e1f2a3cf78
This adds a basic egress policy to the charts run by the network-policy check. A change was recently merged requiring the eggress tag to be in the chart but did not add it, this addresses that Change-Id: I60669c9351db7854cba8c69723eb783a966d2a56
724 lines
19 KiB
YAML
724 lines
19 KiB
YAML
# Copyright 2017 The Openstack-Helm Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the 'License');
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an 'AS IS' BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for fluentbit and fluentd.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
release_group: null
|
|
|
|
labels:
|
|
fluentd:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
fluentbit:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
prometheus_fluentd_exporter:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
test:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
images:
|
|
tags:
|
|
fluentbit: docker.io/fluent/fluent-bit:0.14.2
|
|
fluentd: docker.io/fluent/fluentd-kubernetes-daemonset:v1.2-debian-elasticsearch
|
|
prometheus_fluentd_exporter: docker.io/bitnami/fluentd-exporter:0.2.0
|
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
|
helm_tests: docker.io/openstackhelm/heat:newton
|
|
elasticsearch_template: docker.io/openstackhelm/heat:newton
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
pull_policy: IfNotPresent
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
secrets:
|
|
elasticsearch:
|
|
user: fluentd-elasticsearch-user
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- fluent-logging-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
static:
|
|
elasticsearch_template:
|
|
services:
|
|
- endpoint: internal
|
|
service: elasticsearch
|
|
fluentbit:
|
|
jobs:
|
|
- elasticsearch-template
|
|
services:
|
|
- endpoint: internal
|
|
service: fluentd
|
|
fluentd:
|
|
jobs:
|
|
- elasticsearch-template
|
|
services:
|
|
- endpoint: internal
|
|
service: elasticsearch
|
|
fluentd_with_kafka:
|
|
services:
|
|
- endpoint: internal
|
|
service: elasticsearch
|
|
- endpoint: public
|
|
service: kafka
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
prometheus_fluentd_exporter:
|
|
services:
|
|
- endpoint: internal
|
|
service: fluentd
|
|
tests:
|
|
services:
|
|
- endpoint: internal
|
|
service: elasticsearch
|
|
- endpoint: internal
|
|
service: fluentd
|
|
|
|
conf:
|
|
fluentbit:
|
|
- service:
|
|
header: service
|
|
Flush: 30
|
|
Daemon: Off
|
|
Log_Level: info
|
|
Parsers_File: parsers.conf
|
|
- kernel_messages:
|
|
header: input
|
|
Name: tail
|
|
Tag: kernel
|
|
Path: /var/log/kern.log
|
|
Mem_Buf_Limit: 5MB
|
|
Buffer_Chunk_Size: 1M
|
|
Buffer_Max_Size: 1M
|
|
- containers_tail:
|
|
header: input
|
|
Name: tail
|
|
Tag: kube.*
|
|
Path: /var/log/containers/*.log
|
|
Parser: docker
|
|
Mem_Buf_Limit: 5MB
|
|
Buffer_Chunk_Size: 1M
|
|
Buffer_Max_Size: 1M
|
|
- libvirt:
|
|
header: input
|
|
Name: tail
|
|
Tag: libvirt
|
|
Path: /var/log/libvirt/libvirtd.log
|
|
Mem_Buf_Limit: 5MB
|
|
Buffer_Chunk_Size: 1M
|
|
