainers: []
+
+# Array mode
+# extraContainers:
 #   - name: do-something
 #     image: busybox
 #     command: ['do', 'something']
 
+# String mode
+# extraContainers: |-
+#   - name: do-something
+#     image: bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}
+#     command: ['kubectl', 'version']
+
 flush: 1
 
 metricsPort: 2020

charts/kubezero-telemetry/dashboards.yaml

@@ -3,11 +3,11 @@ gzip: true
 folder: Telemetry
 #condition: '.Values.telemetry.metrics.enabled'
 dashboards:
-- name: jaeger
+#- name: jaeger
-  url: https://grafana.com/api/dashboards/10001/revisions/2/download
+#  url: https://grafana.com/api/dashboards/10001/revisions/2/download
-  tags:
+#  tags:
-  - Jaeger
+#  - Jaeger
-  - Telemetry
+#  - Telemetry
 - name: opensearch
   url: https://grafana.com/api/dashboards/15178/revisions/2/download
   tags:

charts/kubezero-telemetry/values.yaml

@@ -3,6 +3,74 @@ opentelemetry-collector:
 
   mode: deployment
 
+  image:
+    repository: "otel/opentelemetry-collector-contrib"
+
+  config:
+    extensions:
+      health_check:
+        endpoint: ${env:MY_POD_IP}:13133
+      memory_ballast: {}
+
+    exporters:
+      otlp/jaeger:
+        endpoint: telemetry-jaeger-collector:4317
+        tls:
+          insecure: true
+
+    processors:
+      batch: {}
+      # If set to null, will be overridden with values based on k8s resource limits
+      memory_limiter: null
+
+    receivers:
+      jaeger: null
+      zipkin: null
+      otlp:
+        protocols:
+          grpc:
+            endpoint: ${env:MY_POD_IP}:4317
+          http:
+            endpoint: ${env:MY_POD_IP}:4318
+    service:
+      telemetry:
+        metrics:
+          address: ${env:MY_POD_IP}:8888
+      extensions:
+        - health_check
+        - memory_ballast
+      pipelines:
+        metrics: null
+        logs: null
+        traces:
+          exporters:
+            - otlp/jaeger
+          processors:
+            - memory_limiter
+            - batch
+          receivers:
+            - otlp
+
+  ports:
+    jaeger-compact:
+      enabled: false
+    jaeger-thrift:
+      enabled: false
+    jaeger-grpc:
+      enabled: false
+    zipkin:
+      enabled: false
+    metrics:
+      enabled: true
+
+  serviceMonitor:
+    enabled: false
+
+  podDisruptionBudget:
+    enabled: false
+    # minAvailable: 2
+    # maxUnavailable: 1
+
 jaeger:
   enabled: false
 
@@ -15,12 +83,12 @@ jaeger:
         grpc:
           name: otlp-grpc
           port: 4317
-        http:
+   #    http:
-          name: otlp-http
+   #      name: otlp-http
-          port: 4318
+   #      port: 4318
-    extraEnv:
+   #extraEnv:
-      - name: ES_TAGS_AS_FIELDS_ALL
+   #  - name: ES_TAGS_AS_FIELDS_ALL
-        value: "true"
+   #    value: "true"
     serviceMonitor:
       enabled: false
 
@@ -52,7 +120,7 @@ jaeger:
     url: jaeger.example.com
 
 opensearch:
-  version: 2.14.0
+  version: 2.15.0
   prometheus: false
 
   # custom cluster settings
@@ -302,6 +370,15 @@ fluent-bit:
   testFramework:
     enabled: false
 
+  service:
+    internalTrafficPolicy: Local
+
+  extraPorts:
+    - name: otel
+      port: 4318
+      containerPort: 4318
+      protocol: TCP
+
   serviceMonitor:
     enabled: false
 
@@ -327,6 +404,9 @@ fluent-bit:
       sharedKey: secretref+k8s://v1/Secret/kube-system/kubezero-secrets/telemetry.fluentd.source.sharedKey
       tls: false
 
+    output_otel:
+      host: telemetry-opentelemetry-collector
+
     input:
       memBufLimit: 16MB
       refreshInterval: 5
@@ -353,6 +433,7 @@ fluent-bit:
           Name tail
           Path /var/log/containers/*.log
           # Exclude ourselves to current error spam, https://github.com/fluent/fluent-bit/issues/5769
+          # Todo: Rather limit / filter spam message than exclude all together -> ideally locally, next dataprepper
           Exclude_Path *logging-fluent-bit*
           multiline.parser cri
           Tag cri.*
@@ -363,10 +444,14 @@ fluent-bit:
           DB.locking true
           # Buffer_Max_Size 1M
           {{- with .Values.config.input }}
-          Mem_Buf_Limit {{ default "16MB" .memBufLimit }}
+          Mem_Buf_Limit {{ .memBufLimit }}
-          Refresh_Interval {{ default 5 .refreshInterval }}
+          Refresh_Interval {{ .refreshInterval }}
           {{- end }}
 
+      [INPUT]
+          Name opentelemetry
+          Tag otel
+
     filters: |
       [FILTER]
           Name parser
@@ -411,7 +496,7 @@ fluent-bit:
 
     outputs: |
       [OUTPUT]
-          Match *
+          Match kube.*
           Name forward
           Host {{ .Values.config.output.host }}
           Port 24224
@@ -420,6 +505,15 @@ fluent-bit:
           Send_options true
           Require_ack_response true
 
+      [OUTPUT]
+          Name opentelemetry
+          Match otel
+          Host {{ .Values.config.output_otel.host }}
+          Port 4318
+          #Metrics_uri /v1/metrics
+          Traces_uri   /v1/traces
+          #Logs_uri    /v1/logs
+
     customParsers: |
       [PARSER]
           Name cri-log