This updates the Elastic Curator cron job to include configuration
for successful and failed job history limits, similar to the other
cron jobs we deploy. This also moves the key for configuring the
cron schedule from under .Values.conf.curator to a new top level
jobs key to maintain consistency
This also fixes an indentation issue with the deployment overrides
for Curator as well as adds the overrides for the Armada job
Change-Id: I9c720df9677215bdd2bf18be77959bd5f671c0ca
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This fixes typos in the cluster wait script to ensure the messages
reflect the types of nodes being checked
Change-Id: I5964b5517b3099fbfe8d574b2ca869d366c9bb17
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This begins to split the fluent-logging chart into two separate
charts, one for fluentbit and one for fluentd. This is to help
isolate each chart and its dependencies better, and to treat each
service as its own entity.
This also moves the job for creating Elasticsearch templates to
the Elasticsearch chart, as the elasticsearch chart should have
ownership of creating the templates for its indices.
This also performs some general cleanup of values keys that are
not currently used
Change-Id: I827277d5faa62b8b59c5960330703d23c297ca47
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This adds the helm-toolkit function for defining the update
strategy for the elasticsearch-data statefulset and sets the chart
default to RollingUpdate
Change-Id: Ia10ea7bf000474e597bdb36778118a96d85b93c1
This fixes the elasticsearch-logging service by removing the
LoadBalancer type configuration from the service template. This
was mistakenly added in a previous change
Change-Id: Id2f866147c2dcccc10c83bd54094d54cf3bd227b
This updates the Curator image to use version 5.6.0, which adds
additional actions for use, such as the ability to shrink indices.
This also adds a separate configmap and config secret for Curator,
as this allows us to use separate configmap annotations on the
Elasticsearch component pods to prevent Curator config updates
from triggering recreation of Elasticsearch components. This helps
alleviate overhead associated with Elasticsearch service restarts.
Change-Id: I0aec7756b0dc09bc3981ede950dc88f821aeca4b
This updates the Elasticsearch chart to allow for setting the
heap size per node type instead of for all nodes equally. This
also adds the required environment variable to configure whether
a node is an ingest node. This is set to false, as suggested for
elasticsearch versions <= 6.x
This also removes the ES_PLUGINS_INSTALL environment variable as
it is not used for anything in the current charts
Change-Id: I9096774db46dcbcd48b8a5448f0510984bf4108f
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
This reverts commit ab86685bea6df436c93220ce63900549c19effff.
removing readOnlyRootFilesystem flag since pods are running to "crashLoopBackOff" state by implementing HTK functionality
when we have set the readOnly flag at pod without HTK functionality the changes were not effected. That is why it passed the gate.
Change-Id: Iaa6b89a6a19e8f85d02bf6d06f45570469674d4f
This adds ingress network policy for the fluent-logging, kibana
and Elasticsearch charts. This leverages the helm-toolkit template
that was used in openstack-helm for the openstack services
Change-Id: I2a89b62f1002851346e9a25de40113078e9c518f
This indents the closing {{ end }} for the check for executing the
Elasticsearch test that checks the snapshot repositories
Change-Id: I77ebb1af7ee648cc9787665bfb81dfbb1a30663a
This adds the security context snippet for the elasticsearch
prometheus exporter container to set allowPrivilegeEscalation to false
and readOnlyRootFilesystem to true
Change-Id: Ia80aa9cfc837073fae0a884de5245764147d7ded
This adds a job that will query the Elasticsearch HTTP cat API to
determine whether the desired number of nodes have been discovered
via the Zen discovery mechanism to be included in the cluster.