Buffer_Max_Size: 1M
|
|
- qemu:
|
|
header: input
|
|
Name: tail
|
|
Tag: qemu
|
|
Path: /var/log/libvirt/qemu/*.log
|
|
Mem_Buf_Limit: 5MB
|
|
Buffer_Chunk_Size: 1M
|
|
Buffer_Max_Size: 1M
|
|
- kubelet:
|
|
header: input
|
|
Name: systemd
|
|
Tag: journal.*
|
|
Path: ${JOURNAL_PATH}
|
|
Systemd_Filter: _SYSTEMD_UNIT=kubelet.service
|
|
Mem_Buf_Limit: 5MB
|
|
Buffer_Chunk_Size: 1M
|
|
Buffer_Max_Size: 1M
|
|
- docker_daemon:
|
|
header: input
|
|
Name: systemd
|
|
Tag: journal.*
|
|
Path: ${JOURNAL_PATH}
|
|
Systemd_Filter: _SYSTEMD_UNIT=docker.service
|
|
Mem_Buf_Limit: 5MB
|
|
Buffer_Chunk_Size: 1M
|
|
Buffer_Max_Size: 1M
|
|
- throttle_filter:
|
|
header: filter
|
|
Name: throttle
|
|
Match: "**"
|
|
Rate: 1000
|
|
Window: 300
|
|
Interval: 1s
|
|
- libvirt_record_modifier:
|
|
header: filter
|
|
Name: record_modifier
|
|
Match: libvirt
|
|
Record: hostname ${HOSTNAME}
|
|
- qemu_record_modifier:
|
|
header: filter
|
|
Name: record_modifier
|
|
Match: qemu
|
|
Record: hostname ${HOSTNAME}
|
|
- kernel_record_modifier:
|
|
header: filter
|
|
Name: record_modifier
|
|
Match: kernel
|
|
Record: hostname ${HOSTNAME}
|
|
- systemd_modify_fields:
|
|
header: filter
|
|
Name: modify
|
|
Match: journal.**
|
|
Rename:
|
|
_BOOT_ID: BOOT_ID
|
|
_CAP_EFFECTIVE: CAP_EFFECTIVE
|
|
_CMDLINE: CMDLINE
|
|
_COMM: COMM
|
|
_EXE: EXE
|
|
_GID: GID
|
|
_HOSTNAME: HOSTNAME
|
|
_MACHINE_ID: MACHINE_ID
|
|
_PID: PID
|
|
_SYSTEMD_CGROUP: SYSTEMD_CGROUP
|
|
_SYSTEMD_SLICE: SYSTEMD_SLICE
|
|
_SYSTEMD_UNIT: SYSTEMD_UNIT
|
|
_UID: UID
|
|
_TRANSPORT: TRANSPORT
|
|
- drop_fluentd_logs:
|
|
header: output
|
|
Name: "null"
|
|
Match: "**.fluentd**"
|
|
- kube_filter:
|
|
header: filter
|
|
Name: kubernetes
|
|
Match: kube.*
|
|
Merge_JSON_Log: On
|
|
- fluentd_output:
|
|
header: output
|
|
Name: forward
|
|
Match: "*"
|
|
Host: ${FLUENTD_HOST}
|
|
Port: ${FLUENTD_PORT}
|
|
parsers:
|
|
- docker:
|
|
header: parser
|
|
Name: docker
|
|
Format: json
|
|
Time_Key: time
|
|
Time_Format: "%Y-%m-%dT%H:%M:%S.%L"
|
|
Time_Keep: On
|
|
Decode_Field_As: escaped_utf8 log
|
|
fluentd:
|
|
- metrics_agent:
|
|
header: source
|
|
type: monitor_agent
|
|
bind: 0.0.0.0
|
|
port: 24220
|
|
- fluentbit_forward:
|
|
header: source
|
|
type: forward
|
|
port: "#{ENV['FLUENTD_PORT']}"
|
|
bind: 0.0.0.0
|
|
- filter_fluentd_logs:
|
|
header: match
|
|
expression: "fluent.**"
|
|
type: "null"
|
|
# NOTE(srwilkers): Look for specific keywords in the log key to determine
|
|
# log level of event
|
|
- tag_kubernetes_log_level:
|
|
header: match
|
|
type: rewrite_tag_filter
|
|
expression: "kube.var.log.containers.**.log"
|
|
rule:
|
|
-
|
|
- header: rule
|
|
key: log
|
|
pattern: /info/i
|
|
tag: info.${tag}
|
|
- header: rule
|
|
key: log
|
|
pattern: /warn/i
|
|
tag: warn.${tag}
|
|
- header: rule
|
|
key: log
|
|
pattern: /error/i
|
|
tag: error.${tag}
|
|
- header: rule
|
|
key: log
|
|
pattern: /critical/i
|
|
tag: critical.${tag}
|
|
- header: rule
|
|
key: log
|
|
pattern: (.+)
|
|
tag: info.${tag}
|
|
