diff --git a/fluentbit/values_overrides/apparmor.yaml b/fluentbit/values_overrides/apparmor.yaml
new file mode 100644
index 000000000..2b99c1b60
--- /dev/null
+++ b/fluentbit/values_overrides/apparmor.yaml
@@ -0,0 +1,5 @@
+pod:
+ mandatory_access_control:
+ type: apparmor
+ fluentbit:
+ fluentbit: runtime/default
diff --git a/fluentd/templates/deployment-fluentd.yaml b/fluentd/templates/deployment-fluentd.yaml
index 69bf167bf..32100f52c 100644
--- a/fluentd/templates/deployment-fluentd.yaml
+++ b/fluentd/templates/deployment-fluentd.yaml
@@ -100,6 +100,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "fluentd" "containerNames" (list "fluentd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "fluentd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $rcControllerName | quote }}
diff --git a/fluentd/values_overrides/apparmor.yaml b/fluentd/values_overrides/apparmor.yaml
new file mode 100644
index 000000000..c94b98eb2
--- /dev/null
+++ b/fluentd/values_overrides/apparmor.yaml
@@ -0,0 +1,11 @@
+pod:
+ mandatory_access_control:
+ type: apparmor
+ fluentd:
+ fluentd: runtime/default
+ fluentd-daemonset-fluentd-exporter:
+ fluentd-exporter: runtime/default
+ init: runtime/default
+monitoring:
+ prometheus:
+ enabled: true
diff --git a/tools/deployment/common/fluentd-daemonset.sh b/tools/deployment/common/fluentd-daemonset.sh
index 985a2a5f4..e523e3f8c 100755
--- a/tools/deployment/common/fluentd-daemonset.sh
+++ b/tools/deployment/common/fluentd-daemonset.sh
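Review bot: In fluentbit/values_overrides/apparmor.yaml the new `pod.mandatory_access_control` values only take effect if the fluentbit pod template renders the `helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation` snippet with `podName` `fluentbit` and a container named `fluentbit`; this commit adds that include for fluentd but shows no fluentbit template change. If the fluentbit template does not already carry the include, the override is silently ignored and the pods come up without the annotation. A header comment would help, e.g. `# pod name -> container name -> AppArmor profile; names must match the template's podName/containerNames`. It is also worth having the gate check that the rendered pod carries a `container.apparmor.security.beta.kubernetes.io/fluentbit` annotation.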
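Review bot: In fluentd/templates/deployment-fluentd.yaml, `containerNames` in the added include lists only `fluentd`, so any init container defined further down in this pod spec (outside the hunk) gets no explicit AppArmor annotation. If the deployment does render an init container, pass `(list "fluentd" "init")` here and add `init: runtime/default` under `pod.mandatory_access_control.fluentd` in the override so every container in the pod has a stated profile. The `podName` and container strings have to match the values keys exactly; a template comment such as `{{/* podName/containerNames must match pod.mandatory_access_control keys in values */}}` would guard against a silent mismatch.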
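Review bot: In fluentd/values_overrides/apparmor.yaml the key `fluentd-daemonset-fluentd-exporter` has no matching include in this commit (the only template hunk passes `podName` `fluentd`), and the name appears to embed the release name, so it would stop matching under any other release name. Please confirm the exporter template looks up exactly this key, otherwise the `fluentd-exporter` and `init` profiles are never applied. The file also sets `monitoring.prometheus.enabled: true`, which changes what is deployed rather than how it is confined; if the intent is to bring up the exporter so its annotations are exercised, say so in a comment, e.g. `# exporter enabled so its AppArmor annotations are covered by the gate`.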
@@ -304,4 +304,4 @@ helm upgrade --install fluentd-daemonset ./fluentd \ ./tools/deployment/common/wait-for-pods.sh osh-infra #NOTE: Validate Deployment info -helm status fluentd-daemonset +helm status fluentd-daemonset \ No newline at end of file diff --git a/tools/deployment/osh-infra-logging/055-fluentbit.sh b/tools/deployment/osh-infra-logging/055-fluentbit.sh new file mode 100755 index 000000000..a8bd6c229 --- /dev/null +++ b/tools/deployment/osh-infra-logging/055-fluentbit.sh @@ -0,0 +1,37 @@ +#!/bin/bash + +# Copyright 2019 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +set -xe + +#NOTE: Lint and package chart +make fluentbit + +: ${OSH_INFRA_EXTRA_HELM_ARGS_FLUENTBIT:="$(./tools/deployment/common/get-values-overrides.sh fluentbit)"} + + +#NOTE: Deploy command +helm upgrade --install fluentbit ./fluentbit \ + --namespace=osh-infra \ + ${OSH_INFRA_EXTRA_HELM_ARGS} \ + ${OSH_INFRA_EXTRA_HELM_ARGS_FLUENTBIT} + + +#NOTE: Wait for deploy +./tools/deployment/common/wait-for-pods.sh osh-infra + +#NOTE: Validate Deployment info +helm status fluentbit + +helm test fluentbit diff --git a/tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh b/tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh deleted file mode 120000 index af568c5cf..000000000 --- a/tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh +++ /dev/null @@ -1 +0,0 @@ -../common/fluentd-daemonset.sh \ No newline at end of file 
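Review bot: In 055-fluentbit.sh the line `: ${OSH_INFRA_EXTRA_HELM_ARGS_FLUENTBIT:="$(./tools/deployment/common/get-values-overrides.sh fluentbit)"}` expands unquoted, so the resolved override arguments go through word splitting and pathname expansion before `:` discards them; `: "${OSH_INFRA_EXTRA_HELM_ARGS_FLUENTBIT:=$(./tools/deployment/common/get-values-overrides.sh fluentbit)}"` avoids that. The unquoted `${OSH_INFRA_EXTRA_HELM_ARGS}` and `${OSH_INFRA_EXTRA_HELM_ARGS_FLUENTBIT}` in the `helm upgrade` call rely on splitting to pass several flags, which deserves a one-line comment like `# intentionally unquoted: expands to multiple --values flags`. Since this script is how the apparmor override reaches the chart, a comment above the override lookup naming the feature gate that selects `values_overrides/apparmor.yaml` would also help readers.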
diff --git a/tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh b/tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh
new file mode 100755
index 000000000..2e870af96
--- /dev/null
+++ b/tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh
@@ -0,0 +1,175 @@ +#!/bin/bash + +# Copyright 2019 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +set -xe + +#NOTE: Lint and package chart +make fluentd + +tee /tmp/fluentd-daemonset.yaml < + bind 0.0.0.0 + port 24220 + @type monitor_agent + + + + + time_format %Y-%m-%dT%H:%M:%S.%NZ + @type json + + path /var/log/containers/*.log + read_from_head true + tag kubernetes.* + @type tail + + + + @type kubernetes_metadata + + + + bind 0.0.0.0 + port "#{ENV['FLUENTD_PORT']}" + @type forward + + + + @type null + + + + + chunk_limit_size 500K + flush_interval 5s + flush_thread_count 8 + queue_limit_length 16 + retry_forever false + retry_max_interval 30 + + host "#{ENV['ELASTICSEARCH_HOST']}" + include_tag_key true + logstash_format true + logstash_prefix libvirt + password "#{ENV['ELASTICSEARCH_PASSWORD']}" + port "#{ENV['ELASTICSEARCH_PORT']}" + @type elasticsearch + user "#{ENV['ELASTICSEARCH_USERNAME']}" + + + + + chunk_limit_size 500K + flush_interval 5s + flush_thread_count 8 + queue_limit_length 16 + retry_forever false + retry_max_interval 30 + + host "#{ENV['ELASTICSEARCH_HOST']}" + include_tag_key true + logstash_format true + logstash_prefix qemu + password "#{ENV['ELASTICSEARCH_PASSWORD']}" + port "#{ENV['ELASTICSEARCH_PORT']}" + @type elasticsearch + user "#{ENV['ELASTICSEARCH_USERNAME']}" + + + + + chunk_limit_size 500K + flush_interval 5s + flush_thread_count 8 + queue_limit_length 16 + retry_forever false + retry_max_interval 30 + + 
host "#{ENV['ELASTICSEARCH_HOST']}" + include_tag_key true + logstash_format true + logstash_prefix journal + password "#{ENV['ELASTICSEARCH_PASSWORD']}" + port "#{ENV['ELASTICSEARCH_PORT']}" + @type elasticsearch + user "#{ENV['ELASTICSEARCH_USERNAME']}" + + + + + chunk_limit_size 500K + flush_interval 5s + flush_thread_count 8 + queue_limit_length 16 + retry_forever false + retry_max_interval 30 + + host "#{ENV['ELASTICSEARCH_HOST']}" + include_tag_key true + logstash_format true + logstash_prefix kernel + password "#{ENV['ELASTICSEARCH_PASSWORD']}" + port "#{ENV['ELASTICSEARCH_PORT']}" + @type elasticsearch + user "#{ENV['ELASTICSEARCH_USERNAME']}" + + + + + chunk_limit_size 500K + flush_interval 5s + flush_thread_count 8 + queue_limit_length 16 + retry_forever false + retry_max_interval 30 + + flush_interval 15s + host "#{ENV['ELASTICSEARCH_HOST']}" + include_tag_key true + logstash_format true + password "#{ENV['ELASTICSEARCH_PASSWORD']}" + port "#{ENV['ELASTICSEARCH_PORT']}" + @type elasticsearch + type_name fluent + user "#{ENV['ELASTICSEARCH_USERNAME']}" + +EOF + +#NOTE: Deploy command +helm upgrade --install fluentd-daemonset ./fluentd \ + --namespace=osh-infra \ + --values=/tmp/fluentd-daemonset.yaml + +#NOTE: Wait for deploy +./tools/deployment/common/wait-for-pods.sh osh-infra + +#NOTE: Validate Deployment info +helm status fluentd-daemonset + +helm test fluentd-daemonset diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 5570510b0..88d84ba3a 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml 
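Review bot: The `helm upgrade --install fluentd-daemonset` call at the end of 060-fluentd-daemonset.sh passes only `--namespace=osh-infra` and `--values=/tmp/fluentd-daemonset.yaml`, so the `fluentd/values_overrides/apparmor.yaml` added in this commit is never selected by this script, unlike 055-fluentbit.sh, which resolves overrides through `get-values-overrides.sh`. To let the apparmor feature gate reach fluentd, resolve overrides the same way, for example `: ${OSH_INFRA_EXTRA_HELM_ARGS_FLUENTD:="$(./tools/deployment/common/get-values-overrides.sh fluentd)"}` (variable name following the fluentbit pattern), and append `${OSH_INFRA_EXTRA_HELM_ARGS} ${OSH_INFRA_EXTRA_HELM_ARGS_FLUENTD}` to the helm command. The file also replaces the symlink to `../common/fluentd-daemonset.sh` with a standalone script, so the two can now drift apart; a header comment stating why the copy exists and how it differs would help.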
@@ -139,8 +139,8 @@ - ./tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh - ./tools/deployment/osh-infra-logging/040-ldap.sh - ./tools/deployment/osh-infra-logging/050-elasticsearch.sh + - ./tools/deployment/osh-infra-logging/055-fluentbit.sh - ./tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh - - ./tools/deployment/osh-infra-logging/065-fluentd-deployment.sh - ./tools/deployment/osh-infra-logging/070-kibana.sh - ./tools/deployment/osh-infra-logging/600-kibana-selenium.sh || true 
@@ -311,39 +311,11 @@ - ./tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh - ./tools/deployment/osh-infra-logging/040-ldap.sh - ./tools/deployment/osh-infra-logging/050-elasticsearch.sh + - ./tools/deployment/osh-infra-logging/055-fluentbit.sh - ./tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh - - ./tools/deployment/osh-infra-logging/065-fluentd-deployment.sh - ./tools/deployment/osh-infra-logging/070-kibana.sh - ./tools/deployment/osh-infra-logging/600-kibana-selenium.sh || true - - -- job: - name: openstack-helm-infra-aio-logging-apparmor - parent: openstack-helm-infra-functional - timeout: 7200 - pre-run: - - playbooks/osh-infra-upgrade-host.yaml - - playbooks/osh-infra-deploy-selenium.yaml - run: playbooks/osh-infra-gate-runner.yaml - post-run: playbooks/osh-infra-collect-logs.yaml - nodeset: openstack-helm-single-node - vars: - osh_params: - container_distro_name: ubuntu - container_distro_version: bionic - feature_gates: apparmor - gate_scripts: - - ./tools/deployment/osh-infra-logging/000-install-packages.sh - - ./tools/deployment/osh-infra-logging/005-deploy-k8s.sh - - ./tools/deployment/osh-infra-logging/010-ingress.sh - - ./tools/deployment/osh-infra-logging/020-ceph.sh - - ./tools/deployment/osh-infra-logging/025-ceph-ns-activate.sh - - ./tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh - - ./tools/deployment/osh-infra-logging/040-ldap.sh - - ./tools/deployment/osh-infra-logging/050-elasticsearch.sh - - ./tools/deployment/osh-infra-logging/070-kibana.sh - - job: name: openstack-helm-infra-metacontroller parent: openstack-helm-infra-functional
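Review bot: This hunk deletes the `openstack-helm-infra-aio-logging-apparmor` job definition, the one carrying `feature_gates: apparmor`, while the same commit adds AppArmor overrides for fluentbit and fluentd. The name and `vars` of the job whose `gate_scripts` gain `055-fluentbit.sh` sit above the hunk, so it is not visible here whether that job sets the apparmor feature gate; if it does not, nothing in the gate exercises the new overrides. Please confirm that an apparmor-gated logging job remains and that it runs both `055-fluentbit.sh` and `060-fluentd-daemonset.sh`, and consider a comment on that job such as `# apparmor gate: applies values_overrides/apparmor.yaml for each chart`.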