This aims to address issues seen when upgrading Elasticsearch,
where the snapshot repository job may trigger due to endpoints
from older pods being present. This new job will be the dependency
required by the snapshot repository job to ensure the ES cluster
has the desired number of nodes before attempting to register a
snapshot repository or interact with the cluster
Change-Id: I94fbbfdec7ca66d04acca9558e56dca3b2bc7d52
This adds the release-annotation to the pod spec for the charts in
openstack-helm-infra. This also adds missing configmap annotations
to charts in openstack-helm-infra
Change-Id: Ie23f0c16a7a21d3929e98928db2bbcef69ae6490
This removes the insertion of test dummy data and the following
query for it from the Elasticsearch helm tests. Upon upgrades,
it's possible for Elasticsearch to refuse the direct insertion of
data due to shard reallocation and due to full bulk endpoint
queues. These refusals should not be seen as test failures
Change-Id: Id53d53a7aa2b58e64932d50ca3e7a4fb1141bb3a
This updates the script used to register the elasticsearch
snapshot repositories. It will first gather a list of all
currently registered repositories, then check for the existence
of each configured repository. If the repository exists, the job
will not attempt to register the repository again. If it doesn't
exist, the job will then register the desired repository
Change-Id: I2cfd3c44f1b2b4a54c9b07be79c2c87af77c540e
This updates the helm-toolkit manifest template and scipts for
creating an S3 bucket and linking it to a user. This moves away
from the previous python implementation that used rgwadmin, and
instead uses s3cmd for a cleaner approach that can support more
recent versions of ceph
Change-Id: I305062a5daa063bfe21a12448d7a3957bca00bf4
This removes unused pod-etc-apache volumes from the charts that
use an apache sidecar container as a reverse proxy.
Change-Id: Ibafff3b53f9d3c20f5aed30d40ee6470cb515a8a
This adds the security context snippet for the elasticsearch
prometheus exporter pod. This changes the pod's user from root to
the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: If692fccaf4dd362b28fecb4656036289a3a97122
This adds a simple check to the Elasticsearch snapshot repo job
that will cause the job to fail if the repository isn't added
successfully
Change-Id: I9dca6ef545b43c52a37542319fa2f706b174c44b
This updates the Elasticsearch helm test to execute a clean on the
test index before attempting to create it, in cases where a
stranded test index may exist
Change-Id: I87533f94f6ea55b0b2f929543f8d3e75baa81bed
This patch set implements the helm toolkit function to generate a
kubernetes network policy manifest based on overrideable values.
This also adds a chart that shuts down all the ingress and egress
traffics in the namespace. This can be used to ensure the
whitelisted network policy works as intended.
Additionally, implementation is done for some infrastructure charts.
Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This updates the helm test pod templates in the charts with helm
tests defined. This change includes the addition of:
- Generate test pod cluster roles and role bindings
- Generate service accounts for test pods
- Add node selectors to the test pods
- Add service accounts to the test pods
- Addition of entrypoint container to the test pods
- Indentation fix for rabbitmq test pod template
Change-Id: I9a0dd8a1a87bfe5eaf1362e92b37bc004f9c2cdb
This adds the node selector key and value configuration to the
Curator cron job for Elasticsearch, as it was previously omitted
Change-Id: Id702007fa827a1e1f90dee9b2a855e4197f4567c
This ps adds the ability to use the ceph radosgw s3 api for
snapshot repositories. It removes the ability to use a RWM pvc, as
the radosgw solution provides a more robust approach for storing
index snapshots
Change-Id: Ie56ac41ccdc61bfadcac52b400cceb35403e9fae
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.
Change-Id: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Signed-off-by: Pete Birley <pete@port.direct>
This adds an ingress to the Elasticsearch chart, allowing for the
exposure of the Elasticsearch cluster externally if required.
This also removes the node ports from the data and discovery
services, as these ports should not be used beyond service
discovery by the elasticsearch nodes. It moves the node port for
the client service under the network.elasticsearch key to match
the network tree for the other services
Change-Id: Ia989eff87b8c9f112c697ae309bbb971dc699aa5
This updates the osh-infra charts to use a secret for their
configuration files instead of a configmap, allowing for the
storage of sensitive information
Change-Id: Ia32587162288df0b297c45fd43b55cef381cb064
In most cases, the ingress controller's nodeSelector key and value
are "node-role.kubernetes.io/ingress" and "true".
Using quote to treat the nodeSelector value as a string.
Change-Id: Ie1745629b90795e4d888d85f35565e6d6350e09b
This proposes defining the apache proxy hosts entirely via values
templates. While complicated on its face, this gives flexibility
by allowing the ability to define the desired authentication
mechanism via values templates. These options can range from
using http basic auth for development purposes to defining more
complex ldap configurations without a need to modify the chart
directly
Change-Id: Ief1b6890444ff90cc9c0ca872087af74836c0771
Signed-off-by: Pete Birley <pete@port.direct>
This fixes the resource trees for the fluent-logging and
openstack-exporter charts to match the other charts. This
also fixes the elasticsearch master template to use the
correct indentation level for the resource template
Change-Id: Ic6ec270a880216daff10d1f22128c6377ebf9933
