This change updates the Elasticsearch chart for compatibility with
the latest version of the Elasticsearch exporter. There are some
breaking changes between v1.0.1 and v1.1.0 - mainly with how arguments
are handled by the program.
All of the configuration options currently available are now exposed
in values.yaml
Change-Id: I8c71d5f6ed4a8360ad886338adb8ad63471eefd1
This patchset adds the ability to define an elasticsearch account to
use for remote logging and centralized logging functions
Change-Id: Iec61a130db6d94218893d3544e5a82c8ca04055b
This change adds a new Deployment to the Elasticsearch chart to add a
set of "gateway" nodes to the Elasticsearch cluster. These nodes will
facilitate Elasticsearch remote cluster, for features such as cross
cluster search.
Co-Authored-By: David Smith <ds3330@att.com>
Change-Id: Ic4ac988a922a12addce3c65e0ef4099d46bbc784
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
This moves from using the docker profile to the default
runtime profile - which allows container engines other than
docker to work out of the box.
Change-Id: Ica5a48f8c43b90f07969b41e10dc472a772b5b43
Signed-off-by: Pete Birley <pete@port.direct>
This is to update ceph images to Nautilus based images since
ceph cluster is now upgraded to Nautilus.
Change-Id: Ib57f29a4dba89de762a9824ba398ad49b0bd397b
This updates the Elasticsearch chart to make the values keys used
for defining node selectors for the various elasticsearch
components more granular
Change-Id: Ic1ac343b1d6ee48fc7cb456afe4cd9588c4aa13b
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the Elasticsearch and Kibana charts to deploy
version 7.1.0. This move required significant changes to both
charts, including: changing elasticsearch masters to a statefulset
to utilize reliable dns names for the discovery process, config
updates to reflect deprecated/updated/removed values, use the
kibana saved objects api for managing index patterns and setting
the default index, and updating the elasticsearch entrypoint
scripts to reflect the use of elastic-keystore for storing s3
credentials instead of defining them in the configuration file
Change-Id: I270d905f266fc15492e47d8376714ba80603e66d
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates charts that consume images built from osh-images to
use tags other than the :latest tags. This will be followed up
with the definition of jobs to allow for vetting out of updated
images, as reliance on :latest tags assumes any change merged into
osh-images will result in functionally correct behavior (which has
shown to not be the case traditionally)
Change-Id: I181aa56ed187604dc7583d8081e53cc69eb27310
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained
Change-Id: I5bfdc156ae228ab16da57569ac6b05a9a125cb6a
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This adds a cron job to manually verify all snapshot repositories
are registered to any active master and data nodes. This is to
address scenarios where master and data nodes do not have the
desired snapshot repositories registered following node outages
or reboots
Change-Id: Ie6f42e95c3ca4dc2ec70f2852a2bde11e59ec097
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This removes ReadonlyRootfs from
Elasticsearch data pods as this is
required in order for the data pods
to recover from outages
Change-Id: I603d3a25b6580eab20e2b20e1b1cd0cf740c7ab2
this updates the Elasticsearch cluster wait and snapshot repo jobs
to include values overrides for the job backoff limits and the
active deadline seconds field. This allows for tweaking beyond the
standard defaults for kubernetes jobs
Change-Id: I1f95a635ab4dfdb3718d5d4fa668c64a9095e899
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the Elasticsearch client and data pod dependencies
to allow for sequential bring up of the cluster components. As
we want the order to be master->client->data, we add the discovery
service endpoint as a dependency for the client pods and add both
the discovery and client service endpoints as dependencies for
the data pods
Change-Id: Iec6d6f259dc8b7b4f2309b492409cc0e5feab669
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the Elastic Curator cron job to include configuration
for successful and failed job history limits, similar to the other
cron jobs we deploy. This also moves the key for configuring the
cron schedule from under .Values.conf.curator to a new top level
jobs key to maintain consistency
This also fixes an indentation issue with the deployment overrides
for Curator as well as adds the overrides for the Armada job
Change-Id: I9c720df9677215bdd2bf18be77959bd5f671c0ca
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the Elasticsearch chart to include a specific start
script for the Elasticsearch data nodes that includes a trap on
signals that removes a data node from allocation eligible nodes
before shutting down. This results in all shards being moved from
a node on shut down to alleviate issues with planned down nodes,
such as during upgrade scenarios
Change-Id: I22f4957f90e4113831a8ddf48691cb14f811c1e5
This begins to split the fluent-logging chart into two separate
charts, one for fluentbit and one for fluentd. This is to help
isolate each chart and its dependencies better, and to treat each
service as its own entity.
This also moves the job for creating Elasticsearch templates to
the Elasticsearch chart, as the elasticsearch chart should have
ownership of creating the templates for its indices.