# NOTE(srwilkers): Create new key for log level, and use the tag prefix
|
|
# added previously
|
|
- add_kubernetes_log_level_and_application_key:
|
|
header: filter
|
|
type: record_transformer
|
|
enable_ruby: true
|
|
expression: "**.kube.var.log.containers.**.log"
|
|
record:
|
|
-
|
|
- header: record
|
|
level: ${tag_parts[0]}
|
|
application: ${record["kubernetes"]["labels"]["application"]}
|
|
- add_openstack_application_key:
|
|
header: filter
|
|
type: record_transformer
|
|
expression: "openstack.**"
|
|
record:
|
|
-
|
|
- header: record
|
|
application: ${tag_parts[1]}
|
|
#NOTE(srwilkers): This prefixes the tag for oslo.log entries from the
|
|
# fluent handler/formatter with the log level, allowing for lookups on
|
|
# openstack logs with a particular log level (ie: error.openstack.keystone)
|
|
- tag_openstack_log_level:
|
|
header: match
|
|
type: rewrite_tag_filter
|
|
expression: "openstack.**"
|
|
rule:
|
|
-
|
|
- header: rule
|
|
key: level
|
|
pattern: INFO
|
|
tag: info.${tag}
|
|
- header: rule
|
|
key: level
|
|
pattern: WARN
|
|
tag: warn.${tag}
|
|
- header: rule
|
|
key: level
|
|
pattern: ERROR
|
|
tag: error.${tag}
|
|
- header: rule
|
|
key: level
|
|
pattern: CRITICAL
|
|
tag: critical.${tag}
|
|
#NOTE(tp6510): This prefixes the tag for auth entries
|
|
# it allows for lookups on openstack logs with
|
|
# a particular auth log (ie: auth.openstack.keystone)
|
|
- tag_auth_log:
|
|
header: match
|
|
type: rewrite_tag_filter
|
|
expression: "*.openstack.**"
|
|
rule:
|
|
-
|
|
- header: rule
|
|
key: application
|
|
pattern: keystone
|
|
tag: auth.${tag}
|
|
- header: rule
|
|
key: application
|
|
pattern: horizon
|
|
tag: auth.${tag}
|
|
- header: rule
|
|
key: application
|
|
pattern: mariadb
|
|
tag: auth.${tag}
|
|
- header: rule
|
|
key: application
|
|
pattern: memcached
|
|
tag: auth.${tag}
|
|
- header: rule
|
|
key: application
|
|
pattern: rabbitmq
|
|
tag: auth.${tag}
|
|
- libvirt_elasticsearch:
|
|
header: match
|
|
type: elasticsearch
|
|
user: "#{ENV['ELASTICSEARCH_USERNAME']}"
|
|
password: "#{ENV['ELASTICSEARCH_PASSWORD']}"
|
|
expression: "libvirt"
|
|
include_tag_key: true
|
|
host: "#{ENV['ELASTICSEARCH_HOST']}"
|
|
port: "#{ENV['ELASTICSEARCH_PORT']}"
|
|
logstash_format: true
|
|
logstash_prefix: libvirt
|
|
buffer:
|
|
-
|
|
- header: buffer
|
|
flush_thread_count: 8
|
|
flush_interval: "15"
|
|
chunk_limit_size: 8MB
|
|
queue_limit_length: 256
|
|
retry_max_interval: 30
|
|
retry_forever: false
|
|
- qemu_elasticsearch:
|
|
header: match
|
|
type: elasticsearch
|
|
user: "#{ENV['ELASTICSEARCH_USERNAME']}"
|
|
password: "#{ENV['ELASTICSEARCH_PASSWORD']}"
|
|
expression: "qemu"
|
|
include_tag_key: true
|
|
host: "#{ENV['ELASTICSEARCH_HOST']}"
|
|
port: "#{ENV['ELASTICSEARCH_PORT']}"
|
|
logstash_format: true
|
|
logstash_prefix: qemu
|
|
buffer:
|
|
-
|
|
- header: buffer
|
|
flush_thread_count: 8
|
|
flush_interval: "15"
|
|
chunk_limit_size: 8MB
|
|
queue_limit_length: 256
|
|
retry_max_interval: 30
|
|
retry_forever: false
|
|
- journal_elasticsearch:
|
|
