From 2e8c96a6232f53f3392b19eebaf0c33d26134ff0 Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Wed, 30 Jan 2019 16:02:39 -0600
Subject: [PATCH] Elasticsearch, Fluent-logging, Kibana Ingress Policy

This adds ingress network policy for the fluent-logging, kibana and Elasticsearch charts. This leverages the helm-toolkit template that was used in openstack-helm for the openstack services

Change-Id: I2a89b62f1002851346e9a25de40113078e9c518f
---
 .../prometheus/exporter-deployment.yaml | 6 +-
 .../prometheus/exporter-network-policy.yaml | 20 +++
 .../prometheus/exporter-service.yaml | 4 +-
 ...etwork_policy.yaml => network-policy.yaml} | 0
 elasticsearch/values.yaml | 9 ++
 .../templates/job-elasticsearch-template.yaml | 2 +-
 .../prometheus/exporter-configmap-bin.yaml | 2 +-
 .../prometheus/exporter-deployment.yaml | 6 +-
 .../prometheus/exporter-network-policy.yaml | 20 +++
 .../prometheus/exporter-service.yaml | 4 +-
 ...etwork_policy.yaml => network-policy.yaml} | 6 -
 fluent-logging/templates/pod-helm-tests.yaml | 2 +-
 fluent-logging/values.yaml | 11 +-
 kibana/values.yaml | 5 +
 .../network-policy/120-elasticsearch.sh | 53 ++++++-
 .../network-policy/130-fluent-logging.sh | 149 ++++++++++++++++--
 tools/deployment/network-policy/140-kibana.sh | 22 ++-
 .../network-policy/901-test-networkpolicy.sh | 7 +
 18 files changed, 281 insertions(+), 47 deletions(-)
 create mode 100644 elasticsearch/templates/monitoring/prometheus/exporter-network-policy.yaml
 rename elasticsearch/templates/{network_policy.yaml => network-policy.yaml} (100%)
 create mode 100644 fluent-logging/templates/monitoring/prometheus/exporter-network-policy.yaml
 rename fluent-logging/templates/{network_policy.yaml => network-policy.yaml} (62%)

diff --git a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
index 463942b94..18253e154 100644
--- a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -27,17 +27,17 @@ kind: Deployment
 metadata:
 name: prometheus-elasticsearch-exporter
 labels:
-{{ tuple $envAll "elasticsearch" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
 replicas: {{ .Values.pod.replicas.prometheus_elasticsearch_exporter }}
 selector:
 matchLabels:
-{{ tuple $envAll "elasticsearch" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
 {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
 template:
 metadata:
 labels:
-{{ tuple $envAll "elasticsearch" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 spec:
diff --git a/elasticsearch/templates/monitoring/prometheus/exporter-network-policy.yaml b/elasticsearch/templates/monitoring/prometheus/exporter-network-policy.yaml
new file mode 100644
index 000000000..ff274c7ed
--- /dev/null
+++ b/elasticsearch/templates/monitoring/prometheus/exporter-network-policy.yaml
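Review bot: Changing the label tuple on the `indent 6` line alters `spec.selector.matchLabels` of an already-deployed Deployment, which apps/v1 rejects as immutable, so a `helm upgrade` of a release that already runs this exporter would fail instead of rolling the pods; the `apiVersion` sits above the hunk, so the API version is inferred. The same selector change is made to fluent-logging's exporter-deployment.yaml later in this patch. If the new `application: prometheus-elasticsearch-exporter` value is needed so the new exporter NetworkPolicy can select these pods, the commit message should state that existing releases must be removed and reinstalled, and a note next to `network_policy_exporter` in values.yaml would help operators, e.g. `# exporter pods are now labelled application: prometheus-elasticsearch-exporter; upgrading an existing release requires a reinstall because the Deployment selector changed`.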
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.monitoring.prometheus.network_policy_exporter .Values.monitoring.prometheus.enabled -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-elasticsearch-exporter" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/elasticsearch/templates/monitoring/prometheus/exporter-service.yaml b/elasticsearch/templates/monitoring/prometheus/exporter-service.yaml
index 1d04b4aa5..8e471a31f 100644
--- a/elasticsearch/templates/monitoring/prometheus/exporter-service.yaml
+++ b/elasticsearch/templates/monitoring/prometheus/exporter-service.yaml
@@ -23,7 +23,7 @@ kind: Service
 metadata:
 name: {{ tuple "prometheus_elasticsearch_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 labels:
-{{ tuple $envAll "elasticsearch-exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "prometheus-elasticsearch-exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 annotations:
 {{- if .Values.monitoring.prometheus.enabled }}
 {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }}
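Review bot: The two new exporter network-policy templates are near-identical but chomp whitespace differently: the `$netpol_opts` assignment here closes with `-}}`, while the fluent-logging copy later in this patch closes with `}}`, so one renders the included policy flush after the `if` and the other emits a blank line first. Pick one form for both; the fluent-logging network-policy.yaml visible further down uses `}}`, so `{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-elasticsearch-exporter" }}` would match existing chart style. The header also reads `Copyright 2017` on a file created in 2019, whereas the fluent-logging copy says `2017-2018`; a consistent, current year is a small documentation fix.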
@@ -33,5 +33,5 @@ spec:
 - name: metrics
 port: {{ tuple "prometheus_elasticsearch_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 selector:
-{{ tuple $envAll "elasticsearch" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 {{- end }}
diff --git a/elasticsearch/templates/network_policy.yaml b/elasticsearch/templates/network-policy.yaml
similarity index 100%
rename from elasticsearch/templates/network_policy.yaml
rename to elasticsearch/templates/network-policy.yaml
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 59c5f0ca9..fa74c74e7 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -249,6 +249,14 @@ pod:
 memory: "1024Mi"
 cpu: "2000m"
+network_policy:
+ elasticsearch:
+ ingress:
+ - {}
+ prometheus-elasticsearch-exporter:
+ ingress:
+ - {}
+

 secrets:
 rgw:
 admin: radosgw-s3-admin-creds
@@ -703,6 +711,7 @@ manifests:
 prometheus:
 configmap_bin_exporter: true
 deployment_exporter: true
+ network_policy_exporter: false
 service_exporter: true
 network_policy: false
 service_data: true
diff --git a/fluent-logging/templates/job-elasticsearch-template.yaml b/fluent-logging/templates/job-elasticsearch-template.yaml
index 406daf015..ef60ecd28 100644
--- a/fluent-logging/templates/job-elasticsearch-template.yaml
+++ b/fluent-logging/templates/job-elasticsearch-template.yaml
@@ -33,7 +33,7 @@ spec:
 template:
 metadata:
 labels:
-{{ tuple $envAll "fluent" "elasticsearch-template" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{ tuple $envAll "fluentd" "elasticsearch-template" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
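Review bot: The default `ingress: - {}` under each new `network_policy` entry in elasticsearch/values.yaml is an allow-all rule (an empty rule object matches every peer on every port), so turning on `manifests.network_policy` or `network_policy_exporter` without overriding these values yields a NetworkPolicy that isolates nothing; the same defaults are added to fluent-logging/values.yaml and kibana/values.yaml later in this patch. That is presumably deliberate, and it looks like the helm-toolkit template renders this list verbatim as the policy's ingress rules (the template is not in this diff), but an operator should be told where they will read it, e.g. above `network_policy:` add `# An empty rule ({}) allows all ingress; restrict peers and ports per deployment, see tools/deployment/network-policy/120-elasticsearch.sh for an example`. The hyphenated key `prometheus-elasticsearch-exporter` cannot be reached with Go-template dot notation, so the toolkit must look it up with `index`; worth confirming it does before relying on it.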
diff --git a/fluent-logging/templates/monitoring/prometheus/exporter-configmap-bin.yaml b/fluent-logging/templates/monitoring/prometheus/exporter-configmap-bin.yaml
index 584ae5a1b..2f6c8f58b 100644
--- a/fluent-logging/templates/monitoring/prometheus/exporter-configmap-bin.yaml
+++ b/fluent-logging/templates/monitoring/prometheus/exporter-configmap-bin.yaml
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

-{{- if and .Values.manifests.monitoring.prometheus.configmap_bin .Values.monitoring.prometheus.enabled }}
+{{- if and .Values.manifests.monitoring.prometheus.configmap_bin_exporter .Values.monitoring.prometheus.enabled }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
diff --git a/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml b/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml
index d35be2b5e..65caec9bc 100644
--- a/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml
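Review bot: Renaming the manifest toggle from `configmap_bin` to `configmap_bin_exporter` silently breaks any operator override that still sets `manifests.monitoring.prometheus.configmap_bin`: the old key is ignored and the new one takes the chart default, which the fluent-logging/values.yaml hunk below sets to `true`, so an override intended to disable the exporter ConfigMap no longer does. A template-level fallback cannot express "the old key, when present, wins", so the rename should at least be called out in the commit message and annotated in values.yaml, e.g. `# renamed from configmap_bin; the old key is no longer honoured`. The `if` block opened on the changed line closes outside this hunk.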
@@ -29,17 +29,17 @@ kind: Deployment
 metadata:
 name: prometheus-fluentd-exporter
 labels:
-{{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
 replicas: {{ .Values.pod.replicas.prometheus_fluentd_exporter }}
 selector:
 matchLabels:
-{{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
 {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
 template:
 metadata:
 labels:
-{{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/fluent-logging/templates/monitoring/prometheus/exporter-network-policy.yaml b/fluent-logging/templates/monitoring/prometheus/exporter-network-policy.yaml
new file mode 100644
index 000000000..b101d9fd5
--- /dev/null
+++ b/fluent-logging/templates/monitoring/prometheus/exporter-network-policy.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.monitoring.prometheus.network_policy_exporter .Values.monitoring.prometheus.enabled -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-fluentd-exporter" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/fluent-logging/templates/monitoring/prometheus/exporter-service.yaml b/fluent-logging/templates/monitoring/prometheus/exporter-service.yaml
index 4c829682b..db6fdce04 100644
--- a/fluent-logging/templates/monitoring/prometheus/exporter-service.yaml
+++ b/fluent-logging/templates/monitoring/prometheus/exporter-service.yaml
@@ -23,7 +23,7 @@ kind: Service
 metadata:
 name: {{ tuple "prometheus_fluentd_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 labels:
-{{ tuple $envAll "prometheus_fluentd_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "prometheus-fluentd-exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 annotations:
 {{- if .Values.monitoring.prometheus.enabled }}
 {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }}
@@ -33,5 +33,5 @@ spec:
 - name: metrics
 port: {{ tuple "prometheus_fluentd_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 selector:
-{{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 {{- end }}
diff --git a/fluent-logging/templates/network_policy.yaml b/fluent-logging/templates/network-policy.yaml
similarity index 62%
rename from fluent-logging/templates/network_policy.yaml
rename to fluent-logging/templates/network-policy.yaml
index 5391bdfc1..b16d48764 100644
--- a/fluent-logging/templates/network_policy.yaml
+++ b/fluent-logging/templates/network-policy.yaml
@@ -14,12 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 {{- if .Values.manifests.network_policy -}}
-{{- $netpol_opts := dict "envAll" . "name" "application" "label" "fluentbit" }}
-{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
 {{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluentd" }}
 {{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
-{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent" }}
-{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
-{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent-logging" }}
-{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
 {{- end -}}
diff --git a/fluent-logging/templates/pod-helm-tests.yaml b/fluent-logging/templates/pod-helm-tests.yaml
index 6d762d57b..74853e5d5 100644
--- a/fluent-logging/templates/pod-helm-tests.yaml
+++ b/fluent-logging/templates/pod-helm-tests.yaml
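Review bot: Dropping the `fluentbit` policy in fluent-logging/network-policy.yaml means pods labelled `application: fluentbit` are no longer selected by any NetworkPolicy this chart renders, and Kubernetes treats an unselected pod as non-isolated, so `manifests.network_policy: true` now governs fluentd only; the fluentbit workload is not in this diff, so whether it still exists is inferred. If fluentbit needs no ingress at all, a policy whose rule list is empty would be the least-privilege choice, assuming the toolkit renders `ingress: []` as-is; if leaving it uncovered is intended, say so in fluent-logging/values.yaml, e.g. `# only fluentd (and the exporter) get a NetworkPolicy; fluentbit pods are not selected by any policy`. The removed `fluent` and `fluent-logging` entries are consistent with the relabelling of the template job and test pod to `fluentd` elsewhere in this patch.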
@@ -26,7 +26,7 @@ kind: Pod
 metadata:
 name: "{{.Release.Name}}-test"
 labels:
-{{ tuple $envAll "fluent-logging" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "fluentd" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 annotations:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
diff --git a/fluent-logging/values.yaml b/fluent-logging/values.yaml
index 18210d992..5c043cb63 100644
--- a/fluent-logging/values.yaml
+++ b/fluent-logging/values.yaml
@@ -570,6 +570,14 @@ network:
 enabled: false
 port: 32329
+network_policy:
+ prometheus-fluentd-exporter:
+ ingress:
+ - {}
+ fluentd:
+ ingress:
+ - {}
+

 pod:
 security_context:
 fluentd:
@@ -678,8 +686,9 @@ manifests:
 helm_tests: true
 monitoring:
 prometheus:
- configmap_bin: true
+ configmap_bin_exporter: true
 deployment_exporter: true
+ network_policy_exporter: false
 service_exporter: true
 network_policy: false
 secret_elasticsearch: true
diff --git a/kibana/values.yaml b/kibana/values.yaml
index 2a6094076..89b1a579c 100644
--- a/kibana/values.yaml
+++ b/kibana/values.yaml
@@ -83,6 +83,11 @@ pod:
 memory: "1024Mi"
 cpu: "2000m"
+network_policy:
+ kibana:
+ ingress:
+ - {}
+

 secrets:
 elasticsearch:
 user: kibana-elasticsearch-user
diff --git a/tools/deployment/network-policy/120-elasticsearch.sh b/tools/deployment/network-policy/120-elasticsearch.sh
index 0f2aa2a28..fd1517808 100755
--- a/tools/deployment/network-policy/120-elasticsearch.sh
+++ b/tools/deployment/network-policy/120-elasticsearch.sh
@@ -21,9 +21,46 @@ make elasticsearch
 #NOTE: Deploy command
 tee /tmp/elasticsearch.yaml << EOF
-monitoring:
- prometheus:
- enabled: true
+network_policy:
+ prometheus-elasticsearch-exporter:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: prometheus
+ ports:
+ - protocol: TCP
+ port: 9108
+ elasticsearch:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: elasticsearch
+ - podSelector:
+ matchLabels:
+ application: prometheus-elasticsearch-exporter
+ - podSelector:
+ matchLabels:
+ application: fluentd
+ - podSelector:
+ matchLabels:
+ application: ingress
+ - podSelector:
+ matchLabels:
+ application: kibana
+ - podSelector:
+ matchLabels:
+ application: nagios
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 9200
+ - protocol: TCP
+ port: 9300
 pod:
 replicas:
 data: 1
@@ -53,12 +90,14 @@ conf:
 timestring: '%Y.%m.%d'
 unit: days
 unit_count: 365
+monitoring:
+ prometheus:
+ enabled: true
 manifests:
 network_policy: true
-network_policy:
- elasticsearch:
- ingress:
- - from:
+ monitoring:
+ prometheus:
+ network_policy_exporter: true
 EOF
 helm upgrade --install elasticsearch ./elasticsearch \
diff --git a/tools/deployment/network-policy/130-fluent-logging.sh b/tools/deployment/network-policy/130-fluent-logging.sh
index 3adb4e851..08259c6f2 100755
--- a/tools/deployment/network-policy/130-fluent-logging.sh
+++ b/tools/deployment/network-policy/130-fluent-logging.sh
@@ -19,30 +19,153 @@ set -xe
 #NOTE: Lint and package chart
 make fluent-logging
-tee /tmp/fluent-logging.yaml <
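Review bot: The `elasticsearch` ingress rule in the first 120-elasticsearch.sh hunk grants every listed peer — fluentd, kibana, nagios, the ingress controller and the exporter — TCP 9300 as well as 80/443/9200, because one `from` list is paired with one `ports` list; 9300 is the transport port exchanged between elasticsearch nodes, so none of the other peers should need it. Splitting the rule in two keeps 9300 to `application: elasticsearch` and leaves the HTTP ports for the rest, which matches how the exporter rule just above already scopes prometheus to 9108 alone. The heredoc continues past the hunk with `pod:` and the rest of the overrides, and the second hunk of this file only turns the manifests on. The rewritten heredoc lines (values for `elasticsearch:` under `network_policy:`):

```yaml
  elasticsearch:
    ingress:
      # transport port: only other elasticsearch nodes need it
      - from:
          - podSelector:
              matchLabels:
                application: elasticsearch
        ports:
          - protocol: TCP
            port: 9300
      # HTTP API and the proxy ports for the remaining clients
      - from:
          # … unchanged: the six podSelector entries (elasticsearch, prometheus-elasticsearch-exporter, fluentd, ingress, kibana, nagios) …
        ports:
          - protocol: TCP
            port: 80
          - protocol: TCP
            port: 443
          - protocol: TCP
            port: 9200
```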