This also performs some general cleanup of values keys that are
not currently used
Change-Id: I827277d5faa62b8b59c5960330703d23c297ca47
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This adds the helm-toolkit function for defining the update
strategy for the elasticsearch-data statefulset and sets the chart
default to RollingUpdate
Change-Id: Ia10ea7bf000474e597bdb36778118a96d85b93c1
This updates the Elasticsearch chart to use the elasticsearch-s3
image built from the openstack-helm-images Dockerfile instead of
using the previous image from a personal repository
Change-Id: I4d6b18aea11920de33ce1f4b63d39c18cd2b98d3
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use (and completely opaque to deployers), and updating the
osh-images process or patching its code has no impact on OSH.
This should fix it.
Change-Id: Ic00bd98c151669dc2485cd88e0e8c2ab05445959
This ps exposes the anti-affinity weight value, including
default, that will be consumed by the updated htk function.
Change-Id: Id8eb303674764ef8b0664f62040723aaf77e0a54
This adds a basic egress policy to the charts run by the
network-policy check. A change was recently merged requiring
the eggress tag to be in the chart but did not add it, this
addresses that
Change-Id: I60669c9351db7854cba8c69723eb783a966d2a56
This updates the Curator image to use version 5.6.0, which adds
additional actions for use, such as the ability to shrink indices.
This also adds a separate configmap and config secret for Curator,
as this allows us to use separate configmap annotations on the
Elasticsearch component pods to prevent Curator config updates
from triggering recreation of Elasticsearch components. This helps
alleviate overhead associated with Elasticsearch service restarts.
Change-Id: I0aec7756b0dc09bc3981ede950dc88f821aeca4b
This updates the Elasticsearch chart to allow for setting the
heap size per node type instead of for all nodes equally. This
also adds the required environment variable to configure whether
a node is an ingest node. This is set to false, as suggested for
elasticsearch versions <= 6.x
This also removes the ES_PLUGINS_INSTALL environment variable as
it is not used for anything in the current charts
Change-Id: I9096774db46dcbcd48b8a5448f0510984bf4108f
This adds ingress network policy for the fluent-logging, kibana
and Elasticsearch charts. This leverages the helm-toolkit template
that was used in openstack-helm for the openstack services
Change-Id: I2a89b62f1002851346e9a25de40113078e9c518f
This adds the security context snippet for the elasticsearch
prometheus exporter container to set allowPrivilegeEscalation to false
and readOnlyRootFilesystem to true
Change-Id: Ia80aa9cfc837073fae0a884de5245764147d7ded
This adds a job that will query the Elasticsearch HTTP cat API to
determine whether the desired number of nodes have been discovered
via the Zen discovery mechanism to be included in the cluster.
This aims to address issues seen when upgrading Elasticsearch,
where the snapshot repository job may trigger due to endpoints
from older pods being present. This new job will be the dependency
required by the snapshot repository job to ensure the ES cluster
has the desired number of nodes before attempting to register a
snapshot repository or interact with the cluster
Change-Id: I94fbbfdec7ca66d04acca9558e56dca3b2bc7d52
This updates the dependencies for the Elasticsearch chart to be
more cautious before proceeding. For example, this updates the
dependencies for the register snapshot job to wait until all
ES components have registered endpoints, and also updates the helm
test pod to wait for all components to have registered endpoints
and the snapshot job to have completed
Change-Id: Ie4e92bba4ae33b33cadb921bdda91ceb813e29e1
This updates the script used to register the elasticsearch
snapshot repositories. It will first gather a list of all
currently registered repositories, then check for the existence
of each configured repository. If the repository exists, the job
will not attempt to register the repository again. If it doesn't
exist, the job will then register the desired repository
Change-Id: I2cfd3c44f1b2b4a54c9b07be79c2c87af77c540e
This begins to break out the various location paths for the
Elasticsearch apache-proxy virtual host. These include:
- Deny all access to the update document api
- Deny all access to the update by query api
- Deny all access to the delete by query api
- Prohibit the DELETE method on all document api endpoints
This helps ensure that documents can't be updated or deleted once
indexed into Elasticsearch
Change-Id: Iaa97a9f7699a47d13c25b9e2e4249c37c29e4559
This updates the logging format and configuration for the apache
reverse proxies used for elasticsearch, kibana, nagios and
prometheus to enable logging of the remote clients used to access
these services
Change-Id: Id07e4294ea18203fbb890b78424a232c2d59cb82
This PS udpates the default image in the chart to the latest OSH image.
Change-Id: Ib8d2a72ad48049fe02560dc4405f0088890b6f64
Signed-off-by: Pete Birley <pete@port.direct>
This updates the Elasticsearch image used for s3 bucket creation
to use the same ceph daemon image used in the ceph-rgw chart now
that the Mimic release is supported
Change-Id: I416a283b8ac41f6b360d20aac1be8374c07badcd
This updates the helm-toolkit manifest template and scipts for
creating an S3 bucket and linking it to a user. This moves away
from the previous python implementation that used rgwadmin, and
instead uses s3cmd for a cleaner approach that can support more
recent versions of ceph
Change-Id: I305062a5daa063bfe21a12448d7a3957bca00bf4
This adds the security context snippet for the elasticsearch
prometheus exporter pod. This changes the pod's user from root to
the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: If692fccaf4dd362b28fecb4656036289a3a97122