header: match
|
|
type: elasticsearch
|
|
user: "#{ENV['ELASTICSEARCH_USERNAME']}"
|
|
password: "#{ENV['ELASTICSEARCH_PASSWORD']}"
|
|
expression: "journal.**"
|
|
include_tag_key: true
|
|
host: "#{ENV['ELASTICSEARCH_HOST']}"
|
|
port: "#{ENV['ELASTICSEARCH_PORT']}"
|
|
logstash_format: true
|
|
logstash_prefix: journal
|
|
buffer:
|
|
-
|
|
- header: buffer
|
|
flush_thread_count: 8
|
|
flush_interval: "15"
|
|
chunk_limit_size: 8MB
|
|
queue_limit_length: 256
|
|
retry_max_interval: 30
|
|
retry_forever: false
|
|
- kernel_elasticsearch:
|
|
header: match
|
|
type: elasticsearch
|
|
user: "#{ENV['ELASTICSEARCH_USERNAME']}"
|
|
password: "#{ENV['ELASTICSEARCH_PASSWORD']}"
|
|
expression: "kernel"
|
|
include_tag_key: true
|
|
host: "#{ENV['ELASTICSEARCH_HOST']}"
|
|
port: "#{ENV['ELASTICSEARCH_PORT']}"
|
|
logstash_format: true
|
|
logstash_prefix: kernel
|
|
buffer:
|
|
-
|
|
- header: buffer
|
|
flush_thread_count: 8
|
|
flush_interval: "15"
|
|
chunk_limit_size: 8MB
|
|
queue_limit_length: 256
|
|
retry_max_interval: 30
|
|
retry_forever: false
|
|
- elasticsearch:
|
|
header: match
|
|
type: elasticsearch
|
|
user: "#{ENV['ELASTICSEARCH_USERNAME']}"
|
|
password: "#{ENV['ELASTICSEARCH_PASSWORD']}"
|
|
expression: "**"
|
|
include_tag_key: true
|
|
host: "#{ENV['ELASTICSEARCH_HOST']}"
|
|
port: "#{ENV['ELASTICSEARCH_PORT']}"
|
|
logstash_format: true
|
|
type_name: fluent
|
|
buffer:
|
|
-
|
|
- header: buffer
|
|
flush_thread_count: 8
|
|
flush_interval: "15"
|
|
chunk_limit_size: 8MB
|
|
queue_limit_length: 256
|
|
retry_max_interval: 30
|
|
retry_forever: false
|
|
flush_interval: "15"
|
|
fluentd_exporter:
|
|
log:
|
|
format: "logger:stdout?json=true"
|
|
level: "info"
|
|
templates:
|
|
fluent:
|
|
template: "logstash-*"
|
|
index_patterns: "logstash-*"
|
|
settings:
|
|
number_of_shards: 1
|
|
mappings:
|
|
fluent:
|
|
properties:
|
|
kubernetes:
|
|
properties:
|
|
container_name:
|
|
type: keyword
|
|
index: false
|
|
docker_id:
|
|
type: keyword
|
|
index: false
|
|
host:
|
|
type: keyword
|
|
index: false
|
|
namespace_name:
|
|
type: keyword
|
|
index: false
|
|
pod_id:
|
|
type: keyword
|
|
index: false
|
|
pod_name:
|
|
type: keyword
|
|
index: false
|
|
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
elasticsearch:
|
|
namespace: null
|
|
name: elasticsearch
|
|
auth:
|
|
admin:
|
|
username: admin
|
|
password: changeme
|
|
hosts:
|
|
data: elasticsearch-data
|
|
default: elasticsearch-logging
|
|
discovery: elasticsearch-discovery
|
|
public: elasticsearch
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: http
|
|
port:
|
|
http:
|
|
default: 80
|
|
kafka:
|
|
namespace: null
|
|
name: kafka
|
|
hosts:
|
|
default: kafka-logging
|
|
public: kafka
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: http
|
|
port:
|
|
service:
|
|
default: 9092
|
|
fluentd:
|
|
namespace: null
|
|
name: fluentd
|
|
hosts:
|
|
default: fluentd-logging
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: http
|
|
port:
|
|
service:
|
|
default: 24224
|
|
metrics:
|
|
