Elasticsearch/Kibana: Update version to 7.1.0

This updates the Elasticsearch and Kibana charts to deploy
version 7.1.0. This move required significant changes to both
charts, including: changing elasticsearch masters to a statefulset
to utilize reliable dns names for the discovery process, updating
the config to reflect deprecated/updated/removed values, using the
kibana saved objects api for managing index patterns and setting
the default index, and updating the elasticsearch entrypoint
scripts to reflect the use of elasticsearch-keystore for storing s3
credentials instead of defining them in the configuration file.

Change-Id: I270d905f266fc15492e47d8376714ba80603e66d
Signed-off-by: Steve Wilkerson <sw5822@att.com>
Steve Wilkerson 2019-11-14 14:45:46 -06:00
parent ae8a6c5d50
commit 2d3c9575ff
15 changed files with 342 additions and 182 deletions


@ -15,12 +15,21 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
set -ex {{- $envAll := . }}
set -e
COMMAND="${@:-start}" COMMAND="${@:-start}"
function initiate_keystore () {
bin/elasticsearch-keystore create
echo ${S3_ACCESS_KEY} | /usr/share/elasticsearch/bin/elasticsearch-keystore add -xf s3.client.default.access_key
echo ${S3_SECRET_KEY} | /usr/share/elasticsearch/bin/elasticsearch-keystore add -xf s3.client.default.secret_key
}
function start () { function start () {
ulimit -l unlimited ulimit -l unlimited
exec /docker-entrypoint.sh elasticsearch initiate_keystore
exec /usr/local/bin/docker-entrypoint.sh elasticsearch
} }
function stop () { function stop () {
@ -42,10 +51,32 @@ function allocate_data_node () {
echo "Node ${NODE_NAME} is ready to be used" echo "Node ${NODE_NAME} is ready to be used"
} }
function start_master_node () {
ulimit -l unlimited
initiate_keystore
if [ ! -f {{ $envAll.Values.conf.elasticsearch.config.path.data }}/cluster-bootstrap.txt ];
then
{{ if empty $envAll.Values.conf.elasticsearch.config.cluster.initial_master_nodes -}}
{{- $_ := set $envAll.Values "__eligible_masters" ( list ) }}
{{- range $podInt := until ( atoi (print $envAll.Values.pod.replicas.master ) ) }}
{{- $eligibleMaster := printf "elasticsearch-master-%s" (toString $podInt) }}
{{- $__eligible_masters := append $envAll.Values.__eligible_masters $eligibleMaster }}
{{- $_ := set $envAll.Values "__eligible_masters" $__eligible_masters }}
{{- end -}}
{{- $masters := include "helm-toolkit.utils.joinListWithComma" $envAll.Values.__eligible_masters -}}
echo {{$masters}} >> {{ $envAll.Values.conf.elasticsearch.config.path.data }}/cluster-bootstrap.txt
exec /usr/local/bin/docker-entrypoint.sh elasticsearch -Ecluster.initial_master_nodes={{$masters}}
{{- end }}
else
exec /usr/local/bin/docker-entrypoint.sh elasticsearch
fi
}
function start_data_node () { function start_data_node () {
ulimit -l unlimited ulimit -l unlimited
initiate_keystore
allocate_data_node & allocate_data_node &
/docker-entrypoint.sh elasticsearch & /usr/local/bin/docker-entrypoint.sh elasticsearch &
function drain_data_node () { function drain_data_node () {
echo "Prepare to migrate data off node ${NODE_NAME}" echo "Prepare to migrate data off node ${NODE_NAME}"
echo "Move all data from node ${NODE_NAME}" echo "Move all data from node ${NODE_NAME}"
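Review bot: In `initiate_keystore` both secrets are expanded unquoted (`echo ${S3_SECRET_KEY} | ...`), so a value containing whitespace or glob characters is word-split or expanded before it reaches the keystore, and `echo` may treat a leading `-n` or `-e` as an option. Prefer `printf '%s\n' "${S3_SECRET_KEY}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -xf s3.client.default.secret_key`, and the same for the access key. The `create` call should use the same absolute path rather than the working-directory-relative `bin/elasticsearch-keystore`. Separately, in `start_master_node` the `then` branch appears to render empty whenever `conf.elasticsearch.config.cluster.initial_master_nodes` is set, which leaves `then` directly followed by `else` and is a shell syntax error; moving the `else` branch's `exec` into a template `{{ else }}` would avoid that. `drain_data_node` continues outside the hunk.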


@ -32,9 +32,7 @@ function register_snapshot_repository() {
"settings": { "settings": {
"endpoint": "'"$RGW_HOST"'", "endpoint": "'"$RGW_HOST"'",
"protocol": "http", "protocol": "http",
"bucket": "'"$S3_BUCKET"'", "bucket": "'"$S3_BUCKET"'"
"access_key": "'"$S3_ACCESS_KEY"'",
"secret_key": "'"$S3_SECRET_KEY"'"
} }
}' | python -c "import sys, json; print(json.load(sys.stdin)['acknowledged'])") }' | python -c "import sys, json; print(json.load(sys.stdin)['acknowledged'])")
if [ "$result" == "True" ]; if [ "$result" == "True" ];


@ -17,23 +17,18 @@ limitations under the License.
{{- if .Values.manifests.configmap_etc_elasticsearch }} {{- if .Values.manifests.configmap_etc_elasticsearch }}
{{- $envAll := . }} {{- $envAll := . }}
{{- if empty .Values.conf.elasticsearch.config.cloud.aws.access_key -}}
{{- set .Values.conf.elasticsearch.config.cloud.aws "access_key" .Values.endpoints.ceph_object_store.auth.elasticsearch.access_key -}}
{{- end -}}
{{- if empty .Values.conf.elasticsearch.config.cloud.aws.secret_key -}}
{{- set .Values.conf.elasticsearch.config.cloud.aws "secret_key" .Values.endpoints.ceph_object_store.auth.elasticsearch.secret_key -}}
{{- end -}}
{{- if empty .Values.endpoints.ceph_object_store.path.default -}} {{- if empty .Values.endpoints.ceph_object_store.path.default -}}
{{- set .Values.endpoints.ceph_object_store.path "default" .Values.conf.elasticsearch.snapshots.bucket -}} {{- set .Values.endpoints.ceph_object_store.path "default" .Values.conf.elasticsearch.snapshots.bucket -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.elasticsearch.config.cloud.aws.s3.endpoint -}} {{- if empty .Values.conf.elasticsearch.config.s3.client.default.endpoint -}}
{{- $radosgw_host := tuple "ceph_object_store" "internal" "api" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}} {{- $radosgw_host := tuple "ceph_object_store" "internal" "api" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
{{- $bucket_path := tuple "ceph_object_store" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}} {{- set .Values.conf.elasticsearch.config.s3.client.default "endpoint" $radosgw_host -}}
{{- $s3_endpoint := printf "%s/%s" $radosgw_host $bucket_path -}} {{- end -}}
{{- set .Values.conf.elasticsearch.config.cloud.aws.s3 "endpoint" $s3_endpoint -}}
{{- if empty .Values.conf.elasticsearch.config.discovery.seed_hosts -}}
{{- $discovery_svc := tuple "elasticsearch" "discovery" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
{{- set .Values.conf.elasticsearch.config.discovery "seed_hosts" $discovery_svc -}}
{{- end -}} {{- end -}}
--- ---
apiVersion: v1 apiVersion: v1
@ -46,4 +41,5 @@ data:
#NOTE(portdirect): this must be last, to work round helm ~2.7 bug. #NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }} {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.log4j2 "key" "log4j2.properties" "format" "Secret") | indent 2 }} {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.log4j2 "key" "log4j2.properties" "format" "Secret") | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.jvm_options "key" "jvm.options" "format" "Secret") | indent 2 }}
{{- end }} {{- end }}


@ -18,6 +18,7 @@ limitations under the License.
{{- $envAll := . }} {{- $envAll := . }}
{{- $esUserSecret := .Values.secrets.elasticsearch.user }} {{- $esUserSecret := .Values.secrets.elasticsearch.user }}
{{- $s3UserSecret := .Values.secrets.rgw.elasticsearch }}
{{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }} {{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }}
@ -177,7 +178,7 @@ spec:
- name: NODE_MASTER - name: NODE_MASTER
value: "false" value: "false"
- name: NODE_INGEST - name: NODE_INGEST
value: "false" value: "true"
- name: NODE_DATA - name: NODE_DATA
value: "false" value: "false"
- name: HTTP_ENABLE - name: HTTP_ENABLE
@ -186,6 +187,19 @@ spec:
value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- name: ES_JAVA_OPTS - name: ES_JAVA_OPTS
value: "{{ .Values.conf.elasticsearch.env.java_opts.client }}" value: "{{ .Values.conf.elasticsearch.env.java_opts.client }}"
- name: S3_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ $s3UserSecret }}
key: S3_ACCESS_KEY
- name: S3_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ $s3UserSecret }}
key: S3_SECRET_KEY
{{- if .Values.pod.env.client }}
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.client | indent 12 }}
{{- end }}
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
mountPath: /tmp mountPath: /tmp
@ -195,8 +209,6 @@ spec:
mountPath: /tmp/elasticsearch.sh mountPath: /tmp/elasticsearch.sh
subPath: elasticsearch.sh subPath: elasticsearch.sh
readOnly: true readOnly: true
- name: elasticsearch-config
mountPath: /usr/share/elasticsearch/config
- name: elasticsearch-etc - name: elasticsearch-etc
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
subPath: elasticsearch.yml subPath: elasticsearch.yml
@ -205,14 +217,16 @@ spec:
mountPath: /usr/share/elasticsearch/config/log4j2.properties mountPath: /usr/share/elasticsearch/config/log4j2.properties
subPath: log4j2.properties subPath: log4j2.properties
readOnly: true readOnly: true
- name: elasticsearch-etc
mountPath: /usr/share/elasticsearch/config/jvm.options
subPath: jvm.options
readOnly: true
- name: storage - name: storage
mountPath: {{ .Values.conf.elasticsearch.config.path.data }} mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
{{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
- name: elasticsearch-config
emptyDir: {}
- name: elasticsearch-logs - name: elasticsearch-logs
emptyDir: {} emptyDir: {}
- name: elasticsearch-bin - name: elasticsearch-bin
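Review bot: The S3 keys are injected as container environment variables (`S3_ACCESS_KEY` and `S3_SECRET_KEY` via `secretKeyRef`), so after the entrypoint has copied them into the keystore they remain in the environment of the long-running Elasticsearch process and of anything exec'd in the container. Consider mounting the `{{ $s3UserSecret }}` Secret as a read-only volume and piping the files into `elasticsearch-keystore add -xf`. At minimum the entrypoint could run `unset S3_ACCESS_KEY S3_SECRET_KEY` before it `exec`s Elasticsearch. The same env block is added to the data and master StatefulSets in this commit. A comment above the entries, such as `# consumed once by initiate_keystore in elasticsearch.sh`, would tell readers why the pod needs them.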


@ -18,6 +18,7 @@ limitations under the License.
{{- $envAll := . }} {{- $envAll := . }}
{{- $esUserSecret := .Values.secrets.elasticsearch.user }} {{- $esUserSecret := .Values.secrets.elasticsearch.user }}
{{- $s3UserSecret := .Values.secrets.rgw.elasticsearch }}
{{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }} {{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }}
@ -70,6 +71,7 @@ metadata:
spec: spec:
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }} {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
serviceName: {{ tuple "elasticsearch" "data" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} serviceName: {{ tuple "elasticsearch" "data" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
podManagementPolicy: "Parallel"
replicas: {{ .Values.pod.replicas.data }} replicas: {{ .Values.pod.replicas.data }}
selector: selector:
matchLabels: matchLabels:
@ -101,6 +103,19 @@ spec:
- sysctl - sysctl
- -w - -w
- vm.max_map_count={{ .Values.conf.init.max_map_count }} - vm.max_map_count={{ .Values.conf.init.max_map_count }}
- name: elasticsearch-perms
{{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.prometheus | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: 0
command:
- chown
- -R
- "elasticsearch:"
- {{ .Values.conf.elasticsearch.config.path.data }}
volumeMounts:
- name: storage
mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
containers: containers:
- name: elasticsearch-data - name: elasticsearch-data
{{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -148,8 +163,21 @@ spec:
value: "false" value: "false"
- name: ES_JAVA_OPTS - name: ES_JAVA_OPTS
value: "{{ .Values.conf.elasticsearch.env.java_opts.data }}" value: "{{ .Values.conf.elasticsearch.env.java_opts.data }}"
- name: S3_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ $s3UserSecret }}
key: S3_ACCESS_KEY
- name: S3_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ $s3UserSecret }}
key: S3_SECRET_KEY
- name: DISCOVERY_SERVICE - name: DISCOVERY_SERVICE
value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
{{- if .Values.pod.env.data }}
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.data | indent 12 }}
{{- end }}
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
mountPath: /tmp mountPath: /tmp
@ -159,8 +187,6 @@ spec:
mountPath: /tmp/elasticsearch.sh mountPath: /tmp/elasticsearch.sh
subPath: elasticsearch.sh subPath: elasticsearch.sh
readOnly: true readOnly: true
- name: elasticsearch-config
mountPath: /usr/share/elasticsearch/config
- name: elasticsearch-etc - name: elasticsearch-etc
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
subPath: elasticsearch.yml subPath: elasticsearch.yml
@ -169,6 +195,10 @@ spec:
mountPath: /usr/share/elasticsearch/config/log4j2.properties mountPath: /usr/share/elasticsearch/config/log4j2.properties
subPath: log4j2.properties subPath: log4j2.properties
readOnly: true readOnly: true
- name: elasticsearch-etc
mountPath: /usr/share/elasticsearch/config/jvm.options
subPath: jvm.options
readOnly: true
- name: storage - name: storage
mountPath: {{ .Values.conf.elasticsearch.config.path.data }} mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
{{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }}
@ -177,8 +207,6 @@ spec:
emptyDir: {} emptyDir: {}
- name: elasticsearch-logs - name: elasticsearch-logs
emptyDir: {} emptyDir: {}
- name: elasticsearch-config
emptyDir: {}
- name: elasticsearch-bin - name: elasticsearch-bin
configMap: configMap:
name: elasticsearch-bin name: elasticsearch-bin
@ -188,7 +216,7 @@ spec:
secretName: elasticsearch-etc secretName: elasticsearch-etc
defaultMode: 0444 defaultMode: 0444
{{ if $mounts_elasticsearch.volumes }}{{ toYaml $mounts_elasticsearch.volumes | indent 8 }}{{ end }} {{ if $mounts_elasticsearch.volumes }}{{ toYaml $mounts_elasticsearch.volumes | indent 8 }}{{ end }}
{{- if not .Values.storage.enabled }} {{- if not .Values.storage.data.enabled }}
- name: storage - name: storage
emptyDir: {} emptyDir: {}
{{- else }} {{- else }}
@ -196,10 +224,10 @@ spec:
- metadata: - metadata:
name: storage name: storage
spec: spec:
accessModes: {{ .Values.storage.pvc.access_mode }} accessModes: {{ .Values.storage.data.pvc.access_mode }}
resources: resources:
requests: requests:
storage: {{ .Values.storage.requests.storage }} storage: {{ .Values.storage.data.requests.storage }}
storageClassName: {{ .Values.storage.storage_class }} storageClassName: {{ .Values.storage.data.storage_class }}
{{- end }} {{- end }}
{{- end }} {{- end }}
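Review bot: The new `elasticsearch-perms` init container hard-codes `securityContext: runAsUser: 0` and nothing else, so it runs as root with the runtime's default capability set and a writable root filesystem, and it cannot be tuned from values. `chown -R` should need little beyond `CHOWN` (possibly `DAC_READ_SEARCH` to traverse existing directories; confirm against the storage backend). Consider rendering the context through `helm-toolkit.snippets.kubernetes_container_security_context` as the main containers do, or adding `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and a `capabilities` block that drops `ALL` and adds back only what is required. Its resources are taken from `pod.resources.prometheus`, which looks like a copy-paste from another chart section. The identical init container is added to the master StatefulSet.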


@ -14,9 +14,11 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
{{- if .Values.manifests.deployment_master }} {{- if .Values.manifests.statefulset_master }}
{{- $envAll := . }} {{- $envAll := . }}
{{- $s3UserSecret := .Values.secrets.rgw.elasticsearch }}
{{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }} {{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }}
{{- $serviceAccountName := "elasticsearch-master" }} {{- $serviceAccountName := "elasticsearch-master" }}
@ -58,7 +60,7 @@ rules:
- get - get
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: StatefulSet
metadata: metadata:
name: elasticsearch-master name: elasticsearch-master
annotations: annotations:
@ -66,6 +68,8 @@ metadata:
labels: labels:
{{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec: spec:
serviceName: {{ tuple "elasticsearch" "discovery" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
podManagementPolicy: "Parallel"
replicas: {{ .Values.pod.replicas.master }} replicas: {{ .Values.pod.replicas.master }}
selector: selector:
matchLabels: matchLabels:
@ -98,6 +102,19 @@ spec:
- sysctl - sysctl
- -w - -w
- vm.max_map_count={{ .Values.conf.init.max_map_count }} - vm.max_map_count={{ .Values.conf.init.max_map_count }}
- name: elasticsearch-perms
{{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.prometheus | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: 0
command:
- chown
- -R
- "elasticsearch:"
- {{ .Values.conf.elasticsearch.config.path.data }}
volumeMounts:
- name: storage
mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
containers: containers:
- name: elasticsearch-master - name: elasticsearch-master
{{ dict "envAll" $envAll "application" "master" "container" "elasticsearch_master" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "master" "container" "elasticsearch_master" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
@ -105,7 +122,7 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.master | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.master | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command: command:
- /tmp/elasticsearch.sh - /tmp/elasticsearch.sh
- start - start_master_node
lifecycle: lifecycle:
preStop: preStop:
exec: exec:
@ -141,6 +158,19 @@ spec:
value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- name: ES_JAVA_OPTS - name: ES_JAVA_OPTS
value: "{{ .Values.conf.elasticsearch.env.java_opts.master }}" value: "{{ .Values.conf.elasticsearch.env.java_opts.master }}"
- name: S3_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ $s3UserSecret }}
key: S3_ACCESS_KEY
- name: S3_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ $s3UserSecret }}
key: S3_SECRET_KEY
{{- if .Values.pod.env.master }}
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.master | indent 12 }}
{{- end }}
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
mountPath: /tmp mountPath: /tmp
@ -150,8 +180,6 @@ spec:
mountPath: /tmp/elasticsearch.sh mountPath: /tmp/elasticsearch.sh
subPath: elasticsearch.sh subPath: elasticsearch.sh
readOnly: true readOnly: true
- name: elasticsearch-config
mountPath: /usr/share/elasticsearch/config
- name: elasticsearch-etc - name: elasticsearch-etc
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
subPath: elasticsearch.yml subPath: elasticsearch.yml
@ -160,6 +188,10 @@ spec:
mountPath: /usr/share/elasticsearch/config/log4j2.properties mountPath: /usr/share/elasticsearch/config/log4j2.properties
subPath: log4j2.properties subPath: log4j2.properties
readOnly: true readOnly: true
- name: elasticsearch-etc
mountPath: /usr/share/elasticsearch/config/jvm.options
subPath: jvm.options
readOnly: true
- name: storage - name: storage
mountPath: {{ .Values.conf.elasticsearch.config.path.data }} mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
{{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }}
@ -168,8 +200,6 @@ spec:
emptyDir: {} emptyDir: {}
- name: elasticsearch-logs - name: elasticsearch-logs
emptyDir: {} emptyDir: {}
- name: elasticsearch-config
emptyDir: {}
- name: elasticsearch-bin - name: elasticsearch-bin
configMap: configMap:
name: elasticsearch-bin name: elasticsearch-bin
@ -178,7 +208,19 @@ spec:
secret: secret:
secretName: elasticsearch-etc secretName: elasticsearch-etc
defaultMode: 0444 defaultMode: 0444
{{ if $mounts_elasticsearch.volumes }}{{ toYaml $mounts_elasticsearch.volumes | indent 8 }}{{ end }}
{{- if not .Values.storage.master.enabled }}
- name: storage - name: storage
emptyDir: {} emptyDir: {}
{{ if $mounts_elasticsearch.volumes }}{{ toYaml $mounts_elasticsearch.volumes | indent 8 }}{{ end }} {{- else }}
volumeClaimTemplates:
- metadata:
name: storage
spec:
accessModes: {{ .Values.storage.master.pvc.access_mode }}
resources:
requests:
storage: {{ .Values.storage.master.requests.storage }}
storageClassName: {{ .Values.storage.master.storage_class }}
{{- end }}
{{- end }} {{- end }}


@ -20,8 +20,8 @@ images:
tags: tags:
apache_proxy: docker.io/httpd:2.4 apache_proxy: docker.io/httpd:2.4
memory_init: docker.io/openstackhelm/heat:newton-ubuntu_xenial memory_init: docker.io/openstackhelm/heat:newton-ubuntu_xenial
elasticsearch: docker.io/openstackhelm/elasticsearch-s3:7_1_0-20191119
curator: docker.io/bobrik/curator:5.6.0 curator: docker.io/bobrik/curator:5.6.0
elasticsearch: docker.io/openstackhelm/elasticsearch-s3:5_6_4-20191119
ceph_key_placement: docker.io/openstackhelm/ceph-config-helper:ubuntu_xenial-20191119 ceph_key_placement: docker.io/openstackhelm/ceph-config-helper:ubuntu_xenial-20191119
s3_bucket: docker.io/openstackhelm/ceph-daemon:ubuntu_xenial-20191119 s3_bucket: docker.io/openstackhelm/ceph-daemon:ubuntu_xenial-20191119
s3_user: docker.io/openstackhelm/ceph-config-helper:ubuntu_xenial-20191119 s3_user: docker.io/openstackhelm/ceph-config-helper:ubuntu_xenial-20191119
@ -123,6 +123,10 @@ dependencies:
- elasticsearch-register-snapshot-repository - elasticsearch-register-snapshot-repository
pod: pod:
env:
client: null
data: null
master: null
mandatory_access_control: mandatory_access_control:
type: apparmor type: apparmor
elasticsearch-master: elasticsearch-master:
@ -154,7 +158,7 @@ pod:
add: add:
- IPC_LOCK - IPC_LOCK
- SYS_RESOURCE - SYS_RESOURCE
readOnlyRootFilesystem: true readOnlyRootFilesystem: false
master: master:
pod: pod:
runAsUser: 0 runAsUser: 0
@ -168,7 +172,7 @@ pod:
add: add:
- IPC_LOCK - IPC_LOCK
- SYS_RESOURCE - SYS_RESOURCE
readOnlyRootFilesystem: true readOnlyRootFilesystem: false
es_cluster_wait: es_cluster_wait:
pod: pod:
runAsUser: 0 runAsUser: 0
@ -418,6 +422,7 @@ conf:
LoadModule unixd_module modules/mod_unixd.so LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so LoadModule autoindex_module modules/mod_autoindex.so
LoadModule rewrite_module modules/mod_rewrite.so
<IfModule unixd_module> <IfModule unixd_module>
User daemon User daemon
@ -480,10 +485,6 @@ conf:
Require valid-user Require valid-user
</Location> </Location>
# Restrict access to the Elasticsearch Update API endpoint to prevent modification of indexed documents
<Location /*/_doc/*/_update*>
Require all denied
</Location>
# Restrict access to the Elasticsearch Update By Query API Endpoint to prevent modification of indexed documents # Restrict access to the Elasticsearch Update By Query API Endpoint to prevent modification of indexed documents
<Location /*/_update_by_query*> <Location /*/_update_by_query*>
Require all denied Require all denied
@ -492,30 +493,49 @@ conf:
<Location /*/_delete_by_query*> <Location /*/_delete_by_query*>
Require all denied Require all denied
</Location> </Location>
# Prohibit DELETE methods on the document API endpoint
<Location /*/_doc/*>
AllowMethods GET POST OPTIONS
ProxyPass http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
ProxyPassReverse http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
AuthName "Elasticsearch"
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile /usr/local/apache2/conf/.htpasswd
AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
Require valid-user
</Location>
</VirtualHost> </VirtualHost>
log4j2: | log4j2: |
status = error status = error
appender.console.type = Console appender.console.type = Console
appender.console.name = console appender.console.name = console
appender.console.layout.type = PatternLayout appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker%m%n
rootLogger.level = info rootLogger.level = info
rootLogger.appenderRef.console.ref = console rootLogger.appenderRef.console.ref = console
jvm_options: |
-Xms1g
-Xmx1g
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
-Des.networkaddress.cache.ttl=60
-Des.networkaddress.cache.negative.ttl=10
-XX:+AlwaysPreTouch
-Xss1m
-Djava.awt.headless=true
-Dfile.encoding=UTF-8
-Djna.nosys=true
-XX:-OmitStackTraceInFastThrow
-Dio.netty.noUnsafe=true
-Dio.netty.noKeySetOptimization=true
-Dio.netty.recycler.maxCapacityPerThread=0
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Djava.io.tmpdir=${ES_TMPDIR}
-XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=data
-XX:ErrorFile=logs/hs_err_pid%p.log
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:logs/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m
9-:-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m
9-:-Djava.locale.providers=COMPAT
10-:-XX:UseAVX=2
init: init:
max_map_count: 262144 max_map_count: 262144
ceph: ceph:
@ -636,21 +656,17 @@ conf:
cluster: cluster:
name: elasticsearch name: elasticsearch
discovery: discovery:
zen: # NOTE(srwilkers): This gets configured dynamically via endpoint lookups
ping.unicast.hosts: ${DISCOVERY_SERVICE} seed_hosts: null
minimum_master_nodes: 2
http:
enabled: ${HTTP_ENABLE}
compression: true
network: network:
host: 0.0.0.0 host: 0.0.0.0
cloud:
aws:
protocol: http
s3: s3:
client:
default:
# NOTE(srwilkers): This gets configured dynamically via endpoint # NOTE(srwilkers): This gets configured dynamically via endpoint
# lookups # lookups
endpoint: null endpoint: null
protocol: http
node: node:
ingest: ${NODE_INGEST} ingest: ${NODE_INGEST}
master: ${NODE_MASTER} master: ${NODE_MASTER}
@ -658,8 +674,8 @@ conf:
name: ${NODE_NAME} name: ${NODE_NAME}
max_local_storage_nodes: 3 max_local_storage_nodes: 3
path: path:
data: /usr/share/elasticsearch/data data: /data
logs: /usr/share/elasticsearch/logs logs: /logs
snapshots: snapshots:
enabled: false enabled: false
# NOTE(srwilkers): The path for the radosgw s3 endpoint gets populated # NOTE(srwilkers): The path for the radosgw s3 endpoint gets populated
@ -680,12 +696,11 @@ conf:
timeout: 20s timeout: 20s
templates: templates:
fluent: fluent:
template: "logstash-*"
index_patterns: "logstash-*" index_patterns: "logstash-*"
settings: settings:
index:
number_of_shards: 1 number_of_shards: 1
mappings: mappings:
fluent:
properties: properties:
kubernetes: kubernetes:
properties: properties:
@ -829,6 +844,7 @@ network:
port: 30920 port: 30920
storage: storage:
data:
enabled: true enabled: true
pvc: pvc:
name: pvc-elastic name: pvc-elastic
@ -836,6 +852,14 @@ storage:
requests: requests:
storage: 5Gi storage: 5Gi
storage_class: general storage_class: general
master:
enabled: true
pvc:
name: pvc-elastic
access_mode: [ "ReadWriteOnce" ]
requests:
storage: 1Gi
storage_class: general
manifests: manifests:
@ -847,7 +871,6 @@ manifests:
cron_curator: true cron_curator: true
cron_verify_repositories: true cron_verify_repositories: true
deployment_client: true deployment_client: true
deployment_master: true
ingress: true ingress: true
job_cluster_wait: true job_cluster_wait: true
job_elasticsearch_templates: true job_elasticsearch_templates: true
@ -870,3 +893,4 @@ manifests:
service_ingress: true service_ingress: true
service_logging: true service_logging: true
statefulset_data: true statefulset_data: true
statefulset_master: true
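Review bot: The httpd proxy config loses two write protections with no replacement. The `Require all denied` block for `/*/_doc/*/_update*` is deleted, and, going by the hunk's line counts, so is the `/*/_doc/*` block whose `AllowMethods GET POST OPTIONS` kept DELETE away from documents. Only `_update_by_query` and `_delete_by_query` remain denied, so as far as the visible rules show, any user who passes `Require valid-user` can now update or delete individual documents through the proxy, and the commit message does not mention this. If it is not intended, add a rule for the 7.x update path, e.g. `<Location /*/_update/*>` with `Require all denied`, and keep a method restriction on the document endpoints. The two `readOnlyRootFilesystem: false` changes also deserve a comment naming what needs the writable root (presumably the keystore written under the config directory).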


@ -18,9 +18,13 @@ set -ex
{{- range .Values.conf.create_kibana_indexes.indexes }} {{- range .Values.conf.create_kibana_indexes.indexes }}
curl -K- <<< "--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" \ curl -K- <<< "--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" \
-XPOST "${ELASTICSEARCH_ENDPOINT}/.kibana/index-pattern/{{ . }}-*" -H 'Content-Type: application/json' \ -XPOST "${KIBANA_ENDPOINT}/api/saved_objects/index-pattern/{{ . }}*" -H 'kbn-xsrf: true' \
-d '{"title":"{{ . }}-*","timeFieldName":"@timestamp","notExpandable":true}' -H 'Content-Type: application/json' -d \
{{- end }} '{"attributes":{"title":"{{ . }}-*","timeFieldName":"@timestamp"}}'
{{ end }}
curl -K- <<< "--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" \ curl -K- <<< "--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" \
-XPOST "${ELASTICSEARCH_ENDPOINT}/.kibana/config/5.6.4" -H 'Content-Type: application/json' \ -XPOST "${KIBANA_ENDPOINT}/api/kibana/settings/defaultIndex" -H 'kbn-xsrf: true' \
-d '{"defaultIndex" : "{{ .Values.conf.create_kibana_indexes.default_index }}-*"}' -H 'Content-Type: application/json' -d \
'{"value" : "{{ .Values.conf.create_kibana_indexes.default_index }}*"}'
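Review bot: Neither `curl` call checks the HTTP status, so even with `set -e` the job exits 0 when Kibana answers 401, 409 or 5xx, and the index patterns or default index are silently missing. Add `--fail` to both calls (`curl --fail -K- <<< "--user ..."`) and decide how a rerun against an already existing saved object should be treated. The saved-object id is `{{ . }}*` while its title is `{{ . }}-*`; if that difference is deliberate, a one-line comment explaining it would help. Keep the `-K-` here-string for the credentials, since it keeps them off the command line.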


@ -15,14 +15,14 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
set -ex set -e
COMMAND="${@:-start}" COMMAND="${@:-start}"
function start () { function start () {
exec kibana \ exec /usr/share/kibana/bin/kibana \
--elasticsearch.url="$ELASTICSEARCH_URL" \ --elasticsearch.hosts="${ELASTICSEARCH_HOSTS}" \
--elasticsearch.username="$ELASTICSEARCH_USERNAME" \ --elasticsearch.username="${ELASTICSEARCH_USERNAME}" \
--elasticsearch.password="$ELASTICSEARCH_PASSWORD" --elasticsearch.password="${ELASTICSEARCH_PASSWORD}"
} }
function stop () { function stop () {
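Review bot: `--elasticsearch.password="${ELASTICSEARCH_PASSWORD}"` puts the password on Kibana's command line, where it is readable from the process list (`/proc/<pid>/cmdline`) by anything sharing the container's PID namespace. Dropping `-x` from `set -ex` stops the shell from tracing the expanded value into the pod log, but the argv exposure remains. Consider loading the password with `kibana-keystore` before the `exec`, or supplying it through the mounted `kibana.yml`, so that `start` passes only `--elasticsearch.hosts` on the command line. `stop` continues outside the hunk.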


@ -18,6 +18,13 @@ limitations under the License.
{{- $envAll := . }} {{- $envAll := . }}
{{- $esUserSecret := .Values.secrets.elasticsearch.user }} {{- $esUserSecret := .Values.secrets.elasticsearch.user }}
{{- $esUser := .Values.endpoints.elasticsearch.auth.admin.username }}
{{- $esPass := .Values.endpoints.elasticsearch.auth.admin.password }}
{{- $authHeader := printf "%s:%s" $esUser $esPass | b64enc }}
{{- $esScheme := tuple "elasticsearch" "internal" "http" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
{{- $esSvc := tuple "elasticsearch" "default" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{- $esHosts := printf "%s://%s" $esScheme $esSvc }}
{{- $serviceAccountName := "kibana" }} {{- $serviceAccountName := "kibana" }}
{{ tuple $envAll "kibana" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "kibana" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@ -101,9 +108,18 @@ spec:
ports: ports:
- name: kibana - name: kibana
containerPort: {{ tuple "kibana" "internal" "kibana" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} containerPort: {{ tuple "kibana" "internal" "kibana" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe:
httpGet:
path: /status
port: {{ tuple "kibana" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
httpHeaders:
- name: Authorization
value: Basic {{ $authHeader }}
initialDelaySeconds: 20
periodSeconds: 10
env: env:
- name: ELASTICSEARCH_URL - name: ELASTICSEARCH_HOSTS
value: {{ tuple "elasticsearch" "default" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} value: {{ $esHosts }}
- name: ELASTICSEARCH_USERNAME - name: ELASTICSEARCH_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@ -124,6 +140,8 @@ spec:
subPath: kibana.sh subPath: kibana.sh
readOnly: true readOnly: true
- name: pod-etc-kibana - name: pod-etc-kibana
mountPath: /usr/share/kibana/config
- name: pod-optimize-kibana
mountPath: /usr/share/kibana/optimize mountPath: /usr/share/kibana/optimize
- name: kibana-etc - name: kibana-etc
mountPath: /usr/share/kibana/config/kibana.yml mountPath: /usr/share/kibana/config/kibana.yml
@ -137,6 +155,8 @@ spec:
medium: "Memory" medium: "Memory"
- name: pod-etc-kibana - name: pod-etc-kibana
emptyDir: {} emptyDir: {}
- name: pod-optimize-kibana
emptyDir: {}
- name: kibana-bin - name: kibana-bin
configMap: configMap:
name: kibana-bin name: kibana-bin
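Review bot: The readiness probe embeds the Elasticsearch admin credentials in the rendered manifest: `$authHeader` is built as `printf "%s:%s" $esUser $esPass | b64enc` and written out as `value: Basic {{ $authHeader }}` under `httpHeaders`. Base64 is an encoding, not protection, so anyone who can read the Deployment or Pod object (or the stored Helm release) recovers the admin password, while the container's own env takes its credentials through `secretKeyRef`. httpGet probes cannot reference a Secret, so an exec probe that builds the request from the already-injected env keeps the value out of the spec, for example `command: ["sh", "-c", "curl -sf -u \"${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}\" http://localhost:<port>/status"]`, assuming the image ships curl. A dedicated low-privilege account for the probe, rather than the admin user, would limit the impact further.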


@ -53,6 +53,8 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ $esUserSecret }} name: {{ $esUserSecret }}
key: ELASTICSEARCH_PASSWORD key: ELASTICSEARCH_PASSWORD
- name: KIBANA_ENDPOINT
value: {{ tuple "kibana" "internal" "http" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
- name: ELASTICSEARCH_ENDPOINT - name: ELASTICSEARCH_ENDPOINT
value: {{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} value: {{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
command: command:


@ -23,7 +23,7 @@ labels:
images: images:
tags: tags:
apache_proxy: docker.io/httpd:2.4 apache_proxy: docker.io/httpd:2.4
kibana: docker.io/kibana:5.6.4 kibana: docker.elastic.co/kibana/kibana-oss:7.1.0
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0 image_repo_sync: docker.io/docker:17.07.0
register_kibana_indexes: docker.io/openstackhelm/heat:newton-ubuntu_xenial register_kibana_indexes: docker.io/openstackhelm/heat:newton-ubuntu_xenial
@ -38,17 +38,19 @@ pod:
security_context: security_context:
dashboard: dashboard:
pod: pod:
runAsUser: 999 runAsUser: 1000
container: container:
apache_proxy: apache_proxy:
runAsUser: 0 runAsUser: 0
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
kibana: kibana:
fsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: false
register_kibana_indexes: register_kibana_indexes:
pod: pod:
runAsUser: 999 runAsUser: 1000
container: container:
register_kibana_indexes: register_kibana_indexes:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@ -250,7 +252,6 @@ conf:
startupTimeout: 5000 startupTimeout: 5000
kibana: kibana:
defaultAppId: discover defaultAppId: discover
index: .kibana
logging: logging:
quiet: false quiet: false
silent: false silent: false
@ -258,13 +259,16 @@ conf:
ops: ops:
interval: 5000 interval: 5000
server: server:
rewriteBasePath: false
host: localhost host: localhost
name: kibana
maxPayloadBytes: 1048576 maxPayloadBytes: 1048576
port: 5601 port: 5601
ssl: ssl:
enabled: false enabled: false
create_kibana_indexes: create_kibana_indexes:
enabled: true enabled: true
version: 7.1.0
indexes: indexes:
- logstash - logstash
- openstack - openstack
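Review bot: `readOnlyRootFilesystem` for the `kibana` container goes from `true` to `false`, which gives up a hardening control the previous chart had. The deployment template in this commit already adds emptyDir mounts for `/usr/share/kibana/config` and `/usr/share/kibana/optimize`; if 7.1.0 still writes elsewhere (the data directory is a likely candidate, to be confirmed), mounting an emptyDir there and keeping `readOnlyRootFilesystem: true` preserves the restriction. Separately, `fsGroup: 1000` appears to sit in the container-level `kibana:` block, although indentation is lost in this view. `fsGroup` is a pod-level securityContext field, so it belongs beside `runAsUser: 1000` under `pod:`.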


@ -316,7 +316,7 @@ data:
secret_key: ${RADOSGW_S3_ELASTICSEARCH_SECRET_KEY} secret_key: ${RADOSGW_S3_ELASTICSEARCH_SECRET_KEY}
pod: pod:
replicas: replicas:
data: 1 data: 2
master: 2 master: 2
labels: labels:
elasticsearch: elasticsearch:
@ -341,7 +341,6 @@ data:
settings: settings:
number_of_shards: 1 number_of_shards: 1
mappings: mappings:
syslog:
properties: properties:
cluster: cluster:
type: keyword type: keyword
@ -359,7 +358,6 @@ data:
settings: settings:
number_of_shards: 1 number_of_shards: 1
mappings: mappings:
oslo_openstack_fluentd:
properties: properties:
extra: extra:
properties: properties:
@ -387,7 +385,6 @@ data:
settings: settings:
number_of_shards: 1 number_of_shards: 1
mappings: mappings:
docker_fluentd:
properties: properties:
kubernetes: kubernetes:
properties: properties:
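Review bot: In the replicas hunk, `master: 2` is kept next to the `data: 1` to `data: 2` change, and under the 7.x cluster coordination a cluster with two master-eligible nodes cannot reliably tolerate losing either of them. If this override is meant to model a resilient deployment, `master: 3` is the smallest count that survives one failure; if it is only gate or test sizing, a comment saying so would help. The same pairing appears in the two later replica overrides on this page.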


@ -26,7 +26,7 @@ jobs:
cron: "*/3 * * * *" cron: "*/3 * * * *"
pod: pod:
replicas: replicas:
data: 1 data: 2
master: 2 master: 2
conf: conf:
elasticsearch: elasticsearch:


@ -29,7 +29,7 @@ monitoring:
enabled: true enabled: true
pod: pod:
replicas: replicas:
data: 1 data: 2
master: 2 master: 2
conf: conf:
elasticsearch: elasticsearch: