Elasticsearch, Fluent-logging, Kibana Ingress Policy

This adds ingress network policy for the fluent-logging, kibana
and Elasticsearch charts. This leverages the helm-toolkit template
that was used in openstack-helm for the openstack services.

Change-Id: I2a89b62f1002851346e9a25de40113078e9c518f
Steve Wilkerson 2019-01-30 16:02:39 -06:00
parent 8f7acd5ebc
commit 2e8c96a623
18 changed files with 281 additions and 47 deletions


@ -27,17 +27,17 @@ kind: Deployment
metadata: metadata:
name: prometheus-elasticsearch-exporter name: prometheus-elasticsearch-exporter
labels: labels:
{{ tuple $envAll "elasticsearch" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec: spec:
replicas: {{ .Values.pod.replicas.prometheus_elasticsearch_exporter }} replicas: {{ .Values.pod.replicas.prometheus_elasticsearch_exporter }}
selector: selector:
matchLabels: matchLabels:
{{ tuple $envAll "elasticsearch" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} {{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
template: template:
metadata: metadata:
labels: labels:
{{ tuple $envAll "elasticsearch" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec: spec:
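Review bot: The label rename on the `selector.matchLabels` line (the fifth line of this hunk) changes the Deployment's selector, and if this object is `apps/v1` (the apiVersion is outside the hunk) `spec.selector` is immutable, so `helm upgrade` of an existing release will fail on this resource. The same rename is made in the prometheus-fluentd-exporter Deployment hunk. If the rename is needed so the new NetworkPolicy's `application: prometheus-elasticsearch-exporter` selector matches these pods, the commit message or a release note should say that the exporter Deployment has to be deleted (or the release reinstalled) before upgrading.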


@ -0,0 +1,20 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.monitoring.prometheus.network_policy_exporter .Values.monitoring.prometheus.enabled -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-elasticsearch-exporter" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}
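Review bot: This policy is rendered only when `manifests.monitoring.prometheus.network_policy_exporter` is true, and that flag defaults to `false` in the values hunk, so a deployment that sets `manifests.network_policy: true` still leaves the exporter pod with no NetworkPolicy selecting it, which in Kubernetes means all ingress is allowed. That split may be deliberate, but it is easy to miss; a comment above the `if`, such as `{{/* Exporter policy is gated separately from manifests.network_policy; set network_policy_exporter in values to restrict access to the metrics port */}}`, or gating on both flags, would make it explicit. The same applies to the fluent-logging exporter template.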


@ -23,7 +23,7 @@ kind: Service
metadata: metadata:
name: {{ tuple "prometheus_elasticsearch_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} name: {{ tuple "prometheus_elasticsearch_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
labels: labels:
{{ tuple $envAll "elasticsearch-exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "prometheus-elasticsearch-exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations: annotations:
{{- if .Values.monitoring.prometheus.enabled }} {{- if .Values.monitoring.prometheus.enabled }}
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }} {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }}
@ -33,5 +33,5 @@ spec:
- name: metrics - name: metrics
port: {{ tuple "prometheus_elasticsearch_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple "prometheus_elasticsearch_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
selector: selector:
{{ tuple $envAll "elasticsearch" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- end }} {{- end }}


@ -249,6 +249,14 @@ pod:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
network_policy:
elasticsearch:
ingress:
- {}
prometheus-elasticsearch-exporter:
ingress:
- {}
secrets: secrets:
rgw: rgw:
admin: radosgw-s3-admin-creds admin: radosgw-s3-admin-creds
@ -703,6 +711,7 @@ manifests:
prometheus: prometheus:
configmap_bin_exporter: true configmap_bin_exporter: true
deployment_exporter: true deployment_exporter: true
network_policy_exporter: false
service_exporter: true service_exporter: true
network_policy: false network_policy: false
service_data: true service_data: true
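Review bot: The default `ingress:` entries added under `network_policy` each hold a single empty rule (`- {}`), which matches every source and every port, so a deployment that enables `manifests.network_policy: true` without overriding these values gets a NetworkPolicy that restricts nothing. That is a defensible chart default, but it should be stated next to the values, e.g. `# NOTE: an empty rule ({}) permits all ingress; override per deployment to restrict sources and ports` above `network_policy:`. The same allow-all defaults appear in the fluent-logging and kibana values hunks.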


@ -33,7 +33,7 @@ spec:
template: template:
metadata: metadata:
labels: labels:
{{ tuple $envAll "fluent" "elasticsearch-template" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "fluentd" "elasticsearch-template" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec: spec:
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure restartPolicy: OnFailure


@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
{{- if and .Values.manifests.monitoring.prometheus.configmap_bin .Values.monitoring.prometheus.enabled }} {{- if and .Values.manifests.monitoring.prometheus.configmap_bin_exporter .Values.monitoring.prometheus.enabled }}
{{- $envAll := . }} {{- $envAll := . }}
--- ---
apiVersion: v1 apiVersion: v1
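Review bot: Renaming the toggle from `manifests.monitoring.prometheus.configmap_bin` to `configmap_bin_exporter` means any existing override of the old key silently stops having an effect, since Helm does not warn about unknown values keys. The rename is consistent with the sibling `*_exporter` toggles, so it is reasonable, but it should be called out in the commit message or a release note so operators carrying their own values files update them.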


@ -29,17 +29,17 @@ kind: Deployment
metadata: metadata:
name: prometheus-fluentd-exporter name: prometheus-fluentd-exporter
labels: labels:
{{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec: spec:
replicas: {{ .Values.pod.replicas.prometheus_fluentd_exporter }} replicas: {{ .Values.pod.replicas.prometheus_fluentd_exporter }}
selector: selector:
matchLabels: matchLabels:
{{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} {{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
template: template:
metadata: metadata:
labels: labels:
{{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}


@ -0,0 +1,20 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.monitoring.prometheus.network_policy_exporter .Values.monitoring.prometheus.enabled -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-fluentd-exporter" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}
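Review bot: The `$netpol_opts` assignment here ends with `}}` while the equivalent elasticsearch exporter template ends the same line with `-}}`, so this file renders with an extra blank line before the manifest; harmless to Kubernetes, but the two sibling files should match. Use `{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-fluentd-exporter" -}}`.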


@ -23,7 +23,7 @@ kind: Service
metadata: metadata:
name: {{ tuple "prometheus_fluentd_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} name: {{ tuple "prometheus_fluentd_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
labels: labels:
{{ tuple $envAll "prometheus_fluentd_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "prometheus-fluentd-exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations: annotations:
{{- if .Values.monitoring.prometheus.enabled }} {{- if .Values.monitoring.prometheus.enabled }}
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }} {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }}
@ -33,5 +33,5 @@ spec:
- name: metrics - name: metrics
port: {{ tuple "prometheus_fluentd_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple "prometheus_fluentd_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
selector: selector:
{{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- end }} {{- end }}


@ -14,12 +14,6 @@ See the License for the specific language governing permissions and
limitations under the License. */}} limitations under the License. */}}
{{- if .Values.manifests.network_policy -}} {{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "fluentbit" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluentd" }} {{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluentd" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} {{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent-logging" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}} {{- end -}}
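Review bot: Dropping the `fluentbit` policy (together with the `fluent` and `fluent-logging` ones) leaves the fluent-bit pods with no NetworkPolicy selecting them, which in Kubernetes means unrestricted ingress rather than denied ingress; the deploy script's new rules only list fluentbit as an allowed source to fluentd, nothing restricts what can reach fluent-bit itself. If that is intentional because the collector exposes nothing worth protecting, a one-line comment above the remaining `fluentd` policy saying so would stop the next reader from re-adding it; otherwise keep `{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluentbit" }}` with its include and add a matching `fluentbit:` entry under `network_policy` in values, which is presumably where the toolkit template reads the rules from.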


@ -26,7 +26,7 @@ kind: Pod
metadata: metadata:
name: "{{.Release.Name}}-test" name: "{{.Release.Name}}-test"
labels: labels:
{{ tuple $envAll "fluent-logging" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "fluentd" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations: annotations:
"helm.sh/hook": test-success "helm.sh/hook": test-success
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}


@ -570,6 +570,14 @@ network:
enabled: false enabled: false
port: 32329 port: 32329
network_policy:
prometheus-fluentd-exporter:
ingress:
- {}
fluentd:
ingress:
- {}
pod: pod:
security_context: security_context:
fluentd: fluentd:
@ -678,8 +686,9 @@ manifests:
helm_tests: true helm_tests: true
monitoring: monitoring:
prometheus: prometheus:
configmap_bin: true configmap_bin_exporter: true
deployment_exporter: true deployment_exporter: true
network_policy_exporter: false
service_exporter: true service_exporter: true
network_policy: false network_policy: false
secret_elasticsearch: true secret_elasticsearch: true


@ -83,6 +83,11 @@ pod:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
network_policy:
kibana:
ingress:
- {}
secrets: secrets:
elasticsearch: elasticsearch:
user: kibana-elasticsearch-user user: kibana-elasticsearch-user


@ -21,9 +21,46 @@ make elasticsearch
#NOTE: Deploy command #NOTE: Deploy command
tee /tmp/elasticsearch.yaml << EOF tee /tmp/elasticsearch.yaml << EOF
monitoring: network_policy:
prometheus: prometheus-elasticsearch-exporter:
enabled: true ingress:
- from:
- podSelector:
matchLabels:
application: prometheus
ports:
- protocol: TCP
port: 9108
elasticsearch:
ingress:
- from:
- podSelector:
matchLabels:
application: elasticsearch
- podSelector:
matchLabels:
application: prometheus-elasticsearch-exporter
- podSelector:
matchLabels:
application: fluentd
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: kibana
- podSelector:
matchLabels:
application: nagios
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
- protocol: TCP
port: 9200
- protocol: TCP
port: 9300
pod: pod:
replicas: replicas:
data: 1 data: 1
@ -53,12 +90,14 @@ conf:
timestring: '%Y.%m.%d' timestring: '%Y.%m.%d'
unit: days unit: days
unit_count: 365 unit_count: 365
monitoring:
prometheus:
enabled: true
manifests: manifests:
network_policy: true network_policy: true
network_policy: monitoring:
elasticsearch: prometheus:
ingress: network_policy_exporter: true
- from:
EOF EOF
helm upgrade --install elasticsearch ./elasticsearch \ helm upgrade --install elasticsearch ./elasticsearch \


@ -19,30 +19,153 @@ set -xe
#NOTE: Lint and package chart #NOTE: Lint and package chart
make fluent-logging make fluent-logging
tee /tmp/fluent-logging.yaml <<EOF if [ ! -d "/var/log/journal" ]; then
tee /tmp/fluent-logging.yaml << EOF
pod:
replicas:
fluentd: 1
monitoring:
prometheus:
enabled: true
manifests: manifests:
network_policy: true network_policy: true
network_policy: monitoring:
prometheus:
network_policy_exporter: true
mounts:
fluentbit: fluentbit:
fluentbit:
volumes:
- name: runlog
hostPath:
path: /run/log
volumeMounts:
- name: runlog
mountPath: /run/log
network_policy:
prometheus-fluentd-exporter:
ingress: ingress:
- from: - from:
- podSelector:
matchLabels:
application: prometheus
ports:
- protocol: TCP
port: 9309
fluentd: fluentd:
ingress: ingress:
- from: - from:
fluent: - podSelector:
ingress: matchLabels:
- from: application: fluentbit
fluent-logging: - podSelector:
ingress: matchLabels:
- from: application: prometheus-fluentd-exporter
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: placement
ports:
- protocol: TCP
port: 24224
- protocol: TCP
port: 24220
EOF EOF
#NOTE: Deploy command
helm upgrade --install fluent-logging ./fluent-logging \ helm upgrade --install fluent-logging ./fluent-logging \
--namespace=osh-infra \ --namespace=osh-infra \
--values=/tmp/fluent-logging.yaml \ --values=/tmp/fluent-logging.yaml
--set pod.replicas.fluentd=1 else
tee /tmp/fluent-logging.yaml << EOF
pod:
replicas:
fluentd: 1
monitoring:
prometheus:
enabled: true
manifests:
network_policy: true
monitoring:
prometheus:
network_policy_exporter: true
network_policy:
prometheus-fluentd-exporter:
ingress:
- from:
- podSelector:
matchLabels:
application: prometheus
ports:
- protocol: TCP
port: 9309
fluentd:
ingress:
- from:
- podSelector:
matchLabels:
application: fluentbit
- podSelector:
matchLabels:
application: prometheus-fluentd-exporter
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: placement
ports:
- protocol: TCP
port: 24224
- protocol: TCP
port: 24220
EOF
helm upgrade --install fluent-logging ./fluent-logging \
--namespace=osh-infra \
--values=/tmp/fluent-logging.yaml
fi
#NOTE: Wait for deploy #NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra ./tools/deployment/common/wait-for-pods.sh osh-infra
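Review bot: The fluentd ingress rule lists keystone, heat, glance, cinder, barbican, ironic, nova, neutron and placement as bare `podSelector` entries, but a `from` item that has only a `podSelector` matches pods in the policy's own namespace (`osh-infra` here); if those services run in the `openstack` namespace, as the `openstack-metrics.openstack.svc.cluster.local` target in the netpol test script suggests, none of those entries admit any traffic and OpenStack log shipping to fluentd on 24224 is blocked once `manifests.network_policy` is enabled. Each cross-namespace source needs a `namespaceSelector` combined with its `podSelector` in the same list item, as sketched below. The two branches of the new `if [ ! -d "/var/log/journal" ]` block also duplicate the entire values document, differing only in the `mounts` stanza; writing the common values once and appending the `mounts` block inside the conditional would keep the two copies of the policy from drifting. The if/fi block is complete within the hunk.
```yaml
      - namespaceSelector:
          matchLabels:
            <namespace-label-key>: openstack  # placeholder: use the label actually set on the openstack namespace
        podSelector:
          matchLabels:
            application: keystone
      # … unchanged: the other OpenStack sources follow the same namespaceSelector + podSelector shape …
```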


@ -19,27 +19,35 @@ set -xe
#NOTE: Lint and package chart #NOTE: Lint and package chart
make kibana make kibana
tee /tmp/kibana.yaml <<EOF #NOTE: Deploy command
manifests: tee /tmp/kibana.yaml << EOF
network_policy: true
network_policy: network_policy:
kibana: kibana:
ingress: ingress:
- from: - from:
- podSelector:
matchLabels:
application: elasticsearch
- podSelector: - podSelector:
matchLabels: matchLabels:
application: kibana application: kibana
- podSelector:
matchLabels:
application: ingress
ports: ports:
- protocol: TCP
port: 5601
- protocol: TCP - protocol: TCP
port: 80 port: 80
- protocol: TCP
port: 443
- protocol: TCP
port: 5601
manifests:
network_policy: true
EOF EOF
#NOTE: Deploy command
helm upgrade --install kibana ./kibana \ helm upgrade --install kibana ./kibana \
--namespace=osh-infra \ --namespace=osh-infra \
--values=/tmp/kibana.yaml --values=/tmp/kibana.yaml
#NOTE: Wait for deploy #NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra ./tools/deployment/common/wait-for-pods.sh osh-infra


@ -55,6 +55,13 @@ test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb server openstack-metrics.openstack.svc.cluster.local:9103 fail test_netpol osh-infra mariadb server openstack-metrics.openstack.svc.cluster.local:9103 fail
test_netpol osh-infra mariadb server kibana.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb server fluentd-logging.osh-infra.svc.cluster.local:24224 fail
test_netpol osh-infra fluentbit daemon prometheus.osh-infra.svc.cluster.local fail
# Doing positive tests # Doing positive tests
test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
test_netpol osh-infra elasticsearch client kibana-dash.osh-infra.svc.cluster.local success
test_netpol osh-infra fluentd internal elasticsearch-logging.osh-infra.svc.cluster.local success
test_netpol osh-infra prometheus api fluentd-exporter.osh-infra.svc.cluster.local:9309/metrics success
test_netpol osh-infra prometheus api elasticsearch-exporter.osh-infra.svc.cluster.local:9108/metrics success
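Review bot: The new negative tests cover mariadb→kibana, mariadb→fluentd and fluentbit→prometheus, but nothing exercises either exporter policy from a disallowed source, so a regression that leaves the exporters on the allow-all `- {}` default would still pass this script. Adding `test_netpol osh-infra mariadb server fluentd-exporter.osh-infra.svc.cluster.local:9309 fail` and `test_netpol osh-infra mariadb server elasticsearch-exporter.osh-infra.svc.cluster.local:9108 fail` beside the other negative cases would close that gap. The fluentd negative test targets `fluentd-logging.osh-infra...`, a name that differs from the `elasticsearch-logging` and `fluentd-exporter` pattern used in the positive cases; worth confirming it resolves, since a target that never resolves would likely report `fail` regardless of policy and make the test pass vacuously.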