default: 24220
|
|
prometheus_fluentd_exporter:
|
|
namespace: null
|
|
hosts:
|
|
default: fluentd-exporter
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /metrics
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
metrics:
|
|
default: 9309
|
|
|
|
monitoring:
|
|
prometheus:
|
|
enabled: false
|
|
fluentd_exporter:
|
|
scrape: true
|
|
|
|
network:
|
|
fluentd:
|
|
node_port:
|
|
enabled: false
|
|
port: 32329
|
|
|
|
network_policy:
|
|
prometheus-fluentd-exporter:
|
|
ingress:
|
|
- {}
|
|
egress:
|
|
- {}
|
|
fluentd:
|
|
ingress:
|
|
- {}
|
|
egress:
|
|
- {}
|
|
|
|
pod:
|
|
security_context:
|
|
daemon:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
fluentbit:
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: false
|
|
internal:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
fluentd:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: false
|
|
elasticsearch_template:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
elasticsearch_template:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: false
|
|
test:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
helm_test:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: false
|
|
exporter:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
fluentd_exporter:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: false
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
lifecycle:
|
|
upgrades:
|
|
daemonsets:
|
|
pod_replacement_strategy: RollingUpdate
|
|
fluentbit:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
termination_grace_period:
|
|
fluentd:
|
|
timeout: 30
|
|
prometheus_fluentd_exporter:
|
|
timeout: 30
|
|
replicas:
|
|
fluentd: 3
|
|
prometheus_fluentd_exporter: 1
|
|
resources:
|
|
enabled: false
|
|
fluentbit:
|
|
limits:
|
|
memory: '400Mi'
|
|
cpu: '400m'
|
|
requests:
|
|
memory: '100Mi'
|
|
cpu: '100m'
|
|
fluentd:
|
|
limits:
|
|
memory: '1024Mi'
|
|
cpu: '2000m'
|
|
requests:
|
|
memory: '128Mi'
|
|
cpu: '500m'
|
|
prometheus_fluentd_exporter:
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "500m"
|
|
jobs:
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tests:
|
|
requests:
|
|
memory: '128Mi'
|
|
cpu: '100m'
|
|
limits:
|
|
memory: '1024Mi'
|
|
cpu: '2000m'
|
|
tolerations:
|
|
fluentbit:
|
|
enabled: false
|
|
tolerations:
|
|
- key: node-role.kubernetes.io/master
|
|
operator: Exists
|
|
- key: node-role.kubernetes.io/node
|
|
operator: Exists
|
|
mounts:
|
|
fluentd:
|
|
fluentd:
|
|
fluentbit:
|
|
fluentbit:
|
|
fluent_tests:
|
|
fluent_tests:
|
|
elasticsearch_template:
|
|
init_container:
|
|
elasticsearch_template:
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
deployment_fluentd: true
|
|
daemonset_fluentbit: true
|
|
job_image_repo_sync: true
|
|
helm_tests: true
|
|
monitoring:
|
|
prometheus:
|
|
configmap_bin_exporter: true
|
|
deployment_exporter: true
|
|
network_policy_exporter: false
|
|
service_exporter: true
|
|
network_policy: false
|
|
secret_elasticsearch: true
|
|
service_fluentd: true
|
|
job_elasticsearch_template: true
|