From cea4e9af6148a1da2abe6d1460a5cf536fbd6551 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Fri, 10 Apr 2020 18:43:36 +0200 Subject: [PATCH 01/15] [metricbeat] split configmap for daemonset and deployment --- metricbeat/README.md | 70 ++++---- .../examples/6.x/test/goss-metrics.yaml | 3 +- .../examples/default/test/goss-metrics.yaml | 3 +- .../examples/oss/test/goss-metrics.yaml | 3 +- .../examples/security/test/goss-metrics.yaml | 3 +- metricbeat/examples/security/values.yaml | 152 +++++++++--------- metricbeat/templates/configmap.yaml | 36 +++++ metricbeat/templates/daemonset.yaml | 12 ++ metricbeat/templates/deployment.yaml | 14 +- metricbeat/tests/metricbeat_test.py | 113 ++++++++++++- metricbeat/values.yaml | 140 ++++++++-------- 11 files changed, 367 insertions(+), 182 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index bf804138f..32100045b 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md 
@@ -65,38 +65,44 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 ## Configuration -| Parameter | Description | Default | -| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- | -| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml`. See [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) for an example of the formatting with the default configuration. | see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | -| `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | -| `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | -| `extraEnvs` | Extra [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config) which will be appended to the `env:` definition for the container | `[]` | -| `extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function | `""` | -| `extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function | `""` | -| `envFrom` | Templatable string of envFrom to be passed to the [environment from variables](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables) which will be appended to the `envFrom:` 
definition for the container | `[]` | -| `hostPathRoot` | Fully-qualified [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) that will be used to persist Metricbeat registry data | `/var/lib` | -| `image` | The Metricbeat docker image | `docker.elastic.co/beats/metricbeat` | -| `imageTag` | The Metricbeat docker image tag | `7.6.2` | -| `imagePullPolicy` | The Kubernetes [imagePullPolicy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) value | `IfNotPresent` | -| `imagePullSecrets` | Configuration for [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) so that you can use a private registry for your image | `[]` | -| `labels` | Configurable [label](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) applied to all Metricbeat pods | `{}` | -| `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` | -| `clusterRoleRules` | Configurable [cluster role rules](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) that Metricbeat uses to access Kubernetes resources. | see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | -| `podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Metricbeat pods | `{}` | -| `podSecurityContext` | Configurable [podSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Metricbeat pod execution environment | `runAsUser: 0`
`privileged: false` | -| `livenessProbe` | Parameters to pass to [liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | -| `readinessProbe` | Parameters to pass to [readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | -| `resources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the `DaemonSet` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | -| `serviceAccount` | Custom [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | -| `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) for an example | `[]` | -| `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | -| `tolerations` | Configurable [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `nodeSelector` | Configurable [nodeSelector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) | `{}` | -| `affinity` | Configurable [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `updateStrategy` | The [updateStrategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | -| `priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `""` | -| `replicas` | The replica count for the metricbeat deployment talking to kube-state-metrics | `1` | -| `fullnameOverride` | Overrides the full name of the resources. 
If not set the name will default to "`.Release.Name`-`.Values.nameOverride or .Chart.Name`" | `""` | +| Parameter | Description | Default | +| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- | +| `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | +| `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. 
| see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | +| `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | +| `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | +| `extraEnvs` | Extra [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config) which will be appended to the `env:` definition for the container | `[]` | +| `extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function | `""` | +| `extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function | `""` | +| `envFrom` | Templatable string of envFrom to be passed to the [environment from variables](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables) which will be appended to the `envFrom:` definition for the container | `[]` | +| `hostPathRoot` | Fully-qualified [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) that will be used to persist Metricbeat registry data | `/var/lib` | +| `image` | The Metricbeat docker image | `docker.elastic.co/beats/metricbeat` | +| `imageTag` | The Metricbeat docker image tag | `7.6.2` | +| `imagePullPolicy` | The Kubernetes [imagePullPolicy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) value | `IfNotPresent` | +| `imagePullSecrets` | Configuration for [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) so that you can use a private registry for your image | `[]` | +| `labels` | Configurable [label](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) applied to all 
Metricbeat pods | `{}` | +| `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` | +| `clusterRoleRules` | Configurable [cluster role rules](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) that Metricbeat uses to access Kubernetes resources. | see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | +| `podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Metricbeat pods | `{}` | +| `podSecurityContext` | Configurable [podSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Metricbeat pod execution environment | `runAsUser: 0`
`privileged: false` | +| `livenessProbe` | Parameters to pass to [liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | +| `readinessProbe` | Parameters to pass to [readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | +| `resources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the `DaemonSet` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | +| `serviceAccount` | Custom [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | +| `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) for an example | `[]` | +| `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | +| `tolerations` | Configurable [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | +| `nodeSelector` | Configurable [nodeSelector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) | `{}` | +| `affinity` | Configurable [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) | `{}` | +| `updateStrategy` | The [updateStrategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | +| `priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `""` | +| `replicas` | The replica count for the metricbeat deployment talking to kube-state-metrics | `1` | +| `fullnameOverride` | Overrides the full name of the resources. 
If not set the name will default to "`.Release.Name`-`.Values.nameOverride or .Chart.Name`" | `""` | + +### Deprecated +| Parameter | Description | Default | +| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | +| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | ## Examples diff --git a/metricbeat/examples/6.x/test/goss-metrics.yaml b/metricbeat/examples/6.x/test/goss-metrics.yaml index 8f60496c0..b255e48d1 100644 --- a/metricbeat/examples/6.x/test/goss-metrics.yaml +++ b/metricbeat/examples/6.x/test/goss-metrics.yaml @@ -5,7 +5,7 @@ port: - '127.0.0.1' mount: - /usr/share/metricbeat/kube-state-metrics-metricbeat.yml: + /usr/share/metricbeat/metricbeat.yml: exists: true opts: - ro @@ -32,7 +32,6 @@ file: /usr/share/metricbeat/metricbeat.yml: exists: true contains: - - 'add_kubernetes_metadata' - 'output.elasticsearch' command: diff --git a/metricbeat/examples/default/test/goss-metrics.yaml b/metricbeat/examples/default/test/goss-metrics.yaml index e079450d6..a6a81a47a 100644 --- a/metricbeat/examples/default/test/goss-metrics.yaml +++ b/metricbeat/examples/default/test/goss-metrics.yaml @@ -5,7 +5,7 @@ port: - '127.0.0.1' mount: - /usr/share/metricbeat/kube-state-metrics-metricbeat.yml: + /usr/share/metricbeat/metricbeat.yml: exists: true opts: - ro @@ -33,7 +33,6 @@ file: /usr/share/metricbeat/metricbeat.yml: exists: true contains: - - 'add_kubernetes_metadata' - 'output.elasticsearch' - 'elasticsearch-master:9200' diff --git a/metricbeat/examples/oss/test/goss-metrics.yaml b/metricbeat/examples/oss/test/goss-metrics.yaml index 251165a9a..3b665cbf2 100644 
--- a/metricbeat/examples/oss/test/goss-metrics.yaml +++ b/metricbeat/examples/oss/test/goss-metrics.yaml @@ -5,7 +5,7 @@ port: - '127.0.0.1' mount: - /usr/share/metricbeat/kube-state-metrics-metricbeat.yml: + /usr/share/metricbeat/metricbeat.yml: exists: true opts: - ro @@ -32,7 +32,6 @@ file: /usr/share/metricbeat/metricbeat.yml: exists: true contains: - - 'add_kubernetes_metadata' - 'output.elasticsearch' command: diff --git a/metricbeat/examples/security/test/goss-metrics.yaml b/metricbeat/examples/security/test/goss-metrics.yaml index 1b8e35c69..4f08a9f6c 100644 --- a/metricbeat/examples/security/test/goss-metrics.yaml +++ b/metricbeat/examples/security/test/goss-metrics.yaml @@ -5,7 +5,7 @@ port: - '127.0.0.1' mount: - /usr/share/metricbeat/kube-state-metrics-metricbeat.yml: + /usr/share/metricbeat/metricbeat.yml: exists: true opts: - ro @@ -38,7 +38,6 @@ file: /usr/share/metricbeat/metricbeat.yml: exists: true contains: - - 'add_kubernetes_metadata' - 'output.elasticsearch' command: diff --git a/metricbeat/examples/security/values.yaml b/metricbeat/examples/security/values.yaml index 8b48e814e..51db92312 100644 --- a/metricbeat/examples/security/values.yaml +++ b/metricbeat/examples/security/values.yaml 
@@ -1,77 +1,83 @@ -metricbeatConfig: - metricbeat.yml: | - metricbeat.modules: - - module: kubernetes - metricsets: - - container - - node - - pod - - system - - volume - period: 10s - host: "${NODE_NAME}" - hosts: ["https://${NODE_NAME}:10250"] - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - ssl.verification_mode: "none" - # If using Red Hat OpenShift remove ssl.verification_mode entry and - # uncomment these settings: - #ssl.certificate_authorities: - #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - processors: - - add_kubernetes_metadata: ~ - - module: kubernetes - enabled: true - metricsets: - - event - - module: system - period: 10s - metricsets: - - cpu - - load - - memory - - network - - process - - process_summary - processes: ['.*'] - process.include_top_n: - by_cpu: 5 - by_memory: 5 - - module: system - period: 1m - metricsets: - - filesystem - - fsstat - processors: - - drop_event.when.regexp: - system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)' +daemonset: + # Allows you to add any config files in /usr/share/metricbeat + # such as metricbeat.yml for daemonset + metricbeatConfig: + metricbeat.yml: | + metricbeat.modules: + - module: kubernetes + metricsets: + - container + - node + - pod + - system + - volume + period: 10s + host: "${NODE_NAME}" + hosts: ["https://${NODE_NAME}:10250"] + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + ssl.verification_mode: "none" + # If using Red Hat OpenShift remove ssl.verification_mode entry and + # uncomment these settings: + #ssl.certificate_authorities: + #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + processors: + - add_kubernetes_metadata: ~ + - module: kubernetes + enabled: true + metricsets: + - event + - module: system + period: 10s + metricsets: + - cpu + - load + - memory + - network + - process + - process_summary + processes: ['.*'] + process.include_top_n: + by_cpu: 5 + by_memory: 5 + - module: 
system + period: 1m + metricsets: + - filesystem + - fsstat + processors: + - drop_event.when.regexp: + system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)' + output.elasticsearch: + username: '${ELASTICSEARCH_USERNAME}' + password: '${ELASTICSEARCH_PASSWORD}' + protocol: https + hosts: ["security-master:9200"] + ssl.certificate_authorities: + - /usr/share/metricbeat/config/certs/elastic-certificate.pem - output.elasticsearch: - username: '${ELASTICSEARCH_USERNAME}' - password: '${ELASTICSEARCH_PASSWORD}' - protocol: https - hosts: ["security-master:9200"] - ssl.certificate_authorities: - - /usr/share/metricbeat/config/certs/elastic-certificate.pem - - kube-state-metrics-metricbeat.yml: | - metricbeat.modules: - - module: kubernetes - enabled: true - metricsets: - - state_node - - state_deployment - - state_replicaset - - state_pod - - state_container - period: 10s - hosts: ["${KUBE_STATE_METRICS_HOSTS}"] - output.elasticsearch: - username: '${ELASTICSEARCH_USERNAME}' - password: '${ELASTICSEARCH_PASSWORD}' - protocol: https - hosts: ["security-master:9200"] - ssl.certificate_authorities: - - /usr/share/metricbeat/config/certs/elastic-certificate.pem +deployment: + # Allows you to add any config files in /usr/share/metricbeat + # such as metricbeat.yml for deployment + metricbeatConfig: + metricbeat.yml: | + metricbeat.modules: + - module: kubernetes + enabled: true + metricsets: + - state_node + - state_deployment + - state_replicaset + - state_pod + - state_container + period: 10s + hosts: ["${KUBE_STATE_METRICS_HOSTS}"] + output.elasticsearch: + username: '${ELASTICSEARCH_USERNAME}' + password: '${ELASTICSEARCH_PASSWORD}' + protocol: https + hosts: ["security-master:9200"] + ssl.certificate_authorities: + - /usr/share/metricbeat/config/certs/elastic-certificate.pem secretMounts: - name: elastic-certificate-pem diff --git a/metricbeat/templates/configmap.yaml b/metricbeat/templates/configmap.yaml index 09e381ce7..eb0e88885 100644 
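Review bot: The kubelet module under `daemonset.metricbeatConfig` keeps `ssl.verification_mode: "none"` next to `bearer_token_file`, so the service-account token is presented to `https://${NODE_NAME}:10250` without the endpoint's certificate ever being checked. The setting is carried over unchanged from the old top-level block, but this is the example named `security`, and the same lines appear in the `metricbeat/values.yaml` hunk of this patch. Since the block is being rewritten anyway, I would at least document the trade-off above it, e.g. `# "none" disables kubelet certificate checks; where the kubelet serving cert is signed by the cluster CA, set ssl.certificate_authorities instead`. Whether verification can be enabled by default depends on how the cluster issues kubelet serving certificates, which is not visible here.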
--- a/metricbeat/templates/configmap.yaml +++ b/metricbeat/templates/configmap.yaml @@ -15,3 +15,39 @@ data: {{ $config | indent 4 -}} {{- end -}} {{- end -}} + +{{- if .Values.daemonset.metricbeatConfig }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "metricbeat.fullname" . }}-daemonset-config + labels: + app: "{{ template "metricbeat.fullname" . }}" + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} +data: +{{- range $path, $config := .Values.daemonset.metricbeatConfig }} + {{ $path }}: | +{{ $config | indent 4 -}} +{{- end -}} +{{- end -}} + +{{- if .Values.deployment.metricbeatConfig }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "metricbeat.fullname" . }}-deployment-config + labels: + app: "{{ template "metricbeat.fullname" . }}" + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} +data: +{{- range $path, $config := .Values.deployment.metricbeatConfig }} + {{ $path }}: | +{{ $config | indent 4 -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index 4ef74e6b9..3a7e4ddfb 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml @@ -63,6 +63,11 @@ spec: configMap: defaultMode: 0600 name: {{ template "metricbeat.fullname" . }}-config + {{- else if .Values.daemonset.metricbeatConfig }} + - name: metricbeat-config + configMap: + defaultMode: 0600 + name: {{ template "metricbeat.fullname" . }}-daemonset-config {{- end }} - name: data hostPath: 
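Review bot: Both new ConfigMaps are gated only on their own value (`.Values.daemonset.metricbeatConfig`, `.Values.deployment.metricbeatConfig`), while the volumes added in daemonset.yaml and deployment.yaml select them only in an `else if` branch, apparently after the `.Values.metricbeatConfig` case (that `if` is outside the hunks). With the non-empty defaults in values.yaml, a release that still sets the deprecated `metricbeatConfig` would therefore render `-daemonset-config` and `-deployment-config` objects that nothing mounts. Consider matching the consumers, e.g. `{{- if and .Values.daemonset.metricbeatConfig (not .Values.metricbeatConfig) }}`, and the same for the deployment block. The file also now ends without a trailing newline.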
@@ -136,6 +141,13 @@ spec: mountPath: /usr/share/metricbeat/{{ $path }} readOnly: true subPath: {{ $path }} + {{ else }} + {{- range $path, $config := .Values.daemonset.metricbeatConfig }} + - name: metricbeat-config + mountPath: /usr/share/metricbeat/{{ $path }} + readOnly: true + subPath: {{ $path }} + {{- end }} {{- end }} - name: data mountPath: /usr/share/metricbeat/data diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index 225160b47..3847f64dd 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml @@ -52,6 +52,11 @@ spec: configMap: defaultMode: 0600 name: {{ template "metricbeat.fullname" . }}-config + {{- else if .Values.deployment.metricbeatConfig }} + - name: metricbeat-config + configMap: + defaultMode: 0600 + name: {{ template "metricbeat.fullname" . }}-deployment-config {{- end }} {{- if .Values.extraVolumes }} {{ toYaml .Values.extraVolumes | indent 6 }} @@ -69,8 +74,6 @@ spec: image: "{{ .Values.image }}:{{ .Values.imageTag }}" imagePullPolicy: "{{ .Values.imagePullPolicy }}" args: - - "-c" - - "/usr/share/metricbeat/kube-state-metrics-metricbeat.yml" - "-e" - "-E" - "http.enabled=true" @@ -111,6 +114,13 @@ spec: mountPath: /usr/share/metricbeat/{{ $path }} readOnly: true subPath: {{ $path }} + {{ else }} + {{- range $path, $config := .Values.deployment.metricbeatConfig }} + - name: metricbeat-config + mountPath: /usr/share/metricbeat/{{ $path }} + readOnly: true + subPath: {{ $path }} + {{- end }} {{- end }} {{- if .Values.extraVolumeMounts }} {{ toYaml .Values.extraVolumeMounts | indent 8 }} diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index 447f5cf3f..aec5195e9 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py 
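Review bot: Removing `-c /usr/share/metricbeat/kube-state-metrics-metricbeat.yml` from the Deployment args in deployment.yaml is unconditional, so a release that still supplies the deprecated top-level `metricbeatConfig` with both files would presumably have its Deployment load the default `metricbeat.yml`, i.e. the node-level configuration, and silently stop collecting kube-state-metrics data. Nothing fails at render time, so the loss of those metrics would only show up as a monitoring gap. I would keep the two args for that case by wrapping them in `{{- if hasKey .Values.metricbeatConfig "kube-state-metrics-metricbeat.yml" }}` … `{{- end }}`, or call out the breaking change in the README's Deprecated section. The container spec starts and ends outside this hunk, and none of the test lines visible in this patch assert on the container args.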
@@ -37,14 +37,66 @@ def test_defaults(): r["daemonset"][name]["spec"]["template"]["spec"]["serviceAccountName"] == name ) - volumes = r["daemonset"][name]["spec"]["template"]["spec"]["volumes"] + cfg = r["configmap"] + + assert name + "-config" not in cfg + assert name + "-daemonset-config" in cfg + assert name + "-deployment-config" in cfg + + assert "metricbeat.yml" in cfg[name + "-daemonset-config"]["data"] + assert "metricbeat.yml" in cfg[name + "-deployment-config"]["data"] + + assert "module: system" in cfg[name + "-daemonset-config"]["data"]["metricbeat.yml"] + assert ( + "module: system" + not in cfg[name + "-deployment-config"]["data"]["metricbeat.yml"] + ) + assert "state_pod" not in cfg[name + "-daemonset-config"]["data"]["metricbeat.yml"] + assert "state_pod" in cfg[name + "-deployment-config"]["data"]["metricbeat.yml"] + + daemonset = r["daemonset"][name]["spec"]["template"]["spec"] + + assert { + "configMap": {"name": name + "-config", "defaultMode": 0o600}, + "name": project + "-config", + } not in daemonset["volumes"] + assert { + "configMap": {"name": name + "-daemonset-config", "defaultMode": 0o600}, + "name": project + "-config", + } in daemonset["volumes"] + assert { "name": "data", "hostPath": { "path": "/var/lib/" + name + "-default-data", "type": "DirectoryOrCreate", }, - } in volumes + } in daemonset["volumes"] + + assert { + "mountPath": "/usr/share/metricbeat/metricbeat.yml", + "name": project + "-config", + "subPath": "metricbeat.yml", + "readOnly": True, + } in daemonset["containers"][0]["volumeMounts"] + + deployment = r["deployment"][name + "-metrics"]["spec"]["template"]["spec"] + + assert { + "configMap": {"name": name + "-config", "defaultMode": 0o600}, + "name": project + "-config", + } not in deployment["volumes"] + assert { + "configMap": {"name": name + "-deployment-config", "defaultMode": 0o600}, + "name": project + "-config", + } in deployment["volumes"] + + assert { + "mountPath": "/usr/share/metricbeat/metricbeat.yml", + 
"name": project + "-config", + "subPath": "metricbeat.yml", + "readOnly": True, + } in deployment["containers"][0]["volumeMounts"] def test_adding_a_extra_container(): 
@@ -184,6 +236,63 @@ def test_setting_pod_security_context(): def test_adding_in_metricbeat_config(): config = """ +daemonset: + metricbeatConfig: + metricbeat.yml: | + key: daemonset + daemonset-config.yml: | + hello = daemonset + +deployment: + metricbeatConfig: + metricbeat.yml: | + key: deployment + deployment-config.yml: | + hello = deployment +""" + r = helm_template(config) + cfg = r["configmap"] + + assert "metricbeat.yml" in cfg[name + "-daemonset-config"]["data"] + assert "daemonset-config.yml" in cfg[name + "-daemonset-config"]["data"] + assert "deployment-config.yml" not in cfg[name + "-daemonset-config"]["data"] + assert "metricbeat.yml" in cfg[name + "-deployment-config"]["data"] + assert "deployment-config.yml" in cfg[name + "-deployment-config"]["data"] + assert "daemonset-config.yml" not in cfg[name + "-deployment-config"]["data"] + + assert "key: daemonset" in cfg[name + "-daemonset-config"]["data"]["metricbeat.yml"] + assert ( + "key: deployment" in cfg[name + "-deployment-config"]["data"]["metricbeat.yml"] + ) + + assert ( + "hello = daemonset" + in cfg[name + "-daemonset-config"]["data"]["daemonset-config.yml"] + ) + assert ( + "hello = deployment" + in cfg[name + "-deployment-config"]["data"]["deployment-config.yml"] + ) + + daemonset = r["daemonset"][name]["spec"]["template"]["spec"] + assert { + "mountPath": "/usr/share/metricbeat/daemonset-config.yml", + "name": project + "-config", + "subPath": "daemonset-config.yml", + "readOnly": True, + } in daemonset["containers"][0]["volumeMounts"] + + deployment = r["deployment"][name + "-metrics"]["spec"]["template"]["spec"] + assert { + "mountPath": "/usr/share/metricbeat/deployment-config.yml", + "name": project + "-config", + "subPath": "deployment-config.yml", + "readOnly": True, + } in deployment["containers"][0]["volumeMounts"] + + +def test_adding_in_deprecated_metricbeat_config(): + config = """ metricbeatConfig: metricbeat.yml: | key: 
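Review bot: The mount assertions in `test_adding_in_metricbeat_config` are positive only: each workload is checked for its own extra file, but nothing verifies that the other workload's file is absent from its `volumeMounts`, so a template that ranges over the wrong value or mounts both sets would still pass. A negative check such as `assert not any(m.get("subPath") == "deployment-config.yml" for m in daemonset["containers"][0]["volumeMounts"])`, mirrored for the deployment with `daemonset-config.yml`, would pin the isolation at the pod level rather than only at the ConfigMap level. The body of `test_adding_in_deprecated_metricbeat_config` continues past the end of this hunk, so whether the deprecated path gets comparable coverage cannot be seen here.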
diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index e89225f1f..49f9cb2e8 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml 
@@ -1,72 +1,82 @@ --- + +daemonset: + # Allows you to add any config files in /usr/share/metricbeat + # such as metricbeat.yml for daemonset + metricbeatConfig: + metricbeat.yml: | + metricbeat.modules: + - module: kubernetes + metricsets: + - container + - node + - pod + - system + - volume + period: 10s + host: "${NODE_NAME}" + hosts: ["https://${NODE_NAME}:10250"] + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + ssl.verification_mode: "none" + # If using Red Hat OpenShift remove ssl.verification_mode entry and + # uncomment these settings: + #ssl.certificate_authorities: + #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + processors: + - add_kubernetes_metadata: ~ + - module: kubernetes + enabled: true + metricsets: + - event + - module: system + period: 10s + metricsets: + - cpu + - load + - memory + - network + - process + - process_summary + processes: ['.*'] + process.include_top_n: + by_cpu: 5 + by_memory: 5 + - module: system + period: 1m + metricsets: + - filesystem + - fsstat + processors: + - drop_event.when.regexp: + system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)' + output.elasticsearch: + hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' + +deployment: + # Allows you to add any config files in /usr/share/metricbeat + # such as metricbeat.yml for deployment + metricbeatConfig: + metricbeat.yml: | + metricbeat.modules: + - module: kubernetes + enabled: true + metricsets: + - state_node + - state_deployment + - state_replicaset + - state_pod + - state_container + period: 10s + hosts: ["${KUBE_STATE_METRICS_HOSTS}"] + output.elasticsearch: + hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' + +# DEPRECATED # Allows you to add any config files in /usr/share/metricbeat -# such as metricbeat.yml -metricbeatConfig: - metricbeat.yml: | - metricbeat.modules: - - module: kubernetes - metricsets: - - container - - node - - pod - - system - - volume - period: 10s - host: 
"${NODE_NAME}" - hosts: ["https://${NODE_NAME}:10250"] - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - ssl.verification_mode: "none" - # If using Red Hat OpenShift remove ssl.verification_mode entry and - # uncomment these settings: - #ssl.certificate_authorities: - #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - processors: - - add_kubernetes_metadata: ~ - - module: kubernetes - enabled: true - metricsets: - - event - - module: system - period: 10s - metricsets: - - cpu - - load - - memory - - network - - process - - process_summary - processes: ['.*'] - process.include_top_n: - by_cpu: 5 - by_memory: 5 - - module: system - period: 1m - metricsets: - - filesystem - - fsstat - processors: - - drop_event.when.regexp: - system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)' - output.elasticsearch: - hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' - - kube-state-metrics-metricbeat.yml: | - metricbeat.modules: - - module: kubernetes - enabled: true - metricsets: - - state_node - - state_deployment - - state_replicaset - - state_pod - - state_container - period: 10s - hosts: ["${KUBE_STATE_METRICS_HOSTS}"] - output.elasticsearch: - hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' +# such as metricbeat.yml for both daemonset and deployment +metricbeatConfig: {} # Replicas being used for the kube-state-metrics metricbeat deployment - replicas: 1 extraContainers: "" From 61c96beed4497a3d0365f4cb6e618ac66657de1f Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Tue, 14 Apr 2020 16:57:52 +0200 Subject: [PATCH 02/15] [metricbeat] use markdown implicit link name for config table --- metricbeat/README.md | 92 +++++++++++++++++++++++++++----------------- 1 file changed, 56 insertions(+), 36 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 32100045b..077e2053e 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md 
@@ -65,44 +65,44 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 ## Configuration -| Parameter | Description | Default | -| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- | -| `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | -| `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. 
| see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | -| `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | -| `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | -| `extraEnvs` | Extra [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config) which will be appended to the `env:` definition for the container | `[]` | -| `extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function | `""` | -| `extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function | `""` | -| `envFrom` | Templatable string of envFrom to be passed to the [environment from variables](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables) which will be appended to the `envFrom:` definition for the container | `[]` | -| `hostPathRoot` | Fully-qualified [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) that will be used to persist Metricbeat registry data | `/var/lib` | -| `image` | The Metricbeat docker image | `docker.elastic.co/beats/metricbeat` | -| `imageTag` | The Metricbeat docker image tag | `7.6.2` | -| `imagePullPolicy` | The Kubernetes [imagePullPolicy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) value | `IfNotPresent` | -| `imagePullSecrets` | Configuration for [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) so that you can use a private registry for your image | `[]` | -| `labels` | Configurable [label](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) applied to all 
Metricbeat pods | `{}` | -| `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` | -| `clusterRoleRules` | Configurable [cluster role rules](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) that Metricbeat uses to access Kubernetes resources. | see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | -| `podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Metricbeat pods | `{}` | -| `podSecurityContext` | Configurable [podSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Metricbeat pod execution environment | `runAsUser: 0`
`privileged: false` | -| `livenessProbe` | Parameters to pass to [liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | -| `readinessProbe` | Parameters to pass to [readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | -| `resources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the `DaemonSet` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | -| `serviceAccount` | Custom [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | -| `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) for an example | `[]` | -| `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | -| `tolerations` | Configurable [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `nodeSelector` | Configurable [nodeSelector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) | `{}` | -| `affinity` | Configurable [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `updateStrategy` | The [updateStrategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | -| `priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `""` | -| `replicas` | The replica count for the metricbeat deployment talking to kube-state-metrics | `1` | -| `fullnameOverride` | Overrides the full name of the resources. 
If not set the name will default to "`.Release.Name`-`.Values.nameOverride or .Chart.Name`" | `""` | +| Parameter | Description | Default | +| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | +| `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | +| `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | +| `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | +| `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | +| `extraEnvs` | Extra [environment variables][] which will be appended to the `env:` definition for the container | `[]` | +| `extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function | `""` | +| `extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function | `""` | +| `envFrom` | Templatable string of envFrom to be passed to the [environment from variables][] which will be appended to the `envFrom:` definition for the container | `[]` | +| `hostPathRoot` | Fully-qualified [hostPath][] that will be used to persist Metricbeat registry data | `/var/lib` | +| `image` | The Metricbeat docker image | `docker.elastic.co/beats/metricbeat` | +| `imageTag` | The Metricbeat docker image tag | `7.6.2` | +| `imagePullPolicy` | The Kubernetes [imagePullPolicy][] value | `IfNotPresent` | +| `imagePullSecrets` | Configuration for [imagePullSecrets][] so that you can use a 
private registry for your image | `[]` | +| `labels` | Configurable [label][] applied to all Metricbeat pods | `{}` | +| `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` | +| `clusterRoleRules` | Configurable [cluster role rules][] that Metricbeat uses to access Kubernetes resources. | see [values.yaml][] | +| `podAnnotations` | Configurable [annotations][] applied to all Metricbeat pods | `{}` | +| `podSecurityContext` | Configurable [podSecurityContext][] for Metricbeat pod execution environment | `runAsUser: 0`
`privileged: false` | +| `livenessProbe` | Parameters to pass to [liveness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | +| `readinessProbe` | Parameters to pass to [readiness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | +| `resources` | Allows you to set the [resources][] for the `DaemonSet` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | +| `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | +| `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | +| `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | +| `tolerations` | Configurable [tolerations][] | `[]` | +| `nodeSelector` | Configurable [nodeSelector][] | `{}` | +| `affinity` | Configurable [affinity][] | `{}` | +| `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | +| `priorityClassName` | The [name of the PriorityClass][]. No default is supplied as the PriorityClass must be created first. | `""` | +| `replicas` | The replica count for the metricbeat deployment talking to kube-state-metrics | `1` | +| `fullnameOverride` | Overrides the full name of the resources. If not set the name will default to "`.Release.Name`-`.Values.nameOverride or .Chart.Name`" | `""` | ### Deprecated -| Parameter | Description | Default | -| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | -| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. 
| see [values.yaml](https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml) | +| Parameter | Description | Default | +| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] | ## Examples 
@@ -152,3 +152,23 @@ To run the goss tests against the default example: cd examples/default make goss ``` + +[affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +[annotations]: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +[cluster role rules]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole +[environment variables]: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config +[environment from variables]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables +[hostPath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath +[imagePullPolicy]: https://kubernetes.io/docs/concepts/containers/images/#updating-images +[imagePullSecrets]: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret +[label]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +[liveness probe]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +[name of the PriorityClass]: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass +[nodeSelector]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +[podSecurityContext]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +[readiness probe]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[serviceAccount]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +[tolerations]: 
https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +[updateStrategy]: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy +[values.yaml]: https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml \ No newline at end of file From 2a5e45d6cfcc05384bf4c83feac50dfd90fdfc32 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Tue, 14 Apr 2020 18:30:32 +0200 Subject: [PATCH 03/15] [metricbeat] split affinity for daemonset and deployment --- metricbeat/README.md | 4 ++- metricbeat/templates/daemonset.yaml | 4 +-- metricbeat/templates/deployment.yaml | 1 + metricbeat/tests/metricbeat_test.py | 47 ++++++++++++++++++++++++++++ metricbeat/values.yaml | 7 +++-- 5 files changed, 57 insertions(+), 6 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 077e2053e..840a061b7 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md 
@@ -67,7 +67,9 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 ## Configuration | Parameter | Description | Default | | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | +| `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | | `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | +| `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | | `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | | `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | | `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | 
@@ -93,7 +95,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | | `tolerations` | Configurable [tolerations][] | `[]` | | `nodeSelector` | Configurable [nodeSelector][] | `{}` | -| `affinity` | Configurable [affinity][] | `{}` | | `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | | `priorityClassName` | The [name of the PriorityClass][]. No default is supplied as the PriorityClass must be created first. | `""` | | `replicas` | The replica count for the metricbeat deployment talking to kube-state-metrics | `1` | @@ -102,6 +103,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 ### Deprecated | Parameter | Description | Default | | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `affinity` | Configurable [affinity][] | `{}` | | `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] | ## Examples diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index 3a7e4ddfb..002c2a9d2 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml 
@@ -47,9 +47,7 @@ spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} - {{- with .Values.affinity }} - affinity: {{ toYaml . | nindent 8 -}} - {{- end }} + affinity: {{ toYaml ( .Values.affinity | default .Values.daemonset.affinity ) | nindent 8 }} serviceAccountName: {{ template "metricbeat.serviceAccount" . }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} volumes: diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index 3847f64dd..041c06230 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml @@ -32,6 +32,7 @@ spec: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' spec: + affinity: {{ toYaml .Values.deployment.affinity | nindent 8 }} {{- with .Values.tolerations }} tolerations: {{ toYaml . | indent 6 }} diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index aec5195e9..0403e658a 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py 
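Review bot: In daemonset.yaml the precedence in `.Values.affinity | default .Values.daemonset.affinity` is undocumented: a non-empty deprecated `affinity` silently wins over `daemonset.affinity` when both are set. I would add a template comment on the line above, `{{- /* deprecated .Values.affinity, when set, overrides .Values.daemonset.affinity */}}`. The README's Deprecated table should also say that the key applies only to the `DaemonSet`, since the deployment.yaml hunk reads `.Values.deployment.affinity` alone. The daemonset now always emits the `affinity:` key (as `{}` by default) where the removed `with` block omitted it, which changes the rendered manifest even for users who set nothing.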
@@ -413,6 +413,53 @@ def test_adding_an_affinity_rule(): ][0]["topologyKey"] == "kubernetes.io/hostname" ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["affinity"] == {} + ) + + config = """ +daemonset: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - metricbeat + topologyKey: kubernetes.io/hostname +""" + + r = helm_template(config) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["affinity"]["podAntiAffinity"][ + "requiredDuringSchedulingIgnoredDuringExecution" + ][0]["topologyKey"] + == "kubernetes.io/hostname" + ) + + config = """ +deployment: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - metricbeat + topologyKey: kubernetes.io/hostname +""" + + r = helm_template(config) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["affinity"][ + "podAntiAffinity" + ]["requiredDuringSchedulingIgnoredDuringExecution"][0]["topologyKey"] + == "kubernetes.io/hostname" + ) def test_priority_class_name(): diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index 49f9cb2e8..ec62de9c2 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml @@ -1,6 +1,7 @@ --- daemonset: + affinity: {} # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for daemonset metricbeatConfig: @@ -53,6 +54,7 @@ daemonset: hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' deployment: + affinity: {} # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for deployment metricbeatConfig: @@ -209,8 +211,6 @@ tolerations: [] nodeSelector: {} -affinity: {} - # This is the PriorityClass settings as defined in # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: "" 
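Review bot: The two scenarios added to `test_adding_an_affinity_rule` check only the workload that was configured, so a template that leaked `daemonset.affinity` into the Deployment (or the reverse) would still pass. After the `daemonset:` config I would add `assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["affinity"] == {}`, and after the `deployment:` config `assert r["daemonset"][name]["spec"]["template"]["spec"]["affinity"] == {}`. The scenarios also share one function and rebind `config` and `r`, so a failure in the first hides the later ones; separate test functions would report each independently. The function begins outside the hunk.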
@@ -221,3 +221,6 @@ updateStrategy: RollingUpdate # Only edit these if you know what you're doing nameOverride: "" fullnameOverride: "" + +# DEPRECATED +affinity: {} From c8af71ba2a3c010cb9a348db72b88c13d0ab9be2 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 15 Apr 2020 00:23:30 +0200 Subject: [PATCH 04/15] [metricbeat] split resources for daemonset and deployment --- metricbeat/README.md | 14 +++-- metricbeat/templates/daemonset.yaml | 3 +- metricbeat/templates/deployment.yaml | 3 +- metricbeat/tests/metricbeat_test.py | 84 ++++++++++++++++++++++++++++ metricbeat/values.yaml | 23 +++++--- 5 files changed, 109 insertions(+), 18 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 840a061b7..e4a78cb9f 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md @@ -66,11 +66,13 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 ## Configuration | Parameter | Description | Default | -| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | +| --- | --- | --- | | `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | | `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | +| `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | | `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | +| `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | | `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | | `extraEnvs` | Extra [environment variables][] which will be appended to the `env:` definition for the container | `[]` | @@ -89,7 +91,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `podSecurityContext` | Configurable [podSecurityContext][] for Metricbeat pod execution environment | `runAsUser: 0`
`privileged: false` | | `livenessProbe` | Parameters to pass to [liveness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | | `readinessProbe` | Parameters to pass to [readiness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | -| `resources` | Allows you to set the [resources][] for the `DaemonSet` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | | `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | @@ -101,10 +102,11 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `fullnameOverride` | Overrides the full name of the resources. If not set the name will default to "`.Release.Name`-`.Values.nameOverride or .Chart.Name`" | `""` | ### Deprecated -| Parameter | Description | Default | -| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| `affinity` | Configurable [affinity][] | `{}` | -| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] | +| Parameter | Description | Default | +| --- | --- | --- | +| `affinity` | Configurable [affinity][] | `{}` | +| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] | +| `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | ## Examples diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index 002c2a9d2..755754e86 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml @@ -104,8 +104,7 @@ spec: {{ toYaml .Values.livenessProbe | indent 10 }} readinessProbe: {{ toYaml .Values.readinessProbe | indent 10 }} - resources: -{{ toYaml .Values.resources | indent 10 }} + resources: {{ toYaml ( .Values.resources | default .Values.daemonset.resources ) | nindent 10 }} env: - name: POD_NAMESPACE valueFrom: diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index 041c06230..422f9d32b 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml @@ -82,8 +82,7 @@ spec: {{ toYaml .Values.livenessProbe | indent 10 }} readinessProbe: {{ toYaml .Values.readinessProbe | indent 10 }} - resources: -{{ toYaml .Values.resources | indent 10 }} + resources: {{ toYaml ( .Values.resources | default .Values.deployment.resources ) | nindent 10 }} env: - name: POD_NAMESPACE valueFrom: diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index 0403e658a..2110ec6ae 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py @@ -98,6 +98,15 @@ def test_defaults(): "readOnly": True, } in deployment["containers"][0]["volumeMounts"] + assert daemonset["containers"][0]["resources"] == { + "requests": {"cpu": "100m", "memory": "100Mi"}, + "limits": {"cpu": "1000m", "memory": "200Mi"}, + } + assert deployment["containers"][0]["resources"] == { + "requests": {"cpu": "100m", "memory": "100Mi"}, + "limits": {"cpu": "1000m", "memory": "200Mi"}, + } + def test_adding_a_extra_container(): config = """ 
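Review bot: With `.Values.resources | default .Values.daemonset.resources` in daemonset.yaml (and the matching line in deployment.yaml), a deprecated `resources` value replaces the per-workload map wholesale instead of being merged with it. This patch's values.yaml change moves the defaults under `daemonset.resources` and `deployment.resources` and leaves the top level as `resources: {}`. As far as the visible hunks show, an existing release that sets only `resources.limits.cpu` would therefore now render without requests and without a memory limit. Merging would keep the old behaviour, something like `resources: {{ toYaml ( merge (dict) .Values.resources .Values.daemonset.resources ) | nindent 10 }}`; otherwise the README's Deprecated entry should state that the map must be complete.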
@@ -541,6 +550,81 @@ def test_adding_env_from(): assert configMapRef == {"name": "configmap-name"} +def test_overriding_resources(): + config = """ +daemonset: + resources: + limits: + cpu: "25m" + memory: "128Mi" + requests: + cpu: "25m" + memory: "128Mi" +""" + r = helm_template(config) + assert r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "resources" + ] == { + "requests": {"cpu": "25m", "memory": "128Mi"}, + "limits": {"cpu": "25m", "memory": "128Mi"}, + } + assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][ + 0 + ]["resources"] == { + "requests": {"cpu": "100m", "memory": "100Mi"}, + "limits": {"cpu": "1000m", "memory": "200Mi"}, + } + + config = """ +deployment: + resources: + limits: + cpu: "25m" + memory: "128Mi" + requests: + cpu: "25m" + memory: "128Mi" +""" + r = helm_template(config) + assert r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "resources" + ] == { + "requests": {"cpu": "100m", "memory": "100Mi"}, + "limits": {"cpu": "1000m", "memory": "200Mi"}, + } + assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][ + 0 + ]["resources"] == { + "requests": {"cpu": "25m", "memory": "128Mi"}, + "limits": {"cpu": "25m", "memory": "128Mi"}, + } + + +def test_adding_deprecated_resources(): + config = """ +resources: + limits: + cpu: "25m" + memory: "128Mi" + requests: + cpu: "25m" + memory: "128Mi" +""" + r = helm_template(config) + assert r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "resources" + ] == { + "requests": {"cpu": "25m", "memory": "128Mi"}, + "limits": {"cpu": "25m", "memory": "128Mi"}, + } + assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][ + 0 + ]["resources"] == { + "requests": {"cpu": "25m", "memory": "128Mi"}, + "limits": {"cpu": "25m", "memory": "128Mi"}, + } + + def test_setting_fullnameOverride(): config = """ fullnameOverride: 'metricbeat-custom' 
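Review bot: `test_adding_deprecated_resources` supplies only a complete `resources` map, so the new tests do not pin what is rendered when the deprecated key is partial or is set together with `daemonset.resources`. Two cases would document the intended precedence: one with only `resources.limits.cpu` set that asserts the rendered `requests` and `limits.memory`, and one setting both keys that asserts which wins. The default map `{"requests": {"cpu": "100m", "memory": "100Mi"}, "limits": {"cpu": "1000m", "memory": "200Mi"}}` is also written out in full in each assertion; a module-level constant would keep the copies in sync.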
diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index ec62de9c2..906ffb583 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml @@ -52,6 +52,13 @@ daemonset: system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)' output.elasticsearch: hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + cpu: "1000m" + memory: "200Mi" deployment: affinity: {} @@ -72,6 +79,13 @@ deployment: hosts: ["${KUBE_STATE_METRICS_HOSTS}"] output.elasticsearch: hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + cpu: "1000m" + memory: "200Mi" # DEPRECATED # Allows you to add any config files in /usr/share/metricbeat @@ -186,14 +200,6 @@ podSecurityContext: runAsUser: 0 privileged: false -resources: - requests: - cpu: "100m" - memory: "100Mi" - limits: - cpu: "1000m" - memory: "200Mi" - # Custom service account override that the pod will use serviceAccount: "" @@ -224,3 +230,4 @@ fullnameOverride: "" # DEPRECATED affinity: {} +resources: {} From f667825fa453a78713b4f2b7d535ea45d943dcdd Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 15 Apr 2020 00:57:00 +0200 Subject: [PATCH 05/15] [metricbeat] split nodeSelector for daemonset and deployment --- metricbeat/README.md | 4 +++- metricbeat/templates/daemonset.yaml | 4 +--- metricbeat/templates/deployment.yaml | 1 + metricbeat/tests/metricbeat_test.py | 31 ++++++++++++++++++++++++++++ metricbeat/values.yaml | 5 +++-- 5 files changed, 39 insertions(+), 6 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index e4a78cb9f..aa7ed33fc 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md 
@@ -69,9 +69,11 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | --- | --- | --- | | `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | | `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | +| `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | | `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | | `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | +| `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` | | `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | | `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | @@ -95,7 +97,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | | `tolerations` | Configurable [tolerations][] | `[]` | -| `nodeSelector` | Configurable [nodeSelector][] | `{}` | | `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | | `priorityClassName` | The [name of the PriorityClass][]. No default is supplied as the PriorityClass must be created first. | `""` | | `replicas` | The replica count for the metricbeat deployment talking to kube-state-metrics | `1` | @@ -106,6 +107,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | --- | --- | --- | | `affinity` | Configurable [affinity][] | `{}` | | `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] | +| `nodeSelector` | Configurable [nodeSelector][] | `{}` | | `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | ## Examples diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index 755754e86..311bdaeb0 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml @@ -41,9 +41,7 @@ spec: {{- with .Values.tolerations }} tolerations: {{ toYaml . | nindent 6 }} {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} + nodeSelector: {{ toYaml ( .Values.nodeSelector | default .Values.daemonset.nodeSelector ) | nindent 8 }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index 422f9d32b..ca9fe8347 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml @@ -33,6 +33,7 @@ spec: release: '{{ .Release.Name }}' spec: affinity: {{ toYaml .Values.deployment.affinity | nindent 8 }} + nodeSelector: {{ toYaml .Values.deployment.nodeSelector | nindent 8 }} {{- with .Values.tolerations }} tolerations: {{ toYaml . | indent 6 }} diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index 2110ec6ae..29f54dca3 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py 
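Review bot: In the daemonset.yaml hunk, `.Values.nodeSelector | default .Values.daemonset.nodeSelector` gives the deprecated top-level key priority, so a `daemonset.nodeSelector` is dropped without any message whenever an old `nodeSelector` is still set in the user's values. The tolerations hunks (PATCH 06) and the `securityContext` hunks (PATCH 08) use the same expression; there a leftover `podSecurityContext` would replace a tightened `daemonset.securityContext` or `deployment.securityContext`. I would state the precedence next to the deprecated keys in values.yaml, for example `# DEPRECATED: when set, these override the daemonset.* and deployment.* values`, and repeat it in the README's Deprecated table. The enclosing pod spec continues outside the hunk.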
@@ -391,6 +391,37 @@ def test_adding_a_extra_volume_with_volume_mount(): def test_adding_a_node_selector(): config = """ +daemonset: + nodeSelector: + disktype: ssd +""" + r = helm_template(config) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["nodeSelector"]["disktype"] + == "ssd" + ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["nodeSelector"] + == {} + ) + + config = """ +deployment: + nodeSelector: + disktype: ssd +""" + r = helm_template(config) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["nodeSelector"][ + "disktype" + ] + == "ssd" + ) + assert r["daemonset"][name]["spec"]["template"]["spec"]["nodeSelector"] == {} + + +def test_adding_deprecated_node_selector(): + config = """ nodeSelector: disktype: ssd """ diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index 906ffb583..a68c9c51a 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml @@ -52,6 +52,7 @@ daemonset: system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)' output.elasticsearch: hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' + nodeSelector: {} resources: requests: cpu: "100m" @@ -79,6 +80,7 @@ deployment: hosts: ["${KUBE_STATE_METRICS_HOSTS}"] output.elasticsearch: hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' + nodeSelector: {} resources: requests: cpu: "100m" @@ -215,8 +217,6 @@ terminationGracePeriod: 30 tolerations: [] -nodeSelector: {} - # This is the PriorityClass settings as defined in # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: "" @@ -230,4 +230,5 @@ fullnameOverride: "" # DEPRECATED affinity: {} +nodeSelector: {} resources: {} From bcdab4545b6e022b11f31a1bee3d5206c1885cc6 Mon Sep 17 00:00:00 2001 
From: Julien Mailleret Date: Wed, 15 Apr 2020 10:49:23 +0200 Subject: [PATCH 06/15] [metricbeat] split tolerations for daemonset and deployment --- metricbeat/README.md | 6 ++-- metricbeat/templates/daemonset.yaml | 4 +-- metricbeat/templates/deployment.yaml | 5 +-- metricbeat/tests/metricbeat_test.py | 52 +++++++++++++++++++++++++++- metricbeat/values.yaml | 5 +-- 5 files changed, 59 insertions(+), 13 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index aa7ed33fc..13427cccd 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md @@ -70,11 +70,11 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | | `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | | `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | -| `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | +| `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` | | `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | | `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | | `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` | -| `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment` | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | +| `deployment.tolerations` | Configurable [tolerations][] for Metricbeat `Deployment`. | `[]` | | `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | | `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | | `extraEnvs` | Extra [environment variables][] which will be appended to the `env:` definition for the container | `[]` | @@ -96,7 +96,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | | `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | -| `tolerations` | Configurable [tolerations][] | `[]` | | `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | | `priorityClassName` | The [name of the PriorityClass][]. No default is supplied as the PriorityClass must be created first. | `""` | | `replicas` | The replica count for the metricbeat deployment talking to kube-state-metrics | `1` | 
@@ -109,6 +108,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] | | `nodeSelector` | Configurable [nodeSelector][] | `{}` | | `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | +| `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` | ## Examples diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index 311bdaeb0..c97117030 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml @@ -38,10 +38,8 @@ spec: {{ $key }}: {{ $value | quote }} {{- end }} spec: - {{- with .Values.tolerations }} - tolerations: {{ toYaml . | nindent 6 }} - {{- end }} nodeSelector: {{ toYaml ( .Values.nodeSelector | default .Values.daemonset.nodeSelector ) | nindent 8 }} + tolerations: {{ toYaml ( .Values.tolerations | default .Values.daemonset.tolerations ) | nindent 8 }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index ca9fe8347..c0e4fa07b 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml @@ -34,10 +34,7 @@ spec: spec: affinity: {{ toYaml .Values.deployment.affinity | nindent 8 }} nodeSelector: {{ toYaml .Values.deployment.nodeSelector | nindent 8 }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 6 }} - {{- end }} + tolerations: {{ toYaml ( .Values.tolerations | default .Values.deployment.tolerations ) | nindent 8 }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index 29f54dca3..792f5bcfd 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py 
@@ -27,9 +27,14 @@ def test_defaults(): assert "metricbeat test output" in c["readinessProbe"]["exec"]["command"][-1] + assert r["daemonset"][name]["spec"]["template"]["spec"]["tolerations"] == [] + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["tolerations"] + == [] + ) + # Empty customizable defaults assert "imagePullSecrets" not in r["daemonset"][name]["spec"]["template"]["spec"] - assert "tolerations" not in r["daemonset"][name]["spec"]["template"]["spec"] assert r["daemonset"][name]["spec"]["updateStrategy"]["type"] == "RollingUpdate" @@ -187,6 +192,45 @@ def test_adding_image_pull_secrets(): def test_adding_tolerations(): config = """ +daemonset: + tolerations: + - key: "key1" + operator: "Equal" + value: "value1" + effect: "NoExecute" + tolerationSeconds: 3600 +""" + r = helm_template(config) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["tolerations"][0]["key"] + == "key1" + ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["tolerations"] + == [] + ) + + config = """ +deployment: + tolerations: + - key: "key1" + operator: "Equal" + value: "value1" + effect: "NoExecute" + tolerationSeconds: 3600 +""" + r = helm_template(config) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["tolerations"][ + 0 + ]["key"] + == "key1" + ) + assert r["daemonset"][name]["spec"]["template"]["spec"]["tolerations"] == [] + + +def test_adding_deprecated_tolerations(): + config = """ tolerations: - key: "key1" operator: "Equal" @@ -199,6 +243,12 @@ def test_adding_tolerations(): r["daemonset"][name]["spec"]["template"]["spec"]["tolerations"][0]["key"] == "key1" ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["tolerations"][ + 0 + ]["key"] + == "key1" + ) def test_override_the_default_update_strategy(): diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index a68c9c51a..465920f79 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml 
@@ -60,6 +60,7 @@ daemonset: limits: cpu: "1000m" memory: "200Mi" + tolerations: [] deployment: affinity: {} @@ -88,6 +89,7 @@ deployment: limits: cpu: "1000m" memory: "200Mi" + tolerations: [] # DEPRECATED # Allows you to add any config files in /usr/share/metricbeat @@ -215,8 +217,6 @@ secretMounts: [] # How long to wait for metricbeat pods to stop gracefully terminationGracePeriod: 30 -tolerations: [] - # This is the PriorityClass settings as defined in # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: "" @@ -232,3 +232,4 @@ fullnameOverride: "" affinity: {} nodeSelector: {} resources: {} +tolerations: [] From 7914ffb358cc76aeaee04850ef41e8d2781297e5 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 15 Apr 2020 10:54:51 +0200 Subject: [PATCH 07/15] [metricbeat] nit * reorder some values * improve values description --- metricbeat/README.md | 6 ++++-- metricbeat/templates/daemonset.yaml | 2 +- metricbeat/values.yaml | 8 +++----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 13427cccd..11d373b15 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md @@ -70,10 +70,12 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | | `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | | `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | +| `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` | | `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | | `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | | `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` | +| `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `deployment.tolerations` | Configurable [tolerations][] for Metricbeat `Deployment`. | `[]` | | `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | | `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | @@ -104,9 +106,9 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 ### Deprecated | Parameter | Description | Default | | --- | --- | --- | -| `affinity` | Configurable [affinity][] | `{}` | +| `affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | | `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] | -| `nodeSelector` | Configurable [nodeSelector][] | `{}` | +| `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | | `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` | diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index c97117030..a82948c58 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml @@ -38,12 +38,12 @@ spec: {{ $key }}: {{ $value | quote }} {{- end }} spec: + affinity: {{ toYaml ( .Values.affinity | default .Values.daemonset.affinity ) | nindent 8 }} nodeSelector: {{ toYaml ( .Values.nodeSelector | default .Values.daemonset.nodeSelector ) | nindent 8 }} tolerations: {{ toYaml ( .Values.tolerations | default .Values.daemonset.tolerations ) | nindent 8 }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} - affinity: {{ toYaml ( .Values.affinity | default .Values.daemonset.affinity ) | nindent 8 }} serviceAccountName: {{ template "metricbeat.serviceAccount" . }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} volumes: diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index 465920f79..38799dd87 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml @@ -91,11 +91,6 @@ deployment: memory: "200Mi" tolerations: [] -# DEPRECATED -# Allows you to add any config files in /usr/share/metricbeat -# such as metricbeat.yml for both daemonset and deployment -metricbeatConfig: {} - # Replicas being used for the kube-state-metrics metricbeat deployment replicas: 1 @@ -230,6 +225,9 @@ fullnameOverride: "" # DEPRECATED affinity: {} +# Allows you to add any config files in /usr/share/metricbeat +# such as metricbeat.yml for both daemonset and deployment +metricbeatConfig: {} nodeSelector: {} resources: {} tolerations: [] From 07877a635c1add5420a413549d5bcd43a9f68e6a Mon Sep 17 00:00:00 2001 
From: Julien Mailleret Date: Wed, 15 Apr 2020 12:51:03 +0200 Subject: [PATCH 08/15] [metricbeat] split security context for daemonset and deployment --- metricbeat/README.md | 6 +- metricbeat/templates/daemonset.yaml | 5 +- metricbeat/templates/deployment.yaml | 5 +- metricbeat/tests/metricbeat_test.py | 118 ++++++++++++++++++++++++++- metricbeat/values.yaml | 20 +++-- 5 files changed, 132 insertions(+), 22 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 11d373b15..9ebbc7517 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md @@ -70,11 +70,13 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | | `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | | `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | +| `daemonset.securityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` pod execution environment. | `runAsUser: 0`
`privileged: false` | | `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` | | `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | | `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | | `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` | +| `deployment.securityContext` | Configurable [securityContext][] for Metricbeat `Deployment` pod execution environment. | `runAsUser: 0`
`privileged: false` | | `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `deployment.tolerations` | Configurable [tolerations][] for Metricbeat `Deployment`. | `[]` | | `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | @@ -92,7 +94,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` | | `clusterRoleRules` | Configurable [cluster role rules][] that Metricbeat uses to access Kubernetes resources. | see [values.yaml][] | | `podAnnotations` | Configurable [annotations][] applied to all Metricbeat pods | `{}` | -| `podSecurityContext` | Configurable [podSecurityContext][] for Metricbeat pod execution environment | `runAsUser: 0`
`privileged: false` | | `livenessProbe` | Parameters to pass to [liveness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | | `readinessProbe` | Parameters to pass to [readiness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | | `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | @@ -109,6 +110,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | | `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] | | `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | +| `podSecurityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` and `Deployment` pod execution environment. | `runAsUser: 0`
`privileged: false` | | `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` | @@ -173,7 +175,7 @@ make goss [liveness probe]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ [name of the PriorityClass]: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass [nodeSelector]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector -[podSecurityContext]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +[securityContext]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ [readiness probe]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ [resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ [serviceAccount]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index a82948c58..37fa15ee5 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml @@ -117,10 +117,7 @@ spec: envFrom: {{ toYaml .Values.envFrom | indent 10 }} {{- end }} -{{- if .Values.podSecurityContext }} - securityContext: -{{ toYaml .Values.podSecurityContext | indent 10 }} -{{- end }} + securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.daemonset.securityContext ) | nindent 10 }} volumeMounts: {{- range .Values.secretMounts }} - name: {{ .name }} diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index c0e4fa07b..8d5925a8e 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml 
@@ -95,10 +95,7 @@ spec: envFrom: {{ toYaml .Values.envFrom | indent 10 }} {{- end }} -{{- if .Values.podSecurityContext }} - securityContext: -{{ toYaml .Values.podSecurityContext | indent 10 }} -{{- end }} + securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.deployment.securityContext ) | nindent 10 }} volumeMounts: {{- range .Values.secretMounts }} - name: {{ .name }} diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index 792f5bcfd..448cad33a 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py @@ -33,6 +33,31 @@ def test_defaults(): == [] ) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["runAsUser"] + == 0 + ) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["privileged"] + == False + ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["runAsUser"] + == 0 + ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["privileged"] + == False + ) + # Empty customizable defaults assert "imagePullSecrets" not in r["daemonset"][name]["spec"]["template"]["spec"] 
@@ -283,14 +308,101 @@ def test_self_managing_rbac_resources(): def test_setting_pod_security_context(): config = """ +daemonset: + securityContext: + runAsUser: 1001 + privileged: false +""" + r = helm_template(config) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["runAsUser"] + == 1001 + ) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["privileged"] + == False + ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["runAsUser"] + == 0 + ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["privileged"] + == False + ) + + config = """ +deployment: + securityContext: + runAsUser: 1001 + privileged: false +""" + r = helm_template(config) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["runAsUser"] + == 1001 + ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["privileged"] + == False + ) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["runAsUser"] + == False + ) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["privileged"] + == False + ) + + +def test_setting_deprecated_pod_security_context(): + config = """ podSecurityContext: runAsUser: 1001 privileged: false """ r = helm_template(config) - c = r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0] - assert c["securityContext"]["runAsUser"] == 1001 - assert c["securityContext"]["privileged"] == False + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["runAsUser"] + == 1001 + ) + assert ( + r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + 
"securityContext" + ]["privileged"] + == False + ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["runAsUser"] + == 1001 + ) + assert ( + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][ + "securityContext" + ]["privileged"] + == False + ) def test_adding_in_metricbeat_config(): diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index 38799dd87..a538890c8 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml @@ -53,6 +53,13 @@ daemonset: output.elasticsearch: hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' nodeSelector: {} + # Various pod security context settings. Bear in mind that many of these have an impact on metricbeat functioning properly. + # - Filesystem group for the metricbeat user. The official elastic docker images always have an id of 1000. + # - User that the container will execute as. Typically necessary to run as root (0) in order to properly collect host container logs. + # - Whether to execute the metricbeat containers as privileged containers. Typically not necessarily unless running within environments such as OpenShift. + securityContext: + runAsUser: 0 + privileged: false resources: requests: cpu: "100m" @@ -82,6 +89,9 @@ deployment: output.elasticsearch: hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' nodeSelector: {} + securityContext: + runAsUser: 0 + privileged: false resources: requests: cpu: "100m" 
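Review bot: In the `deployment:`-only half of `test_setting_pod_security_context`, the daemonset assertion compares `["securityContext"]["runAsUser"]` with `False`; it passes only because `0 == False` in Python, so it would not notice a rendered boolean in place of the default user id. It should read `== 0`, like the matching deployment assertion in the `daemonset:` half of the same test. For the same reason the `privileged` checks are stricter as `is False` than `== False`, since `== False` is also satisfied by `0`.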
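Review bot: The `deployment.securityContext` default added in the `@@ -82,6 +89,9 @@ deployment:` hunk keeps `runAsUser: 0`, while the only justification on the page is the daemonset comment about root being needed to read host data; the Deployment presumably only talks to kube-state-metrics, so that reason may not apply to it. Now that the two workloads have separate keys, the Deployment is the place to consider a non-root default, or at least to say why root is kept, e.g. `# root kept for parity with the daemonset; set a non-root UID if your image supports it`. The comment block moved into the daemonset hunk also still lists a "Filesystem group" setting that the values do not contain, and "not necessarily" should read "not necessary".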
@@ -190,15 +200,6 @@ clusterRoleRules: podAnnotations: {} # iam.amazonaws.com/role: es-cluster -# Various pod security context settings. Bear in mind that many of these have an impact on metricbeat functioning properly. -# -# - Filesystem group for the metricbeat user. The official elastic docker images always have an id of 1000. -# - User that the container will execute as. Typically necessary to run as root (0) in order to properly collect host container logs. -# - Whether to execute the metricbeat containers as privileged containers. Typically not necessarily unless running within environments such as OpenShift. -podSecurityContext: - runAsUser: 0 - privileged: false - # Custom service account override that the pod will use serviceAccount: "" @@ -229,5 +230,6 @@ affinity: {} # such as metricbeat.yml for both daemonset and deployment metricbeatConfig: {} nodeSelector: {} +podSecurityContext: {} resources: {} tolerations: [] From d1a96a139167bad71e0d3746f5a7fbf2d923bd7e Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 15 Apr 2020 17:26:23 +0200 Subject: [PATCH 09/15] [metricbeat] nit - fix default values in README --- metricbeat/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 9ebbc7517..8856d978b 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md 
@@ -105,14 +105,14 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `fullnameOverride` | Overrides the full name of the resources. If not set the name will default to "`.Release.Name`-`.Values.nameOverride or .Chart.Name`" | `""` | ### Deprecated -| Parameter | Description | Default | -| --- | --- | --- | -| `affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | -| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] | -| `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | -| `podSecurityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` and `Deployment` pod execution environment. | `runAsUser: 0`
`privileged: false` | -| `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | -| `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` | +| Parameter | Description | Default | +| --- | --- | --- | +| `affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | +| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | `{}` | +| `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | +| `podSecurityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` and `Deployment` pod execution environment. | `{}` | +| `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `{}` | +| `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` | ## Examples From bc05368cceeb1a78d0132547d685b084673bf4c3 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 15 Apr 2020 18:40:04 +0200 Subject: [PATCH 10/15] metricbeat] split extraEnvs for daemonset and deployment --- metricbeat/README.md | 4 ++- metricbeat/examples/oss/values.yaml | 12 ++++++-- metricbeat/examples/security/values.yaml | 34 +++++++++++++-------- metricbeat/templates/daemonset.yaml | 4 +-- metricbeat/templates/deployment.yaml | 4 +-- metricbeat/tests/metricbeat_test.py | 38 ++++++++++++++++++++++-- metricbeat/values.yaml | 16 +++++----- 7 files changed, 83 insertions(+), 29 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 8856d978b..68f2de4c4 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md 
@@ -68,12 +68,14 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | Parameter | Description | Default | | --- | --- | --- | | `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | +| `daemonset.extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for `DaemonSet`. | `[]` | | `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | | `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | | `daemonset.securityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` pod execution environment. | `runAsUser: 0`
`privileged: false` | | `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` | | `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | +| `deployment.extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for `deployment`. | `[]` | | `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | | `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` | | `deployment.securityContext` | Configurable [securityContext][] for Metricbeat `Deployment` pod execution environment. | `runAsUser: 0`
`privileged: false` | @@ -81,7 +83,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `deployment.tolerations` | Configurable [tolerations][] for Metricbeat `Deployment`. | `[]` | | `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | | `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | -| `extraEnvs` | Extra [environment variables][] which will be appended to the `env:` definition for the container | `[]` | | `extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function | `""` | | `extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function | `""` | | `envFrom` | Templatable string of envFrom to be passed to the [environment from variables][] which will be appended to the `envFrom:` definition for the container | `[]` | @@ -108,6 +109,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | Parameter | Description | Default | | --- | --- | --- | | `affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | +| `extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for both `DaemonSet` and `Deployment`. | `[]` | | `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | `{}` | | `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | | `podSecurityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` and `Deployment` pod execution environment. | `{}` | diff --git a/metricbeat/examples/oss/values.yaml b/metricbeat/examples/oss/values.yaml index 89f2d453c..29791cc2c 100644 --- a/metricbeat/examples/oss/values.yaml +++ b/metricbeat/examples/oss/values.yaml 
@@ -1,5 +1,11 @@ image: docker.elastic.co/beats/metricbeat-oss -extraEnvs: - - name: ELASTICSEARCH_HOSTS - value: oss-master:9200 +daemonset: + extraEnvs: + - name: ELASTICSEARCH_HOSTS + value: oss-master:9200 + +deployment: + extraEnvs: + - name: ELASTICSEARCH_HOSTS + value: oss-master:9200 diff --git a/metricbeat/examples/security/values.yaml b/metricbeat/examples/security/values.yaml index 51db92312..147213309 100644 --- a/metricbeat/examples/security/values.yaml +++ b/metricbeat/examples/security/values.yaml @@ -1,4 +1,15 @@ daemonset: + extraEnvs: + - name: 'ELASTICSEARCH_USERNAME' + valueFrom: + secretKeyRef: + name: elastic-credentials + key: username + - name: 'ELASTICSEARCH_PASSWORD' + valueFrom: + secretKeyRef: + name: elastic-credentials + key: password # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for daemonset metricbeatConfig: @@ -56,6 +67,17 @@ daemonset: - /usr/share/metricbeat/config/certs/elastic-certificate.pem deployment: + extraEnvs: + - name: 'ELASTICSEARCH_USERNAME' + valueFrom: + secretKeyRef: + name: elastic-credentials + key: username + - name: 'ELASTICSEARCH_PASSWORD' + valueFrom: + secretKeyRef: + name: elastic-credentials + key: password # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for deployment metricbeatConfig: @@ -83,15 +105,3 @@ secretMounts: - name: elastic-certificate-pem secretName: elastic-certificate-pem path: /usr/share/metricbeat/config/certs - -extraEnvs: - - name: 'ELASTICSEARCH_USERNAME' - valueFrom: - secretKeyRef: - name: elastic-credentials - key: username - - name: 'ELASTICSEARCH_PASSWORD' - valueFrom: - secretKeyRef: - name: elastic-credentials - key: password diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index 37fa15ee5..7b4e37294 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml 
@@ -110,8 +110,8 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName -{{- if .Values.extraEnvs }} -{{ toYaml .Values.extraEnvs | indent 8 }} +{{- if .Values.extraEnvs | default .Values.daemonset.extraEnvs }} +{{ toYaml ( .Values.extraEnvs | default .Values.daemonset.extraEnvs ) | indent 8 }} {{- end }} {{- if .Values.envFrom }} envFrom: diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index 8d5925a8e..8cf3f99f4 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml @@ -88,8 +88,8 @@ spec: fieldPath: metadata.namespace - name: KUBE_STATE_METRICS_HOSTS value: "$({{ .Release.Name | replace "-" "_" | upper }}_KUBE_STATE_METRICS_SERVICE_HOST):$({{ .Release.Name | replace "-" "_" | upper }}_KUBE_STATE_METRICS_SERVICE_PORT_HTTP)" -{{- if .Values.extraEnvs }} -{{ toYaml .Values.extraEnvs | indent 8 }} +{{- if .Values.extraEnvs | default .Values.deployment.extraEnvs }} +{{ toYaml ( .Values.extraEnvs | default .Values.deployment.extraEnvs ) | indent 8 }} {{- end }} {{- if .Values.envFrom }} envFrom: diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index 448cad33a..6d5009336 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py 
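Review bot: In both the `daemonset.yaml` and `deployment.yaml` hunks, `.Values.extraEnvs | default .Values.daemonset.extraEnvs` (and its `deployment` counterpart) lets a non-empty deprecated `extraEnvs` replace the per-workload list entirely instead of adding to it. With the security example changed in this same commit, layering an older values file that still sets top-level `extraEnvs` would silently drop the `ELASTICSEARCH_USERNAME` and `ELASTICSEARCH_PASSWORD` entries defined under `daemonset.extraEnvs`. Either merge the two lists, e.g. `{{- $envs := concat (.Values.extraEnvs | default list) (.Values.daemonset.extraEnvs | default list) }}`, or state the precedence next to the `# DEPRECATED` keys in values.yaml. The `envFrom` template hunks in the next commit use the same pattern. Both template bodies start and end outside these hunks.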
@@ -194,13 +194,47 @@ def test_adding_a_extra_init_container(): def test_adding_envs(): config = """ +daemonset: + extraEnvs: + - name: LOG_LEVEL + value: DEBUG +""" + r = helm_template(config) + assert {"name": "LOG_LEVEL", "value": "DEBUG"} in r["daemonset"][name]["spec"][ + "template" + ]["spec"]["containers"][0]["env"] + assert {"name": "LOG_LEVEL", "value": "DEBUG"} not in r["deployment"][ + name + "-metrics" + ]["spec"]["template"]["spec"]["containers"][0]["env"] + + config = """ +deployment: + extraEnvs: + - name: LOG_LEVEL + value: DEBUG +""" + r = helm_template(config) + assert {"name": "LOG_LEVEL", "value": "DEBUG"} in r["deployment"][ + name + "-metrics" + ]["spec"]["template"]["spec"]["containers"][0]["env"] + assert {"name": "LOG_LEVEL", "value": "DEBUG"} not in r["daemonset"][name]["spec"][ + "template" + ]["spec"]["containers"][0]["env"] + + +def test_adding_deprecated_envs(): + config = """ extraEnvs: - name: LOG_LEVEL value: DEBUG """ r = helm_template(config) - envs = r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0]["env"] - assert {"name": "LOG_LEVEL", "value": "DEBUG"} in envs + assert {"name": "LOG_LEVEL", "value": "DEBUG"} in r["daemonset"][name]["spec"][ + "template" + ]["spec"]["containers"][0]["env"] + assert {"name": "LOG_LEVEL", "value": "DEBUG"} in r["deployment"][ + name + "-metrics" + ]["spec"]["template"]["spec"]["containers"][0]["env"] def test_adding_image_pull_secrets(): diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index a538890c8..6ebb9fbbd 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml @@ -2,6 +2,10 @@ daemonset: affinity: {} + # Extra environment variables for Metricbeat container. + extraEnvs: [] + # - name: MY_ENVIRONMENT_VAR + # value: the_value_goes_here # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for daemonset metricbeatConfig: 
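Review bot: `test_adding_deprecated_envs` checks the deprecated key on its own, but no test sets `extraEnvs` and `daemonset.extraEnvs` together, which is the case where the template's `default` fallback decides which list wins. Pinning that makes the precedence explicit and catches a later template change that drops one of the lists. The same gap exists for `test_adding_deprecated_env_from` in the following commit. The test below asserts the behaviour the templates in this commit appear to implement (the deprecated value wins), so adjust the expectations if merging is intended.

```python
def test_deprecated_envs_override_daemonset_envs():
    config = """
extraEnvs:
  - name: LOG_LEVEL
    value: DEBUG
daemonset:
  extraEnvs:
    - name: LOG_LEVEL
      value: INFO
"""
    r = helm_template(config)
    envs = r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0]["env"]
    assert {"name": "LOG_LEVEL", "value": "DEBUG"} in envs
    assert {"name": "LOG_LEVEL", "value": "INFO"} not in envs
```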
@@ -71,6 +75,10 @@ daemonset: deployment: affinity: {} + # Extra environment variables for Metricbeat container. + extraEnvs: [] + # - name: MY_ENVIRONMENT_VAR + # value: the_value_goes_here # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for deployment metricbeatConfig: @@ -114,13 +122,6 @@ extraInitContainers: "" # image: busybox # command: ['echo', 'hey'] -# Extra environment variables to append to the DaemonSet pod spec. -# This will be appended to the current 'env:' key. You can use any of the kubernetes env -# syntax here -extraEnvs: [] -# - name: MY_ENVIRONMENT_VAR -# value: the_value_goes_here - extraVolumeMounts: [] # - name: extras # mountPath: /usr/share/extras @@ -226,6 +227,7 @@ fullnameOverride: "" # DEPRECATED affinity: {} +extraEnvs: [] # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for both daemonset and deployment metricbeatConfig: {} From 1dd2e846cb7bb6172bcb0d967adc5390f452c34c Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 15 Apr 2020 18:57:41 +0200 Subject: [PATCH 11/15] [metricbeat] split envFrom for daemonset and deployment --- metricbeat/README.md | 22 +++++++------- metricbeat/templates/daemonset.yaml | 5 ++-- metricbeat/templates/deployment.yaml | 5 ++-- metricbeat/tests/metricbeat_test.py | 44 +++++++++++++++++++++++++--- metricbeat/values.yaml | 11 ++++--- 5 files changed, 63 insertions(+), 24 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 68f2de4c4..48eda68dd 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md 
@@ -68,6 +68,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | Parameter | Description | Default | | --- | --- | --- | | `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | +| `daemonset.envFrom` | Templatable string of `envFrom` to be passed to the [environment from variables][] which will be appended to Metricbeat container for `DaemonSet`. | `[]` | | `daemonset.extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for `DaemonSet`. | `[]` | | `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | | `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | @@ -75,6 +76,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` | | `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | +| `deployment.envFrom` | Templatable string of `envFrom` to be passed to the [environment from variables][] which will be appended to Metricbeat container for `Deployment`. | `[]` | | `deployment.extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for `deployment`. | `[]` | | `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | | `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` | @@ -85,7 +87,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | | `extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function | `""` | | `extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function | `""` | -| `envFrom` | Templatable string of envFrom to be passed to the [environment from variables][] which will be appended to the `envFrom:` definition for the container | `[]` | | `hostPathRoot` | Fully-qualified [hostPath][] that will be used to persist Metricbeat registry data | `/var/lib` | | `image` | The Metricbeat docker image | `docker.elastic.co/beats/metricbeat` | | `imageTag` | The Metricbeat docker image tag | `7.6.2` | 
@@ -106,15 +107,16 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `fullnameOverride` | Overrides the full name of the resources. If not set the name will default to "`.Release.Name`-`.Values.nameOverride or .Chart.Name`" | `""` | ### Deprecated -| Parameter | Description | Default | -| --- | --- | --- | -| `affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | -| `extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for both `DaemonSet` and `Deployment`. | `[]` | -| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | `{}` | -| `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | -| `podSecurityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` and `Deployment` pod execution environment. | `{}` | -| `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `{}` | -| `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` | +| Parameter | Description | Default | +| --- | --- | --- | +| `affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | +| `extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for both `DaemonSet` and `Deployment`. | `[]` | +| `deployment.envFrom` | Templatable string to be passed to the [environment from variables][] which will be appended to Metricbeat container for both `DaemonSet` and `Deployment`. | `[]` | +| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | `{}` | +| `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. 
| `{}` | +| `podSecurityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` and `Deployment` pod execution environment. | `{}` | +| `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `{}` | +| `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` | ## Examples diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index 7b4e37294..57832ac9a 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml @@ -113,9 +113,8 @@ spec: {{- if .Values.extraEnvs | default .Values.daemonset.extraEnvs }} {{ toYaml ( .Values.extraEnvs | default .Values.daemonset.extraEnvs ) | indent 8 }} {{- end }} -{{- if .Values.envFrom }} - envFrom: -{{ toYaml .Values.envFrom | indent 10 }} +{{- if .Values.envFrom | default .Values.daemonset.envFrom }} + envFrom: {{ toYaml ( .Values.envFrom | default .Values.daemonset.envFrom ) | nindent 10 }} {{- end }} securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.daemonset.securityContext ) | nindent 10 }} volumeMounts: diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index 8cf3f99f4..83bfeb1b4 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml @@ -91,9 +91,8 @@ spec: {{- if .Values.extraEnvs | default .Values.deployment.extraEnvs }} {{ toYaml ( .Values.extraEnvs | default .Values.deployment.extraEnvs ) | indent 8 }} {{- end }} -{{- if .Values.envFrom }} - envFrom: -{{ toYaml .Values.envFrom | indent 10 }} +{{- if .Values.envFrom | default .Values.deployment.envFrom }} + envFrom: {{ toYaml ( .Values.envFrom | default .Values.deployment.envFrom ) | nindent 10 }} {{- end }} securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.deployment.securityContext ) | nindent 10 }} volumeMounts: 
diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index 6d5009336..7daa6411e 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py @@ -766,15 +766,51 @@ def test_adding_pod_labels(): def test_adding_env_from(): config = """ +daemonset: + envFrom: + - configMapRef: + name: configmap-name +""" + r = helm_template(config) + assert r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0]["envFrom"][ + 0 + ]["configMapRef"] == {"name": "configmap-name"} + assert ( + "envFrom" + not in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"][ + "containers" + ][0] + ) + + config = """ +deployment: + envFrom: + - configMapRef: + name: configmap-name +""" + r = helm_template(config) + assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][ + 0 + ]["envFrom"][0]["configMapRef"] == {"name": "configmap-name"} + assert ( + "envFrom" + not in r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0] + ) + + +def test_adding_deprecated_env_from(): + config = """ envFrom: - configMapRef: name: configmap-name """ r = helm_template(config) - configMapRef = r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ - "envFrom" - ][0]["configMapRef"] - assert configMapRef == {"name": "configmap-name"} + assert r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0]["envFrom"][ + 0 + ]["configMapRef"] == {"name": "configmap-name"} + assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][ + 0 + ]["envFrom"][0]["configMapRef"] == {"name": "configmap-name"} def test_overriding_resources(): diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index 6ebb9fbbd..f28786b54 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml 
@@ -3,6 +3,9 @@ daemonset: affinity: {} # Extra environment variables for Metricbeat container. + envFrom: [] + # - configMapRef: + # name: config-secret extraEnvs: [] # - name: MY_ENVIRONMENT_VAR # value: the_value_goes_here @@ -76,6 +79,9 @@ daemonset: deployment: affinity: {} # Extra environment variables for Metricbeat container. + envFrom: [] + # - configMapRef: + # name: config-secret extraEnvs: [] # - name: MY_ENVIRONMENT_VAR # value: the_value_goes_here @@ -131,10 +137,6 @@ extraVolumes: [] # - name: extras # emptyDir: {} -envFrom: [] - # - configMapRef: - # name: config-secret - # Root directory where metricbeat will write data to in order to persist registry data across pod restarts (file position and other metadata). hostPathRoot: /var/lib @@ -227,6 +229,7 @@ fullnameOverride: "" # DEPRECATED affinity: {} +envFrom: [] extraEnvs: [] # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for both daemonset and deployment From 593c743290056b6400369a60beca030898049010 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 15 Apr 2020 21:43:17 +0200 Subject: [PATCH 12/15] [metricbeat] split volumes and volumeMounts for daemonset and deployment --- metricbeat/README.md | 84 +++++++++++++++------------- metricbeat/templates/daemonset.yaml | 8 +-- metricbeat/templates/deployment.yaml | 8 +-- metricbeat/tests/metricbeat_test.py | 78 ++++++++++++++++++++++---- metricbeat/values.yaml | 25 ++++++--- 5 files changed, 136 insertions(+), 67 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 48eda68dd..991aa1447 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md 
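Review bot: The added `envFrom: []` lands directly under the existing comment "Extra environment variables for Metricbeat container.", so that comment now labels `envFrom` while `extraEnvs` below it is left undocumented. The commented example also references a ConfigMap named `config-secret`, which invites putting credentials in a ConfigMap. An example that separates the two sources is safer, e.g. `# - configMapRef: {name: metricbeat-env}` for plain settings and `# - secretRef: {name: metricbeat-credentials}` for secrets (both names are placeholders). The `deployment:` hunk that follows repeats the same lines, and both blocks continue outside their hunks.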
@@ -65,52 +65,56 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 ## Configuration -| Parameter | Description | Default | -| --- | --- | --- | -| `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | -| `daemonset.envFrom` | Templatable string of `envFrom` to be passed to the [environment from variables][] which will be appended to Metricbeat container for `DaemonSet`. | `[]` | -| `daemonset.extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for `DaemonSet`. | `[]` | -| `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | -| `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | -| `daemonset.securityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` pod execution environment. | `runAsUser: 0`
`privileged: false` | -| `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | -| `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` | -| `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | -| `deployment.envFrom` | Templatable string of `envFrom` to be passed to the [environment from variables][] which will be appended to Metricbeat container for `Deployment`. | `[]` | -| `deployment.extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for `deployment`. | `[]` | -| `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | -| `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` | -| `deployment.securityContext` | Configurable [securityContext][] for Metricbeat `Deployment` pod execution environment. | `runAsUser: 0`
`privileged: false` | -| `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | -| `deployment.tolerations` | Configurable [tolerations][] for Metricbeat `Deployment`. | `[]` | -| `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | -| `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | -| `extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function | `""` | -| `extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function | `""` | -| `hostPathRoot` | Fully-qualified [hostPath][] that will be used to persist Metricbeat registry data | `/var/lib` | -| `image` | The Metricbeat docker image | `docker.elastic.co/beats/metricbeat` | -| `imageTag` | The Metricbeat docker image tag | `7.6.2` | -| `imagePullPolicy` | The Kubernetes [imagePullPolicy][] value | `IfNotPresent` | -| `imagePullSecrets` | Configuration for [imagePullSecrets][] so that you can use a private registry for your image | `[]` | -| `labels` | Configurable [label][] applied to all Metricbeat pods | `{}` | -| `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` | -| `clusterRoleRules` | Configurable [cluster role rules][] that Metricbeat uses to access Kubernetes resources. | see [values.yaml][] | -| `podAnnotations` | Configurable [annotations][] applied to all Metricbeat pods | `{}` | -| `livenessProbe` | Parameters to pass to [liveness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | -| `readinessProbe` | Parameters to pass to [readiness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | -| `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | -| `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | -| `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | -| `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | -| `priorityClassName` | The [name of the PriorityClass][]. No default is supplied as the PriorityClass must be created first. | `""` | -| `replicas` | The replica count for the metricbeat deployment talking to kube-state-metrics | `1` | -| `fullnameOverride` | Overrides the full name of the resources. If not set the name will default to "`.Release.Name`-`.Values.nameOverride or .Chart.Name`" | `""` | +| Parameter | Description | Default | +| --- | --- | --- | +| `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | +| `daemonset.envFrom` | Templatable string of `envFrom` to be passed to the [environment from variables][] which will be appended to Metricbeat container for `DaemonSet`. | `[]` | +| `daemonset.extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for `DaemonSet`. | `[]` | +| `daemonset.extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function or `DaemonSet`. | `[]` | +| `daemonset.extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function or `DaemonSet`. 
| `[]` | +| `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | +| `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | +| `daemonset.securityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` pod execution environment. | `runAsUser: 0`
`privileged: false` | +| `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | +| `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` | +| `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` | +| `deployment.envFrom` | Templatable string of `envFrom` to be passed to the [environment from variables][] which will be appended to Metricbeat container for `Deployment`. | `[]` | +| `deployment.extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for `Deployment`. | `[]` | +| `deployment.extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function or `Deployment`. | `[]` | +| `deployment.extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function or `DaemonSet`. | `[]` | +| `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | +| `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` | +| `deployment.securityContext` | Configurable [securityContext][] for Metricbeat `Deployment` pod execution environment. | `runAsUser: 0`
`privileged: false` | +| `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | +| `deployment.tolerations` | Configurable [tolerations][] for Metricbeat `Deployment`. | `[]` | +| `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | +| `extraInitContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | +| `hostPathRoot` | Fully-qualified [hostPath][] that will be used to persist Metricbeat registry data | `/var/lib` | +| `image` | The Metricbeat docker image | `docker.elastic.co/beats/metricbeat` | +| `imageTag` | The Metricbeat docker image tag | `7.6.2` | +| `imagePullPolicy` | The Kubernetes [imagePullPolicy][] value | `IfNotPresent` | +| `imagePullSecrets` | Configuration for [imagePullSecrets][] so that you can use a private registry for your image | `[]` | +| `labels` | Configurable [label][] applied to all Metricbeat pods | `{}` | +| `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` | +| `clusterRoleRules` | Configurable [cluster role rules][] that Metricbeat uses to access Kubernetes resources. | see [values.yaml][] | +| `podAnnotations` | Configurable [annotations][] applied to all Metricbeat pods | `{}` | +| `livenessProbe` | Parameters to pass to [liveness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | +| `readinessProbe` | Parameters to pass to [readiness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | +| `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | +| `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | +| `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | +| `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | +| `priorityClassName` | The [name of the PriorityClass][]. No default is supplied as the PriorityClass must be created first. | `""` | +| `replicas` | The replica count for the metricbeat deployment talking to kube-state-metrics | `1` | +| `fullnameOverride` | Overrides the full name of the resources. If not set the name will default to "`.Release.Name`-`.Values.nameOverride or .Chart.Name`" | `""` | ### Deprecated | Parameter | Description | Default | | --- | --- | --- | | `affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` | | `extraEnvs` | Extra [environment variables][] which will be appended to Metricbeat container for both `DaemonSet` and `Deployment`. | `[]` | +| `extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function for both `DaemonSet` and `Deployment`. | `[]` | +| `extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function for both `DaemonSet` and `Deployment`. | `[]` | | `deployment.envFrom` | Templatable string to be passed to the [environment from variables][] which will be appended to Metricbeat container for both `DaemonSet` and `Deployment`. 
| `[]` | | `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | `{}` | | `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index 57832ac9a..4a2c53366 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml @@ -76,8 +76,8 @@ spec: - name: cgroup hostPath: path: /sys/fs/cgroup - {{- if .Values.extraVolumes }} -{{ toYaml .Values.extraVolumes | indent 6 }} + {{- if .Values.extraVolumes | default .Values.daemonset.extraVolumes }} +{{ toYaml ( .Values.extraVolumes | default .Values.daemonset.extraVolumes ) | indent 6 }} {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: @@ -151,8 +151,8 @@ spec: - name: cgroup mountPath: /hostfs/sys/fs/cgroup readOnly: true - {{- if .Values.extraVolumeMounts }} -{{ toYaml .Values.extraVolumeMounts | indent 8 }} + {{- if .Values.extraVolumeMounts | default .Values.daemonset.extraVolumeMounts }} +{{ toYaml ( .Values.extraVolumeMounts | default .Values.daemonset.extraVolumeMounts ) | indent 8 }} {{- end }} {{- if .Values.extraContainers }} {{ tpl .Values.extraContainers . | indent 6 }} diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index 83bfeb1b4..482e78b8a 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml @@ -57,8 +57,8 @@ spec: defaultMode: 0600 name: {{ template "metricbeat.fullname" . }}-deployment-config {{- end }} - {{- if .Values.extraVolumes }} -{{ toYaml .Values.extraVolumes | indent 6 }} + {{- if .Values.extraVolumes | default .Values.deployment.extraVolumes }} +{{ toYaml ( .Values.extraVolumes | default .Values.deployment.extraVolumes ) | indent 6 }} {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: 
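Review bot: In the `volumes:` block of daemonset.yaml, `.Values.extraVolumes | default .Values.daemonset.extraVolumes` lets the deprecated top-level value win whenever it is non-empty, so a `daemonset.extraVolumes` set alongside it is silently dropped and the top-level list is rendered into both workloads. The `extraVolumeMounts` hunk below, both deployment.yaml hunks, and the `secretMounts` hunks in PATCH 13/15 follow the same pattern. For volumes and secrets this matters for least privilege: an operator who scopes a mount to one workload while an old top-level entry is still present gets that old entry in both pods, including the DaemonSet whose documented default is `runAsUser: 0`. I would state the precedence next to the expression, e.g. `{{- /* deprecated .Values.extraVolumes, when non-empty, replaces .Values.daemonset.extraVolumes */}}`, and add a test (for `secretMounts` as well) that sets both keys and pins which one is rendered. The enclosing `spec:` block starts and ends outside the hunk.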
@@ -116,8 +116,8 @@ spec:
 subPath: {{ $path }}
 {{- end }}
 {{- end }}
- {{- if .Values.extraVolumeMounts }}
-{{ toYaml .Values.extraVolumeMounts | indent 8 }}
+ {{- if .Values.extraVolumeMounts | default .Values.deployment.extraVolumeMounts }}
+{{ toYaml ( .Values.extraVolumeMounts | default .Values.deployment.extraVolumeMounts ) | indent 8 }}
 {{- end }}
 {{- if .Values.extraContainers }}
 {{ tpl .Values.extraContainers . | indent 6 }}
diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py
index 7daa6411e..d3b1eeee1 100644
--- a/metricbeat/tests/metricbeat_test.py
+++ b/metricbeat/tests/metricbeat_test.py
@@ -564,6 +564,62 @@ def test_adding_a_secret_mount(): def test_adding_a_extra_volume_with_volume_mount(): config = """ +daemonset: + extraVolumes: + - name: extras + emptyDir: {} + extraVolumeMounts: + - name: extras + mountPath: /usr/share/extras + readOnly: true +""" + r = helm_template(config) + assert {"name": "extras", "emptyDir": {}} in r["daemonset"][name]["spec"][ + "template" + ]["spec"]["volumes"] + assert {"name": "extras", "mountPath": "/usr/share/extras", "readOnly": True,} in r[ + "daemonset" + ][name]["spec"]["template"]["spec"]["containers"][0]["volumeMounts"] + assert {"name": "extras", "emptyDir": {}} not in r["deployment"][name + "-metrics"][ + "spec" + ]["template"]["spec"]["volumes"] + assert ( + {"name": "extras", "mountPath": "/usr/share/extras", "readOnly": True,} + not in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"][ + "containers" + ][0]["volumeMounts"] + ) + + config = """ +deployment: + extraVolumes: + - name: extras + emptyDir: {} + extraVolumeMounts: + - name: extras + mountPath: /usr/share/extras + readOnly: true +""" + r = helm_template(config) + assert {"name": "extras", "emptyDir": {}} in r["deployment"][name + "-metrics"][ + "spec" + ]["template"]["spec"]["volumes"] + assert {"name": "extras", "mountPath": "/usr/share/extras", "readOnly": True,} in r[ + "deployment" + ][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0]["volumeMounts"] + assert {"name": "extras", "emptyDir": {}} not in r["daemonset"][name]["spec"][ + "template" + ]["spec"]["volumes"] + assert ( + {"name": "extras", "mountPath": "/usr/share/extras", "readOnly": True,} + not in r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "volumeMounts" + ] + ) + + +def test_adding_a_deprecated_extra_volume_with_volume_mount(): + config = """ extraVolumes: - name: extras emptyDir: {} 
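Review bot: Every assertion added to `test_adding_a_extra_volume_with_volume_mount` re-spells the full `r["daemonset"][name]["spec"]["template"]["spec"]...` path, which makes the `in` / `not in` pairs hard to compare by eye; the rewritten assertions in the next hunk have the same shape. Binding the pod specs once per render, e.g. `ds = r["daemonset"][name]["spec"]["template"]["spec"]` and `dep = r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]`, with the expected dicts bound to locals, reduces each check to a short membership test on `ds["volumes"]` or `dep["volumes"]`. The function also runs the daemonset-only and deployment-only scenarios back to back, so a failure in the first hides the second; two test functions would report them separately. `test_adding_a_deprecated_extra_volume_with_volume_mount` continues past the end of the hunk.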
@@ -573,16 +629,18 @@ def test_adding_a_extra_volume_with_volume_mount(): readOnly: true """ r = helm_template(config) - extraVolume = r["daemonset"][name]["spec"]["template"]["spec"]["volumes"] - assert {"name": "extras", "emptyDir": {}} in extraVolume - extraVolumeMounts = r["daemonset"][name]["spec"]["template"]["spec"]["containers"][ - 0 - ]["volumeMounts"] - assert { - "name": "extras", - "mountPath": "/usr/share/extras", - "readOnly": True, - } in extraVolumeMounts + assert {"name": "extras", "emptyDir": {}} in r["daemonset"][name]["spec"][ + "template" + ]["spec"]["volumes"] + assert {"name": "extras", "mountPath": "/usr/share/extras", "readOnly": True,} in r[ + "daemonset" + ][name]["spec"]["template"]["spec"]["containers"][0]["volumeMounts"] + assert {"name": "extras", "emptyDir": {}} in r["deployment"][name + "-metrics"][ + "spec" + ]["template"]["spec"]["volumes"] + assert {"name": "extras", "mountPath": "/usr/share/extras", "readOnly": True,} in r[ + "deployment" + ][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0]["volumeMounts"] def test_adding_a_node_selector(): diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index f28786b54..0d30ca08e 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml @@ -9,6 +9,13 @@ daemonset: extraEnvs: [] # - name: MY_ENVIRONMENT_VAR # value: the_value_goes_here + extraVolumes: [] + # - name: extras + # emptyDir: {} + extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for daemonset metricbeatConfig: 
@@ -86,6 +93,13 @@ deployment: # - name: MY_ENVIRONMENT_VAR # value: the_value_goes_here # Allows you to add any config files in /usr/share/metricbeat + extraVolumes: [] + # - name: extras + # emptyDir: {} + extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true # such as metricbeat.yml for deployment metricbeatConfig: metricbeat.yml: | @@ -128,15 +142,6 @@ extraInitContainers: "" # image: busybox # command: ['echo', 'hey'] -extraVolumeMounts: [] - # - name: extras - # mountPath: /usr/share/extras - # readOnly: true - -extraVolumes: [] - # - name: extras - # emptyDir: {} - # Root directory where metricbeat will write data to in order to persist registry data across pod restarts (file position and other metadata). hostPathRoot: /var/lib @@ -231,6 +236,8 @@ fullnameOverride: "" affinity: {} envFrom: [] extraEnvs: [] +extraVolumes: [] +extraVolumeMounts: [] # Allows you to add any config files in /usr/share/metricbeat # such as metricbeat.yml for both daemonset and deployment metricbeatConfig: {} From 055313c7dc9b1eef0dd5a24a101095331d4d64d2 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 15 Apr 2020 22:26:12 +0200 Subject: [PATCH 13/15] [metricbeat] split secretMounts for daemonset and deployment --- metricbeat/README.md | 4 +- metricbeat/examples/security/values.yaml | 7 +- metricbeat/templates/daemonset.yaml | 4 +- metricbeat/templates/deployment.yaml | 4 +- metricbeat/tests/metricbeat_test.py | 97 +++++++++++++++++++++++- metricbeat/values.yaml | 20 +++-- 6 files changed, 119 insertions(+), 17 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index 991aa1447..f3915029a 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md 
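Review bot: In the `deployment:` section of values.yaml the new `extraVolumes` / `extraVolumeMounts` keys are inserted between the two halves of one comment, so `# Allows you to add any config files in /usr/share/metricbeat` now sits above `extraVolumes: []` and `# such as metricbeat.yml for deployment` is left dangling above `metricbeatConfig:`. The `daemonset:` hunk in the same file places the new keys before that comment, which reads correctly. Moving the added block up one line, above `# Allows you to add any config files in /usr/share/metricbeat`, keeps the comment attached to `metricbeatConfig`. The `deployment:` mapping starts and ends outside the hunk.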
@@ -74,6 +74,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `daemonset.extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function or `DaemonSet`. | `[]` | | `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] | | `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | +| `daemonset.secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | | `daemonset.securityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` pod execution environment. | `runAsUser: 0`
`privileged: false` | | `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` | @@ -84,6 +85,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `deployment.extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function or `DaemonSet`. | `[]` | | `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] | | `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` | +| `deployment.secretMounts` | Allows you easily mount a secret as a file inside the `Deployment`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | | `deployment.securityContext` | Configurable [securityContext][] for Metricbeat `Deployment` pod execution environment. | `runAsUser: 0`
`privileged: false` | | `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment`. | `requests.cpu: 100m`
`requests.memory: 100Mi`
`limits.cpu: 1000m`
`limits.memory: 200Mi` | | `deployment.tolerations` | Configurable [tolerations][] for Metricbeat `Deployment`. | `[]` | @@ -101,7 +103,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `livenessProbe` | Parameters to pass to [liveness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | | `readinessProbe` | Parameters to pass to [readiness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | | `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` | -| `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | | `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` | | `priorityClassName` | The [name of the PriorityClass][]. No default is supplied as the PriorityClass must be created first. | `""` | @@ -120,6 +121,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2 | `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` | | `podSecurityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` and `Deployment` pod execution environment. | `{}` | | `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `{}` | +| `secretMounts` | Allows you easily mount a secret as a file inside `DaemonSet` and `Deployment`. Useful for mounting certificates and other secrets. | `[]` | | `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` | ## Examples diff --git a/metricbeat/examples/security/values.yaml b/metricbeat/examples/security/values.yaml index 147213309..2939d1c20 100644 --- a/metricbeat/examples/security/values.yaml +++ b/metricbeat/examples/security/values.yaml 
@@ -65,6 +65,10 @@ daemonset: hosts: ["security-master:9200"] ssl.certificate_authorities: - /usr/share/metricbeat/config/certs/elastic-certificate.pem + secretMounts: + - name: elastic-certificate-pem + secretName: elastic-certificate-pem + path: /usr/share/metricbeat/config/certs deployment: extraEnvs: @@ -100,8 +104,7 @@ deployment: hosts: ["security-master:9200"] ssl.certificate_authorities: - /usr/share/metricbeat/config/certs/elastic-certificate.pem - -secretMounts: + secretMounts: - name: elastic-certificate-pem secretName: elastic-certificate-pem path: /usr/share/metricbeat/config/certs diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml index 4a2c53366..334ab53ea 100644 --- a/metricbeat/templates/daemonset.yaml +++ b/metricbeat/templates/daemonset.yaml @@ -47,7 +47,7 @@ spec: serviceAccountName: {{ template "metricbeat.serviceAccount" . }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} volumes: - {{- range .Values.secretMounts }} + {{- range .Values.secretMounts | default .Values.daemonset.secretMounts }} - name: {{ .name }} secret: secretName: {{ .secretName }} @@ -118,7 +118,7 @@ spec: {{- end }} securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.daemonset.securityContext ) | nindent 10 }} volumeMounts: - {{- range .Values.secretMounts }} + {{- range .Values.secretMounts | default .Values.daemonset.secretMounts }} - name: {{ .name }} mountPath: {{ .path }} {{- if .subPath }} diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml index 482e78b8a..8d8ca8066 100644 --- a/metricbeat/templates/deployment.yaml +++ b/metricbeat/templates/deployment.yaml 
@@ -41,7 +41,7 @@ spec: serviceAccountName: {{ template "metricbeat.serviceAccount" . }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} volumes: - {{- range .Values.secretMounts }} + {{- range .Values.secretMounts | default .Values.deployment.secretMounts }} - name: {{ .name }} secret: secretName: {{ .secretName }} @@ -96,7 +96,7 @@ spec: {{- end }} securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.deployment.securityContext ) | nindent 10 }} volumeMounts: - {{- range .Values.secretMounts }} + {{- range .Values.secretMounts | default .Values.deployment.secretMounts }} - name: {{ .name }} mountPath: {{ .path }} {{- if .subPath }} diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index d3b1eeee1..b33eca842 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py 
@@ -545,18 +545,109 @@ def test_adding_in_deprecated_metricbeat_config(): def test_adding_a_secret_mount(): config = """ +daemonset: + secretMounts: + - name: elastic-certificates + secretName: elastic-certificates-name + path: /usr/share/metricbeat/config/certs +""" + r = helm_template(config) + assert ( + { + "mountPath": "/usr/share/metricbeat/config/certs", + "name": "elastic-certificates", + } + in r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "volumeMounts" + ] + ) + assert { + "name": "elastic-certificates", + "secret": {"secretName": "elastic-certificates-name"}, + } in r["daemonset"][name]["spec"]["template"]["spec"]["volumes"] + + assert ( + { + "mountPath": "/usr/share/metricbeat/config/certs", + "name": "elastic-certificates", + } + not in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"][ + "containers" + ][0]["volumeMounts"] + ) + assert { + "name": "elastic-certificates", + "secret": {"secretName": "elastic-certificates-name"}, + } not in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["volumes"] + + config = """ +deployment: + secretMounts: + - name: elastic-certificates + secretName: elastic-certificates-name + path: /usr/share/metricbeat/config/certs +""" + r = helm_template(config) + assert ( + { + "mountPath": "/usr/share/metricbeat/config/certs", + "name": "elastic-certificates", + } + in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][ + 0 + ]["volumeMounts"] + ) + assert { + "name": "elastic-certificates", + "secret": {"secretName": "elastic-certificates-name"}, + } in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["volumes"] + + assert ( + { + "mountPath": "/usr/share/metricbeat/config/certs", + "name": "elastic-certificates", + } + not in r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "volumeMounts" + ] + ) + assert { + "name": "elastic-certificates", + "secret": {"secretName": "elastic-certificates-name"}, + } not in 
r["daemonset"][name]["spec"]["template"]["spec"]["volumes"] + + +def test_adding_a_deprecated_secret_mount(): + config = """ secretMounts: - name: elastic-certificates secretName: elastic-certificates-name path: /usr/share/metricbeat/config/certs """ r = helm_template(config) - s = r["daemonset"][name]["spec"]["template"]["spec"] - assert s["containers"][0]["volumeMounts"][0] == { + assert ( + { + "mountPath": "/usr/share/metricbeat/config/certs", + "name": "elastic-certificates", + } + in r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][ + "volumeMounts" + ] + ) + assert { + "name": "elastic-certificates", + "secret": {"secretName": "elastic-certificates-name"}, + } in r["daemonset"][name]["spec"]["template"]["spec"]["volumes"] + + assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][ + 0 + ]["volumeMounts"][0] == { "mountPath": "/usr/share/metricbeat/config/certs", "name": "elastic-certificates", } - assert s["volumes"][0] == { + assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["volumes"][ + 0 + ] == { "name": "elastic-certificates", "secret": {"secretName": "elastic-certificates-name"}, } diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index 0d30ca08e..a2b328d1a 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml 
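Review bot: In `test_adding_a_deprecated_secret_mount` the deployment checks compare `["volumeMounts"][0]` and `["volumes"][0]` by position while the daemonset checks in the same function use `in`, so the deployment half fails if the template ever renders another volume ahead of the secret. Using membership for both, e.g. `assert {"name": "elastic-certificates", "secret": {"secretName": "elastic-certificates-name"}} in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["volumes"]`, keeps the two halves consistent. The `not in` checks in `test_adding_a_secret_mount`, which pin that a secret scoped to one workload is absent from the other, are the valuable part of this hunk and should stay as they are.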
@@ -67,6 +67,12 @@ daemonset: output.elasticsearch: hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' nodeSelector: {} + # A list of secrets and their paths to mount inside the pod + # This is useful for mounting certificates for security other sensitive values + secretMounts: [] + # - name: metricbeat-certificates + # secretName: metricbeat-certificates + # path: /usr/share/metricbeat/certs # Various pod security context settings. Bear in mind that many of these have an impact on metricbeat functioning properly. # - Filesystem group for the metricbeat user. The official elastic docker images always have an id of 1000. # - User that the container will execute as. Typically necessary to run as root (0) in order to properly collect host container logs. @@ -117,6 +123,12 @@ deployment: output.elasticsearch: hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}' nodeSelector: {} + # A list of secrets and their paths to mount inside the pod + # This is useful for mounting certificates for security other sensitive values + secretMounts: [] + # - name: metricbeat-certificates + # secretName: metricbeat-certificates + # path: /usr/share/metricbeat/certs securityContext: runAsUser: 0 privileged: false @@ -211,13 +223,6 @@ podAnnotations: {} # Custom service account override that the pod will use serviceAccount: "" -# A list of secrets and their paths to mount inside the pod -# This is useful for mounting certificates for security other sensitive values -secretMounts: [] -# - name: metricbeat-certificates -# secretName: metricbeat-certificates -# path: /usr/share/metricbeat/certs - # How long to wait for metricbeat pods to stop gracefully terminationGracePeriod: 30 @@ -244,4 +249,5 @@ metricbeatConfig: {} nodeSelector: {} podSecurityContext: {} resources: {} +secretMounts: [] tolerations: [] From 890428d1e74135db43787f6ec23221449aa02643 Mon Sep 17 00:00:00 2001 
From: Julien Mailleret Date: Fri, 17 Apr 2020 16:52:01 +0200 Subject: [PATCH 14/15] [metricbeat] remove unneeded if statement for envFrom --- metricbeat/templates/daemonset.yaml | 2 -- metricbeat/templates/deployment.yaml | 2 -- metricbeat/tests/metricbeat_test.py | 12 ++++++------ 3 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/metricbeat/templates/daemonset.yaml b/metricbeat/templates/daemonset.yaml
index 334ab53ea..b057059e0 100644
--- a/metricbeat/templates/daemonset.yaml
+++ b/metricbeat/templates/daemonset.yaml
@@ -113,9 +113,7 @@ spec:
 {{- if .Values.extraEnvs | default .Values.daemonset.extraEnvs }}
 {{ toYaml ( .Values.extraEnvs | default .Values.daemonset.extraEnvs ) | indent 8 }}
 {{- end }}
-{{- if .Values.envFrom | default .Values.daemonset.envFrom }}
 envFrom: {{ toYaml ( .Values.envFrom | default .Values.daemonset.envFrom ) | nindent 10 }}
-{{- end }}
 securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.daemonset.securityContext ) | nindent 10 }}
 volumeMounts:
 {{- range .Values.secretMounts | default .Values.daemonset.secretMounts }}
diff --git a/metricbeat/templates/deployment.yaml b/metricbeat/templates/deployment.yaml
index 8d8ca8066..ca056d42b 100644
--- a/metricbeat/templates/deployment.yaml
+++ b/metricbeat/templates/deployment.yaml
@@ -91,9 +91,7 @@ spec:
 {{- if .Values.extraEnvs | default .Values.deployment.extraEnvs }}
 {{ toYaml ( .Values.extraEnvs | default .Values.deployment.extraEnvs ) | indent 8 }}
 {{- end }}
-{{- if .Values.envFrom | default .Values.deployment.envFrom }}
 envFrom: {{ toYaml ( .Values.envFrom | default .Values.deployment.envFrom ) | nindent 10 }}
-{{- end }}
 securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.deployment.securityContext ) | nindent 10 }}
 volumeMounts:
 {{- range .Values.secretMounts | default .Values.deployment.secretMounts }}
diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py
index b33eca842..91c1bfeed 100644
--- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py @@ -925,10 +925,10 @@ def test_adding_env_from(): 0 ]["configMapRef"] == {"name": "configmap-name"} assert ( - "envFrom" - not in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"][ - "containers" - ][0] + r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][ + "envFrom" + ] + == [] ) config = """ @@ -942,8 +942,8 @@ def test_adding_env_from(): 0 ]["envFrom"][0]["configMapRef"] == {"name": "configmap-name"} assert ( - "envFrom" - not in r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0] + r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0]["envFrom"] + == [] ) From b489901c2f205b608ba123e76fcc50182a91c4a0 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Fri, 17 Apr 2020 16:59:53 +0200 Subject: [PATCH 15/15] [metricbeat] nit - add missing trailing lines --- metricbeat/README.md | 2 +- metricbeat/templates/configmap.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/metricbeat/README.md b/metricbeat/README.md index f3915029a..1a413cce5 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md @@ -191,4 +191,4 @@ make goss [serviceAccount]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ [tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ [updateStrategy]: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy -[values.yaml]: https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml \ No newline at end of file +[values.yaml]: https://github.com/elastic/helm-charts/tree/master/metricbeat/values.yaml diff --git a/metricbeat/templates/configmap.yaml b/metricbeat/templates/configmap.yaml index eb0e88885..54183db1b 100644 --- a/metricbeat/templates/configmap.yaml +++ b/metricbeat/templates/configmap.yaml 
@@ -50,4 +50,4 @@ data:
 {{ $path }}: |
 {{ $config | indent 4 -}}
 {{- end -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}