diff --git a/charts/couchdb-backup-1.0.0.tgz b/charts/couchdb-backup-1.0.0.tgz index b636114e..7e16a8e6 100644 Binary files a/charts/couchdb-backup-1.0.0.tgz and b/charts/couchdb-backup-1.0.0.tgz differ diff --git a/charts/database-provisioner-1.0.0.tgz b/charts/database-provisioner-1.0.0.tgz index 7f7b5c29..63c47f56 100644 Binary files a/charts/database-provisioner-1.0.0.tgz and b/charts/database-provisioner-1.0.0.tgz differ diff --git a/charts/generic-0.3.2.tgz b/charts/generic-0.3.2.tgz index 7aad667d..2799166a 100644 Binary files a/charts/generic-0.3.2.tgz and b/charts/generic-0.3.2.tgz differ diff --git a/charts/generic3-0.3.2.tgz b/charts/generic3-0.3.2.tgz index 6c2a98aa..85ebcb98 100644 Binary files a/charts/generic3-0.3.2.tgz and b/charts/generic3-0.3.2.tgz differ diff --git a/charts/keycloak-7.5.0.tgz b/charts/keycloak-7.5.0.tgz index 4f685b54..7c372be8 100644 Binary files a/charts/keycloak-7.5.0.tgz and b/charts/keycloak-7.5.0.tgz differ diff --git a/charts/kong-0.10.0.tgz b/charts/kong-0.10.0.tgz index f985c7d3..68c57253 100644 Binary files a/charts/kong-0.10.0.tgz and b/charts/kong-0.10.0.tgz differ diff --git a/charts/opendistro-es-1.11.0.tgz b/charts/opendistro-es-1.11.0.tgz new file mode 100644 index 00000000..4155570f Binary files /dev/null and b/charts/opendistro-es-1.11.0.tgz differ diff --git a/index.yaml b/index.yaml index 3cfa3a85..59ceea60 100644 --- a/index.yaml +++ b/index.yaml @@ -2,7 +2,7 @@ apiVersion: v1 entries: aether-couchdb-sync: - apiVersion: v1 - created: "2020-11-24T06:49:56.764561147-08:00" + created: "2020-12-11T16:49:52.869445066+01:00" description: The CouchDB Sync module for Aether, an open source development platform for data curation, exchange, and publication digest: 94663db9c562f35f22ea90820d01721390dbb9ae201ea839e31e7fe097737fcc 
@@ -12,18 +12,18 @@ entries: version: 1.2.0 couchdb-backup: - apiVersion: v1 - created: "2020-11-24T06:49:56.76512015-08:00" + created: "2020-12-11T16:49:52.870004075+01:00" description: A Helm chart for automating CouchDB backups - digest: acbd3f7361bf2c415b6e531247936ac7e1c04912c041a9b7e84ff6caca901983 + digest: 7f03e8ce5efb5f1ac81f23bc67c1dfc1ffce84d0c13a4d31836011d4e729b55a name: couchdb-backup urls: - https://ehealthafrica.github.io/helm-charts/charts/couchdb-backup-1.0.0.tgz version: 1.0.0 database-provisioner: - apiVersion: v1 - created: "2020-11-24T06:49:56.765623658-08:00" + created: "2020-12-11T16:49:52.870219283+01:00" description: A Helm chart for provisioning databases - digest: 70fec899cd44099b5adfb99708d402b76b4cc360d4f8b23d9541b2eefe0259c9 + digest: 314cd7d1171b059703b7d2f0f859e073862a506b162347ab3fe87962075503ca name: database-provisioner urls: - https://ehealthafrica.github.io/helm-charts/charts/database-provisioner-1.0.0.tgz @@ -31,16 +31,16 @@ entries: generic: - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.811894742-08:00" + created: "2020-12-11T16:49:52.886002817+01:00" description: A Generic Helm chart for Kubernetes - digest: 3cc9d83d6d7fbf69affd3717272693927df897c106f3766f822abfaf68a89129 + digest: 2906a4761d0651571db2bc89e4ee57291b489509ac18680335642e34026e1896 name: generic urls: - https://ehealthafrica.github.io/helm-charts/charts/generic-0.3.2.tgz version: 0.3.2 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.810638266-08:00" + created: "2020-12-11T16:49:52.885164028+01:00" description: A Generic Helm chart for Kubernetes digest: 10f2b56521458d58cd9fc95e12a0f086c7c3641875d3cd5c155e3eae15cfe94f name: generic 
@@ -49,7 +49,7 @@ entries: version: 0.3.1 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.809318765-08:00" + created: "2020-12-11T16:49:52.884451167+01:00" description: A Generic Helm chart for Kubernetes digest: 337f73d077ecf02f71d233aa6b9fbab1562ea67a8800be1a31dd439496d129c1 name: generic @@ -58,7 +58,7 @@ entries: version: 0.3.0 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.808264892-08:00" + created: "2020-12-11T16:49:52.883543053+01:00" description: A Generic Helm chart for Kubernetes digest: c7ab24a271f46a1284c71297383c110833ecc47dbb6bbe377d3ca09ed46c7f49 name: generic @@ -67,7 +67,7 @@ entries: version: 0.2.9 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.806923214-08:00" + created: "2020-12-11T16:49:52.88265392+01:00" description: A Generic Helm chart for Kubernetes digest: e934230cb9f11e6e89059dbe074518fcd9c9a72f2b3ccae47314dd93f674b9b7 name: generic @@ -76,7 +76,7 @@ entries: version: 0.2.8 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.805816578-08:00" + created: "2020-12-11T16:49:52.881770234+01:00" description: A Generic Helm chart for Kubernetes digest: f4b0038768002679ebbd7fbe875b76636bdf4115e4f28c46feb1e59000ee10ec name: generic @@ -85,7 +85,7 @@ entries: version: 0.2.7 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.804567002-08:00" + created: "2020-12-11T16:49:52.88099976+01:00" description: A Generic Helm chart for Kubernetes digest: 9bb082c417843a293274c4fbb9f983bcd0b4e0ee7b99d44ef55b1de5d2486368 name: generic @@ -94,7 +94,7 @@ entries: version: 0.2.6 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.799685035-08:00" + created: "2020-12-11T16:49:52.880228905+01:00" description: A Generic Helm chart for Kubernetes digest: f529e036dc23b30e83b2f0eca6f38a091bb060ce4b16440d32c7442fb9916192 name: generic 
@@ -103,7 +103,7 @@ entries: version: 0.2.5 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.796435314-08:00" + created: "2020-12-11T16:49:52.879082991+01:00" description: A Generic Helm chart for Kubernetes digest: fcdaf734d2fe928a32585c97b4d8cb6bce3a31f9b203f50b1fba44949a22b7ee name: generic @@ -112,7 +112,7 @@ entries: version: 0.2.4 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.792909862-08:00" + created: "2020-12-11T16:49:52.878272371+01:00" description: A Generic Helm chart for Kubernetes digest: c6d061ca74d2b518f2273ce4bad400846e5fa5d4bb5199a7cc35dc114205f1b6 name: generic @@ -121,7 +121,7 @@ entries: version: 0.2.3 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.788814255-08:00" + created: "2020-12-11T16:49:52.876687054+01:00" description: A Generic Helm chart for Kubernetes digest: 9af6d1356fbe192e26fd4a0bc69797a28b3e1bb6711132aea2597eead3711627 name: generic @@ -130,7 +130,7 @@ entries: version: 0.2.2 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.783834119-08:00" + created: "2020-12-11T16:49:52.875932389+01:00" description: A Generic Helm chart for Kubernetes digest: 5b61076f2673454ecab15461bec3e3c8e211990b1f7d904aa218c84198a380b7 name: generic @@ -139,7 +139,7 @@ entries: version: 0.2.1 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.781396783-08:00" + created: "2020-12-11T16:49:52.875285627+01:00" description: A Generic Helm chart for Kubernetes digest: 51db3c069dc057f75e8ee70757daaf78b6b42b19618ad2b8a3ae12a6c99a89ad name: generic @@ -148,7 +148,7 @@ entries: version: 0.2.0 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.779341336-08:00" + created: "2020-12-11T16:49:52.874656822+01:00" description: A Generic Helm chart for Kubernetes digest: bbfee1526a953f358d0ac390b5e2ca21ffd683b3f1f1387f67fa0f3b8bc5a8ab name: generic 
@@ -157,7 +157,7 @@ entries: version: 0.1.7 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.778084986-08:00" + created: "2020-12-11T16:49:52.874027649+01:00" description: A Generic Helm chart for Kubernetes digest: 726776bfc218704127d851e3664026b4d87917963510406c2e6b683858d238a1 name: generic @@ -166,7 +166,7 @@ entries: version: 0.1.6 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.77705315-08:00" + created: "2020-12-11T16:49:52.873328765+01:00" description: A Generic Helm chart for Kubernetes digest: 9699140edfbecf22e6ea1fe387e40f5fcdf35219896cf4a8599e5f28ecdde663 name: generic @@ -175,7 +175,7 @@ entries: version: 0.1.5 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.775805407-08:00" + created: "2020-12-11T16:49:52.872746576+01:00" description: A Generic Helm chart for Kubernetes digest: a29b00eb91e006b11d2959a3c3cc2caf695ae0403158f1f0758c0d27c3ed7d14 name: generic @@ -184,7 +184,7 @@ entries: version: 0.1.4 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.772674642-08:00" + created: "2020-12-11T16:49:52.872191957+01:00" description: A Generic Helm chart for Kubernetes digest: 6b7a220566d085053beeea929c3ea70b5ce4b0779b6c600ab57d3138b7e76587 name: generic @@ -193,7 +193,7 @@ entries: version: 0.1.3 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.770703303-08:00" + created: "2020-12-11T16:49:52.871649603+01:00" description: A Generic Helm chart for Kubernetes digest: 8153cb3920c4ca85c18b027d4854da990c97b3453b0d97e19ace8805ea32207e name: generic @@ -202,7 +202,7 @@ entries: version: 0.1.2 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.769375855-08:00" + created: "2020-12-11T16:49:52.871170199+01:00" description: A Generic Helm chart for Kubernetes digest: ca3bd2d3033da36d9d6a765f9b84d0872329e68b178199d7ac07301831818464 name: generic 
@@ -211,7 +211,7 @@ entries: version: 0.1.1 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.766880041-08:00" + created: "2020-12-11T16:49:52.870701118+01:00" description: A Generic Helm chart for Kubernetes digest: f989086c5c472493d44e7094946980e5a9c95a74f66e4fd20775fedf84b7a013 name: generic @@ -221,21 +221,21 @@ entries: generic3: - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.923393877-08:00" + created: "2020-12-11T16:49:52.947493032+01:00" dependencies: - condition: redis.enabled name: redis repository: https://charts.bitnami.com/bitnami version: ~10.6.12 description: A Generic Helm chart for Kubernetes - digest: 54831caa9258b90054b6bc03bb49fb59d78feaaab90f40349fe9f4705b863d51 + digest: fa0d38af9032a88192659550b15a0223fda54bf66bab84c150a0f01026150435 name: generic3 urls: - https://ehealthafrica.github.io/helm-charts/charts/generic3-0.3.2.tgz version: 0.3.2 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.914955642-08:00" + created: "2020-12-11T16:49:52.942123847+01:00" dependencies: - condition: redis.enabled name: redis @@ -249,7 +249,7 @@ entries: version: 0.3.1 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.90944167-08:00" + created: "2020-12-11T16:49:52.937556474+01:00" dependencies: - condition: redis.enabled name: redis @@ -263,7 +263,7 @@ entries: version: 0.3.0 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.900928663-08:00" + created: "2020-12-11T16:49:52.933157532+01:00" dependencies: - condition: aether.redis.enabled name: redis @@ -277,7 +277,7 @@ entries: version: 0.2.9 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.892899271-08:00" + created: "2020-12-11T16:49:52.928042663+01:00" dependencies: - condition: redis.enabled name: redis 
@@ -291,7 +291,7 @@ entries: version: 0.2.8 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.887008271-08:00" + created: "2020-12-11T16:49:52.923144969+01:00" dependencies: - condition: aether.redis.enabled name: redis @@ -305,7 +305,7 @@ entries: version: 0.2.7 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.875290981-08:00" + created: "2020-12-11T16:49:52.918991968+01:00" dependencies: - condition: aether.redis.enabled name: redis @@ -319,7 +319,7 @@ entries: version: 0.2.6 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.868186144-08:00" + created: "2020-12-11T16:49:52.914825851+01:00" dependencies: - condition: aether.redis.enabled name: redis @@ -333,7 +333,7 @@ entries: version: 0.2.5 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.858029461-08:00" + created: "2020-12-11T16:49:52.909767641+01:00" dependencies: - condition: aether.redis.enabled name: redis @@ -347,7 +347,7 @@ entries: version: 0.2.4 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.85023458-08:00" + created: "2020-12-11T16:49:52.904436141+01:00" dependencies: - condition: aether.redis.enabled name: redis @@ -361,7 +361,7 @@ entries: version: 0.2.3 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.838131378-08:00" + created: "2020-12-11T16:49:52.899135458+01:00" description: A Generic Helm chart for Kubernetes digest: 964e069a8dd4fccd82cc7c436165512611dc78aa9c5eb99ce8dd4034e2c8f35a name: generic3 @@ -370,7 +370,7 @@ entries: version: 0.2.2 - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.835381043-08:00" + created: "2020-12-11T16:49:52.898166503+01:00" description: A Generic Helm chart for Kubernetes digest: c8122c3843f5611c68e2c1e4f476ae8ba0c233d19d65cda970d504559ad6cf30 name: generic3 
@@ -379,7 +379,7 @@ entries: version: 0.2.1 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.83312117-08:00" + created: "2020-12-11T16:49:52.897177287+01:00" description: A Generic Helm chart for Kubernetes digest: c56aa4de0e73dcb593a283bd6901e8cd7098375a6b15f0821eaf2e733575c03d name: generic3 @@ -388,7 +388,7 @@ entries: version: 0.2.0 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.831434565-08:00" + created: "2020-12-11T16:49:52.895719591+01:00" description: A Generic Helm chart for Kubernetes digest: 5da5fc6b9a5ce6810f1c3215e06d0ea29ddca13f357e7dc64dfb571260f1e84d name: generic3 @@ -397,7 +397,7 @@ entries: version: 0.1.9 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.830256716-08:00" + created: "2020-12-11T16:49:52.894332239+01:00" description: A Generic Helm chart for Kubernetes digest: cba826d6e9df0e930d421a488d0850d8d7785cb4279358e88d9820ca92dd2d19 name: generic3 @@ -406,7 +406,7 @@ entries: version: 0.1.8 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.828964411-08:00" + created: "2020-12-11T16:49:52.893336199+01:00" description: A Generic Helm chart for Kubernetes digest: f483a153cf1d3cbf728dd8966d8f727fac405dc38210732aeb5954c08c99d255 name: generic3 @@ -415,7 +415,7 @@ entries: version: 0.1.7 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.827423985-08:00" + created: "2020-12-11T16:49:52.892445724+01:00" description: A Generic Helm chart for Kubernetes digest: 7e9d3df66ac3708dd6171b12e1032bd09e9819dc631372c897054b4da18c9331 name: generic3 @@ -424,7 +424,7 @@ entries: version: 0.1.6 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.825902777-08:00" + created: "2020-12-11T16:49:52.891615342+01:00" description: A Generic Helm chart for Kubernetes digest: 96ab5964f5c836474bbb9532cf7ff17815663707c6fc23e6e30a24055222b421 name: generic3 
@@ -433,7 +433,7 @@ entries: version: 0.1.5 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.824434378-08:00" + created: "2020-12-11T16:49:52.890758598+01:00" description: A Generic Helm chart for Kubernetes digest: fe9bdd30194ebc48b82fafd5f8c6575304d1ea9193559f59e66b052cfce13474 name: generic3 @@ -442,7 +442,7 @@ entries: version: 0.1.4 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.820497021-08:00" + created: "2020-12-11T16:49:52.889993929+01:00" description: A Generic Helm chart for Kubernetes digest: 08c2ad2be84f2793ddb0905c12fd8962d57fb4f8178227edb4485ded55f02a7d name: generic3 @@ -451,7 +451,7 @@ entries: version: 0.1.3 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.81833681-08:00" + created: "2020-12-11T16:49:52.889089996+01:00" description: A Generic Helm chart for Kubernetes digest: d28a5cb19b6e5208734446d2c9e62a4f10a53826729e9c63120b3ab08294b6d4 name: generic3 @@ -460,7 +460,7 @@ entries: version: 0.1.2 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.816322949-08:00" + created: "2020-12-11T16:49:52.888259777+01:00" description: A Generic Helm chart for Kubernetes digest: d816bdb34c39c0b8709f8efbacddcc7ac90c261b531420150e38c0b9b87ddd97 name: generic3 @@ -469,7 +469,7 @@ entries: version: 0.1.1 - apiVersion: v2 appVersion: "1.0" - created: "2020-11-24T06:49:56.814223221-08:00" + created: "2020-12-11T16:49:52.887058721+01:00" description: A Generic Helm chart for Kubernetes digest: ee30bec2f607b6dfc130e4b7aba93fb6456cd88e1da01d87823e4374655ef11e name: generic3 @@ -479,7 +479,7 @@ entries: helloworld: - apiVersion: v1 appVersion: "1.0" - created: "2020-11-24T06:49:56.924611292-08:00" + created: "2020-12-11T16:49:52.947885385+01:00" description: A Helm chart for Kubernetes digest: a530741c031d54379fe8381baac8245e925e0bd2c79e81bce3ed495ac41a52cc name: helloworld 
@@ -489,7 +489,7 @@ entries: keycloak: - apiVersion: v1 appVersion: 9.0.2 - created: "2020-11-24T06:49:56.931448068-08:00" + created: "2020-12-11T16:49:52.951092847+01:00" dependencies: - condition: keycloak.persistence.deployPostgres name: postgresql @@ -497,7 +497,7 @@ entries: version: 6.3.13 description: Open Source Identity and Access Management For Modern Applications and Services - digest: e4d059a76ab3caa204b74bd8b971ddfcfc88e1e8b6d1a24aaca2d263eadb47ec + digest: 4782df2aa72193aba5084e6df10ceee213482d3db7118c8379dc9e5149eb28d5 home: https://www.keycloak.org/ icon: https://www.keycloak.org/resources/images/keycloak_logo_480x108.png keywords: @@ -522,9 +522,9 @@ entries: kong: - apiVersion: v1 appVersion: "1.1" - created: "2020-11-24T06:49:56.932989256-08:00" + created: "2020-12-11T16:49:52.952918995+01:00" description: The Cloud-Native Ingress and Service Mesh for APIs and Microservices - digest: f9686e72b76bd4bc1113d73e5277cba043fb0bb0e6051b60f12bbfdd78b526c3 + digest: b533bbdd25b878905758897e376959103e07fc2f4756ae084703ddaa24a3ee8f home: https://KongHQ.com/ icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png maintainers: @@ -539,7 +539,7 @@ entries: logstash: - apiVersion: v1 appVersion: 7.5.2 - created: "2020-11-24T06:49:56.934416788-08:00" + created: "2020-12-11T16:49:52.954022716+01:00" description: Official Elastic helm chart for Logstash digest: 5e3a775debc2b09c5a5d245f040d928d98811a96e8631f52f11736d159ca7eb7 home: https://github.com/elastic/helm-charts 
@@ -554,9 +554,26 @@ entries: - https://ehealthafrica.github.io/helm-charts/charts/logstash-7.5.2.tgz version: 7.5.2 opendistro-es: + - apiVersion: v1 + appVersion: 1.11.0 + created: "2020-12-11T16:49:52.967959681+01:00" + description: Open Distro for Elasticsearch + digest: a4a79d4794072fa1b9d2e9c0c5e90dae8afddd97902be0132ba1dcf8d8b8ac7e + kubeVersion: ^1.10.0-0 + maintainers: + - email: derek.heldt-werle@viasat.com + name: Derek Heldt-Werle + - email: kalvin.chau@viasat.com + name: Kalvin Chau + name: opendistro-es + sources: + - https://pages.git.viasat.com/ATG/charts + urls: + - https://ehealthafrica.github.io/helm-charts/charts/opendistro-es-1.11.0.tgz + version: 1.11.0 - apiVersion: v1 appVersion: 1.8.0 - created: "2020-11-24T06:49:56.957828418-08:00" + created: "2020-12-11T16:49:52.969655686+01:00" description: Open Distro for Elasticsearch digest: d1a106b42372e0c230088a82e24c474275af0b0b993bbdb00d595c9c6523dc64 kubeVersion: ^1.10.0-0 @@ -573,7 +590,7 @@ entries: version: 1.8.0 - apiVersion: v1 appVersion: 1.0.0 - created: "2020-11-24T06:49:56.955749121-08:00" + created: "2020-12-11T16:49:52.966553146+01:00" description: Opendistro Elasticsearch digest: 0d969f81a141995b09e923568c8c03892218f823cf737d682ff4f23de892d63b kubeVersion: ^1.10.0-0 @@ -587,7 +604,7 @@ entries: version: 1.0.7 - apiVersion: v1 appVersion: 1.0.0 - created: "2020-11-24T06:49:56.952997125-08:00" + created: "2020-12-11T16:49:52.964838493+01:00" description: Opendistro Elasticsearch digest: 6ff1170c979257f4ad2085cac84b6d63208d2bf5bc32b60bbd16a2db0ef22422 kubeVersion: ^1.10.0-0 @@ -601,7 +618,7 @@ entries: version: 1.0.6 - apiVersion: v1 appVersion: 1.0.0 - created: "2020-11-24T06:49:56.950873592-08:00" + created: "2020-12-11T16:49:52.963455111+01:00" description: Opendistro Elasticsearch digest: 30a2c1a290924700eebe108a8a16dea6cd4e576b3684a7258adebc5c62e1d754 kubeVersion: ^1.10.0-0 
@@ -615,7 +632,7 @@ entries: version: 1.0.5 - apiVersion: v1 appVersion: 1.0.0 - created: "2020-11-24T06:49:56.948916954-08:00" + created: "2020-12-11T16:49:52.961671534+01:00" description: Opendistro Elasticsearch digest: a52a88c9d8ea55a9c35341fcee8e39c63276059bc24456bab042b7dc82e5b721 kubeVersion: ^1.10.0-0 @@ -629,7 +646,7 @@ entries: version: 1.0.4 - apiVersion: v1 appVersion: 1.0.0 - created: "2020-11-24T06:49:56.944870533-08:00" + created: "2020-12-11T16:49:52.959588667+01:00" description: Opendistro Elasticsearch digest: 46f82df3aaa62eefb611b5d14b86d9c42c66c20ad0f8b42b198447c6e8d8001b kubeVersion: ^1.10.0-0 @@ -643,7 +660,7 @@ entries: version: 1.0.3 - apiVersion: v1 appVersion: 1.0.0 - created: "2020-11-24T06:49:56.941899164-08:00" + created: "2020-12-11T16:49:52.958227+01:00" description: Opendistro Elasticsearch digest: 52b2f28b407772d8417a4b0628ec28ef2d55928793ef060782ffd0370701536f kubeVersion: ^1.10.0-0 @@ -657,7 +674,7 @@ entries: version: 1.0.2 - apiVersion: v1 appVersion: 1.0.0 - created: "2020-11-24T06:49:56.938584452-08:00" + created: "2020-12-11T16:49:52.956851813+01:00" description: Opendistro Elasticsearch digest: 0f9959ea4163c9c431334ccb5487666b4a26bdcbef3c28334621fff2a1766562 kubeVersion: ^1.10.0-0 @@ -671,7 +688,7 @@ entries: version: 1.0.1 - apiVersion: v1 appVersion: 1.0.0 - created: "2020-11-24T06:49:56.936252049-08:00" + created: "2020-12-11T16:49:52.955466887+01:00" description: Opendistro Elasticsearch digest: e7b57bf2c027b2878696cb1de02b4a0203bdf2dd8518229988b8654407af57bf kubeVersion: ^1.10.0-0 @@ -683,4 +700,4 @@ entries: urls: - https://ehealthafrica.github.io/helm-charts/charts/opendistro-es-1.0.0.tgz version: 1.0.0 -generated: "2020-11-24T06:49:56.763185836-08:00" +generated: "2020-12-11T16:49:52.868466758+01:00" diff --git a/src/opendistro-es/.helmignore b/src/opendistro-es/.helmignore old mode 100644 new mode 100755 
diff --git a/src/opendistro-es/Chart.yaml b/src/opendistro-es/Chart.yaml
old mode 100644
new mode 100755
index f810493f..1f9165d2
--- a/src/opendistro-es/Chart.yaml
+++ b/src/opendistro-es/Chart.yaml
@@ -1,11 +1,29 @@
+# Copyright 2019 Viasat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# or in the "license" file accompanying this file. This file is distributed
+# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+# express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
 apiVersion: v1
-appVersion: 1.0.0
-description: 'Opendistro Elasticsearch'
+# Open Distro for Elasticsearch version
+appVersion: 1.11.0
+description: 'Open Distro for Elasticsearch'
 engine: gotpl
 kubeVersion: ^1.10.0-0
 maintainers:
- - name: OpenDistro ES Maintainers
+- email: derek.heldt-werle@viasat.com
+ name: Derek Heldt-Werle
+- email: kalvin.chau@viasat.com
+ name: Kalvin Chau
 name: opendistro-es
 sources:
 - https://pages.git.viasat.com/ATG/charts
-version: 1.0.7
+# Chart version
+version: 1.11.0
diff --git a/src/opendistro-es/README.md b/src/opendistro-es/README.md
new file mode 100644
index 00000000..2ca4f4be
--- /dev/null
+++ b/src/opendistro-es/README.md
@@ -0,0 +1,6 @@
+# Custom eHA OpenDistro Chart
+
+This custom chart is cloned from [here](https://opendistro.github.io/for-elasticsearch-docs/docs/install/helm/).
+The `values.yaml` and `Chart.yaml` are major files that were edited. Others remain mostly a clone of the src code.
+
+Current Version is `1.11.0`.
diff --git a/src/opendistro-es/templates/_helpers.tpl b/src/opendistro-es/templates/_helpers.tpl
old mode 100644
new mode 100755
index fa32d1cc..15275eca
--- a/src/opendistro-es/templates/_helpers.tpl
+++ b/src/opendistro-es/templates/_helpers.tpl
@@ -1,4 +1,19 @@ {{/* vim: set filetype=mustache: */}} +{{/* +Copyright 2019 Viasat, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"). +You may not use this file except in compliance with the License. +A copy of the License is located at + + http://www.apache.org/licenses/LICENSE-2.0 + +or in the "license" file accompanying this file. This file is distributed +on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +express or implied. See the License for the specific language governing +permissions and limitations under the License. +*/}} + {{/* Expand the name of the chart. */}} @@ -29,11 +44,22 @@ If release name contains chart name it will be used as a full name. Define standard labels for frequently used metadata. */}} {{- define "opendistro-es.labels.standard" -}} +app: {{ template "opendistro-es.fullname" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" {{- end -}} +{{/* +Define labels for deployment/statefulset selectors. +We cannot have the chart label here as it will prevent upgrades. +*/}} +{{- define "opendistro-es.labels.selector" -}} +app: {{ template "opendistro-es.fullname" . }} +release: "{{ .Release.Name }}" +heritage: "{{ .Release.Service }}" +{{- end -}} + {{/* Create the name of the service account to use */}} diff --git a/src/opendistro-es/templates/elasticsearch/elasticsearch-serviceaccount.yaml b/src/opendistro-es/templates/elasticsearch/elasticsearch-serviceaccount.yaml old mode 100644 new mode 100755 index e3b6c569..070c9a51 --- a/src/opendistro-es/templates/elasticsearch/elasticsearch-serviceaccount.yaml +++ b/src/opendistro-es/templates/elasticsearch/elasticsearch-serviceaccount.yaml 
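Review bot: The new `opendistro-es.labels.selector` helper in the `@@ -29,11 +44,22 @@` hunk keeps `heritage: "{{ .Release.Service }}"` in the selector, which has the same problem its own comment gives for leaving out the chart label. Selectors on Deployments and StatefulSets are immutable, and `.Release.Service` changes from `Tiller` to `Helm` when a release moves from Helm 2 to Helm 3, so such an upgrade would be rejected. I would drop the `heritage` line from the selector helper and keep only `app` and `release` there. The added `app: {{ template "opendistro-es.fullname" . }}` lines are also the only unquoted values in the two helpers; writing `app: "{{ template "opendistro-es.fullname" . }}"` would match the neighbouring lines.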
@@ -1,3 +1,18 @@
+# Copyright 2019 Viasat, Inc.
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# or in the "license" file accompanying this file. This file is distributed
+# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+# express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+# @formatter:off
 {{ if .Values.elasticsearch.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
diff --git a/src/opendistro-es/templates/elasticsearch/es-client-deploy.yaml b/src/opendistro-es/templates/elasticsearch/es-client-deploy.yaml
index 782ba452..ac3f6ddd 100644
--- a/src/opendistro-es/templates/elasticsearch/es-client-deploy.yaml
+++ b/src/opendistro-es/templates/elasticsearch/es-client-deploy.yaml
@@ -1,7 +1,19 @@
+# Copyright 2019 Viasat, Inc.
 # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: MIT-0
-{{- if .Values.elasticsearch.client.enabled }}
----
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# or in the "license" file accompanying this file. This file is distributed
+# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+# express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+# @formatter:off
+{{- if and .Values.elasticsearch.client.enabled .Values.elasticsearch.client.dedicatedPod.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -14,7 +26,8 @@ spec: replicas: {{ .Values.elasticsearch.client.replicas }} selector: matchLabels: -{{ include "opendistro-es.labels.standard" . | indent 8 }} +{{ include "opendistro-es.labels.selector" . | indent 6 }} + role: client template: metadata: labels: @@ -23,8 +36,11 @@ spec: annotations: {{/* This forces a restart if the secret config has changed */}} {{- if .Values.elasticsearch.config }} - configchecksum: {{ include (print .Template.BasePath "/elasticsearch/es-config.yaml") . | sha256sum | trunc 63 }} + configchecksum: {{ include (print .Template.BasePath "/elasticsearch/es-config-secret.yaml") . | sha256sum | trunc 63 }} {{- end }} +{{- if .Values.elasticsearch.client.podAnnotations }} +{{ toYaml .Values.elasticsearch.client.podAnnotations | indent 8 }} +{{- end }} spec: {{- include "opendistro-es.imagePullSecrets" . | indent 6 }} serviceAccountName: {{ template "opendistro-es.elasticsearch.serviceAccountName" . }} 
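Review bot: The `matchLabels` change in the `@@ -14,7 +26,8 @@` hunk needs a migration note, because `spec.selector` of an `apps/v1` Deployment is immutable. An in-place `helm upgrade` of a release rendered with the old `opendistro-es.labels.standard` selector will be rejected by the API server until the existing Deployment is deleted. A short comment above the selector, for example `# selector changed in chart 1.11.0; delete the existing client Deployment before upgrading`, or the same sentence in the README would cover it. The new `role: client` selector entry must also be present in the pod template labels, which lie outside this hunk, so that is worth confirming.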
@@ -36,31 +52,29 @@ spec: nodeSelector: {{ toYaml . | indent 8 }} {{- end }} - # Weighted anti-affinity to disallow deploying client node to the same worker node as master node + {{- with .Values.elasticsearch.client.affinity }} affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchLabels: - role: client - {{- with .Values.elasticsearch.client.nodeAffinity }} - nodeAffinity: -{{ toYaml . | indent 10 }} - {{- end }} +{{ toYaml . | indent 8 }} + {{- end }} initContainers: +{{- if .Values.elasticsearch.sysctl.enabled }} - name: init-sysctl - image: {{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} + image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} command: - sysctl - -w - vm.max_map_count={{ .Values.elasticsearch.maxMapCount }} securityContext: privileged: true +{{- end }} +{{- if .Values.elasticsearch.extraInitContainers }} +{{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }} +{{- end }} containers: - name: elasticsearch + securityContext: + capabilities: + add: ["SYS_CHROOT"] env: - name: cluster.name value: {{ .Values.global.clusterName }} @@ -94,8 +108,8 @@ spec: resources: {{ toYaml .Values.elasticsearch.client.resources | indent 12 }} # Official Image from Open Distro Team - image: {{ .Values.elasticsearch.image }}:{{ .Values.elasticsearch.imageTag }} - imagePullPolicy: Always + image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.image }}:{{ .Values.elasticsearch.imageTag }} + imagePullPolicy: {{ .Values.elasticsearch.imagePullPolicy | default "Always" | quote }} ports: - containerPort: 9200 name: http 
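Review bot: The elasticsearch container gains `capabilities: add: ["SYS_CHROOT"]` unconditionally in the `@@ -36,31 +52,29 @@` hunk, with no comment saying what needs it, so every client pod carries the extra capability and a cluster whose pod security policy forbids added capabilities will refuse the pod. I would state the reason in a comment and render the block from values so operators can tighten or remove it, e.g. wrap it in `{{- with .Values.elasticsearch.client.securityContext }}` (a proposed new values key, not one the visible diff defines). In the same hunk the `init-sysctl` container stays `privileged: true`; gating it behind `elasticsearch.sysctl.enabled` is an improvement, but the default of that value is not visible here and deserves a values comment explaining when it can be left off. The container spec continues outside the hunk.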
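Review bot: An empty or unset `global.registry` makes the image line in the `@@ -94,8 +108,8 @@` hunk render as `image: /<image>:<tag>`, which is not a valid image reference; the same prefix is added to the `init-sysctl` image in the previous hunk. Either fail early with `{{ required "global.registry must be set" .Values.global.registry }}/...` or emit the prefix only when the value is non-empty. values.yaml is not part of the visible diff, so a default may already cover this.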
@@ -103,12 +117,18 @@ spec: name: transport - containerPort: 9600 name: metrics + - containerPort: 9650 + name: rca {{- with .Values.elasticsearch.client.readinessProbe}} readinessProbe: {{ toYaml . | indent 10 }} {{- end }} {{- with .Values.elasticsearch.client.livenessProbe}} livenessProbe: +{{ toYaml . | indent 10 }} + {{- end }} + {{- with .Values.elasticsearch.client.startupProbe}} + startupProbe: {{ toYaml . | indent 10 }} {{- end }} volumeMounts: @@ -117,9 +137,6 @@ spec: name: config subPath: elasticsearch.yml {{- end }} - - mountPath: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml - name: security-config - subPath: config.yml {{- if .Values.elasticsearch.log4jConfig }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/log4j2.properties name: config 
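Review bot: The `startupProbe` block added in the `@@ -103,12 +117,18 @@` hunk uses a field the API server only accepts from Kubernetes 1.16 on (behind a feature gate that is off by default before 1.18), while Chart.yaml in this commit still declares `kubeVersion: ^1.10.0-0`. Because the block is rendered only when `elasticsearch.client.startupProbe` is set, a comment next to that key in values, such as `# startupProbe requires Kubernetes >= 1.16`, is enough to keep users on older clusters from a rejected manifest. The new `rca` container port 9650 is likewise undocumented; whether a Service exposes it is not visible in this hunk.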
@@ -128,44 +145,47 @@ spec: - mountPath: {{ .Values.elasticsearch.configDirectory }}/logging.yml name: config subPath: logging.yml - {{- if and .Values.elasticsearch.ssl.transport.enabled .Values.elasticsearch.ssl.transport.existingCertSecret }} - - mountPath: {{ .Values.elasticsearch.configDirectory }}/transport-crt.pem + {{- if .Values.elasticsearch.ssl.transport.existingCertSecret }} + - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-transport-crt.pem name: transport-certs - subPath: transport-crt.pem - - mountPath: {{ .Values.elasticsearch.configDirectory }}/transport-key.pem + subPath: {{ .Values.elasticsearch.ssl.transport.existingCertSecretCertSubPath }} + - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-transport-key.pem name: transport-certs - subPath: transport-key.pem - - mountPath: {{ .Values.elasticsearch.configDirectory }}/transport-root-ca.pem + subPath: {{ .Values.elasticsearch.ssl.transport.existingCertSecretKeySubPath }} + - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-transport-root-ca.pem name: transport-certs - subPath: transport-root-ca.pem + subPath: {{ .Values.elasticsearch.ssl.transport.existingCertSecretRootCASubPath }} {{- end }} {{- if and .Values.elasticsearch.ssl.rest.enabled .Values.elasticsearch.ssl.rest.existingCertSecret }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-rest-crt.pem name: rest-certs - subPath: elk-rest-crt.pem + subPath: {{ .Values.elasticsearch.ssl.rest.existingCertSecretCertSubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-rest-key.pem name: rest-certs - subPath: elk-rest-key.pem + subPath: {{ .Values.elasticsearch.ssl.rest.existingCertSecretKeySubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-rest-root-ca.pem name: rest-certs - subPath: elk-rest-root-ca.pem + subPath: {{ .Values.elasticsearch.ssl.rest.existingCertSecretRootCASubPath }} {{- end }} {{- if and .Values.elasticsearch.ssl.admin.enabled 
.Values.elasticsearch.ssl.admin.existingCertSecret }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/admin-crt.pem name: admin-certs - subPath: admin-crt.pem + subPath: {{ .Values.elasticsearch.ssl.admin.existingCertSecretCertSubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/admin-key.pem name: admin-certs - subPath: admin-key.pem + subPath: {{ .Values.elasticsearch.ssl.admin.existingCertSecretKeySubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/admin-root-ca.pem name: admin-certs - subPath: admin-root-ca.pem + subPath: {{ .Values.elasticsearch.ssl.admin.existingCertSecretRootCASubPath }} {{- end }} +{{- if .Values.elasticsearch.extraVolumeMounts }} +{{ toYaml .Values.elasticsearch.extraVolumeMounts | indent 8 }} +{{- end }} volumes: - name: config - configMap: - name: {{ template "opendistro-es.fullname" . }}-config - {{- if and .Values.elasticsearch.ssl.transport.enabled .Values.elasticsearch.ssl.transport.existingCertSecret }} + secret: + secretName: {{ template "opendistro-es.fullname" . }}-es-config + {{- if .Values.elasticsearch.ssl.transport.existingCertSecret }} - name: transport-certs secret: secretName: {{ .Values.elasticsearch.ssl.transport.existingCertSecret }} @@ -180,7 +200,7 @@ spec: secret: secretName: {{ .Values.elasticsearch.ssl.admin.existingCertSecret }} {{- end }} - - name: security-config - configMap: - name: {{ template "opendistro-es.fullname" . }}-security-config +{{- if .Values.elasticsearch.extraVolumes }} +{{ toYaml .Values.elasticsearch.extraVolumes | indent 6 }} +{{- end }} {{- end }} diff --git a/src/opendistro-es/templates/elasticsearch/es-client-ingress.yaml b/src/opendistro-es/templates/elasticsearch/es-client-ingress.yaml old mode 100644 new mode 100755 index cddb379c..0267bc21 --- a/src/opendistro-es/templates/elasticsearch/es-client-ingress.yaml +++ b/src/opendistro-es/templates/elasticsearch/es-client-ingress.yaml 
@@ -1,8 +1,22 @@ -{{- if and .Values.elasticsearch.client.ingress.enabled .Values.elasticsearch.client.enabled -}} -{{- $fullName := printf "%s-%s" (include "opendistro-es.fullname" .) "client-service" }} -{{- $ingressPath := .Values.elasticsearch.client.ingress.path -}} +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off +{{- if and .Values.elasticsearch.client.ingress.enabled .Values.elasticsearch.client.enabled }} +{{ $fullName := printf "%s-%s" (include "opendistro-es.fullname" .) "client-service" }} +{{ $ingressPath := .Values.elasticsearch.client.ingress.path }} kind: Ingress -apiVersion: apps/v1 +apiVersion: extensions/v1beta1 metadata: name: {{ $fullName }} labels: @@ -31,5 +45,5 @@ spec: backend: serviceName: {{ $fullName }} servicePort: http - {{- end -}} -{{- end -}} + {{- end }} +{{- end }} diff --git a/src/opendistro-es/templates/elasticsearch/es-client-pdb.yaml b/src/opendistro-es/templates/elasticsearch/es-client-pdb.yaml old mode 100644 new mode 100755 index c976b5e5..89e4a1b2 --- a/src/opendistro-es/templates/elasticsearch/es-client-pdb.yaml +++ b/src/opendistro-es/templates/elasticsearch/es-client-pdb.yaml 
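Review bot: `apiVersion: extensions/v1beta1` corrects the wrong `apps/v1`, but that group is deprecated for Ingress and is no longer served from Kubernetes 1.22 on, so the template will stop installing on newer clusters. `apiVersion: networking.k8s.io/v1beta1` accepts the same `serviceName`/`servicePort` backend shown in the second hunk and is available from 1.14. Better still is to select the version with `.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1"` and fall back to `extensions/v1beta1` only when it is absent. The rest of the Ingress spec, including any TLS section, lies outside the hunks.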
@@ -1,7 +1,18 @@ -# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: MIT-0 -{{- if and .Values.elasticsearch.client.podDisruptionBudget.enabled .Values.elasticsearch.client.enabled }} ---- +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off +{{- if and .Values.elasticsearch.client.podDisruptionBudget.enabled .Values.elasticsearch.client.enabled .Values.elasticsearch.client.dedicatedPod.enabled }} apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: @@ -11,7 +22,7 @@ metadata: {{ include "opendistro-es.labels.standard" . | indent 4 }} spec: {{- if .Values.elasticsearch.client.podDisruptionBudget.minAvailable }} - minAvailable: {{ .Values.client.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.elasticsearch.client.podDisruptionBudget.minAvailable }} {{- end }} {{- if .Values.elasticsearch.client.podDisruptionBudget.maxUnavailable }} maxUnavailable: {{ .Values.elasticsearch.client.podDisruptionBudget.maxUnavailable }} diff --git a/src/opendistro-es/templates/elasticsearch/es-data-pdb.yaml b/src/opendistro-es/templates/elasticsearch/es-data-pdb.yaml old mode 100644 new mode 100755 index 0d0ca789..961a6471 --- a/src/opendistro-es/templates/elasticsearch/es-data-pdb.yaml +++ b/src/opendistro-es/templates/elasticsearch/es-data-pdb.yaml 
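Review bot: `minAvailable` and `maxUnavailable` are rendered by two independent `if` blocks in the `@@ -11,7 +22,7 @@` hunk, so setting both in values produces a PodDisruptionBudget that the API server rejects. `minAvailable: 0` is also silently dropped, because the template `if` treats 0 as false. I would merge the two blocks into one `if … else if … end`, with the second test written as `{{- else if .Values.elasticsearch.client.podDisruptionBudget.maxUnavailable }}`. The same structure appears in es-data-pdb.yaml and es-master-pdb.yaml, and the remainder of the spec is outside the hunk.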
@@ -1,7 +1,18 @@ -# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: MIT-0 -{{- if and .Values.elasticsearch.data.podDisruptionBudget.enabled .Values.elasticsearch.data.enabled }} ---- +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off +{{- if and .Values.elasticsearch.data.podDisruptionBudget.enabled .Values.elasticsearch.data.enabled .Values.elasticsearch.data.dedicatedPod.enabled }} apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: @@ -11,7 +22,7 @@ metadata: {{ include "opendistro-es.labels.standard" . | indent 4 }} spec: {{- if .Values.elasticsearch.data.podDisruptionBudget.minAvailable }} - minAvailable: {{ .Values.data.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.elasticsearch.data.podDisruptionBudget.minAvailable }} {{- end }} {{- if .Values.elasticsearch.data.podDisruptionBudget.maxUnavailable }} maxUnavailable: {{ .Values.elasticsearch.data.podDisruptionBudget.maxUnavailable }} diff --git a/src/opendistro-es/templates/elasticsearch/es-data-sts.yaml b/src/opendistro-es/templates/elasticsearch/es-data-sts.yaml index bbe09f07..0537a0e1 100644 --- a/src/opendistro-es/templates/elasticsearch/es-data-sts.yaml +++ b/src/opendistro-es/templates/elasticsearch/es-data-sts.yaml 
@@ -1,7 +1,19 @@ +# Copyright 2019 Viasat, Inc. # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: MIT-0 -{{ if .Values.elasticsearch.data.enabled }} ---- +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off +{{ if and .Values.elasticsearch.data.enabled .Values.elasticsearch.data.dedicatedPod.enabled }} apiVersion: apps/v1 kind: StatefulSet metadata: @@ -15,7 +27,8 @@ spec: replicas: {{ .Values.elasticsearch.data.replicas }} selector: matchLabels: -{{ include "opendistro-es.labels.standard" . | indent 8 }} +{{ include "opendistro-es.labels.selector" . | indent 6 }} + role: data updateStrategy: type: {{ .Values.elasticsearch.data.updateStrategy }} template: @@ -26,8 +39,11 @@ spec: annotations: {{/* This forces a restart if the secret config has changed */}} {{- if .Values.elasticsearch.config }} - configchecksum: {{ include (print .Template.BasePath "/elasticsearch/es-config.yaml") . | sha256sum | trunc 63 }} + configchecksum: {{ include (print .Template.BasePath "/elasticsearch/es-config-secret.yaml") . | sha256sum | trunc 63 }} {{- end }} +{{- if .Values.elasticsearch.data.podAnnotations }} +{{ toYaml .Values.elasticsearch.data.podAnnotations | indent 8 }} +{{- end }} spec: {{- include "opendistro-es.imagePullSecrets" . | indent 6 }} {{- with .Values.elasticsearch.data.tolerations }} 
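Review bot: Changing `spec.selector.matchLabels` in the `@@ -15,7 +27,8 @@` hunk will block in-place upgrades, because a StatefulSet's selector is immutable once the object exists. A `helm upgrade` of a release installed from the previous template is therefore expected to fail until the StatefulSet is deleted (without cascading to its pods) and recreated. I would state this in the chart's upgrade notes and add a comment above the selector, e.g. `# selector is immutable: changing these labels requires recreating the StatefulSet`. The `opendistro-es.labels.selector` helper and the pod template labels are not visible here, so it is worth confirming the template labels contain every selector label plus `role: data`. es-master-sts.yaml makes the same selector change.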
@@ -39,37 +55,36 @@ spec: {{ toYaml . | indent 8 }} {{- end }} initContainers: +{{- if .Values.elasticsearch.sysctl.enabled }} - name: init-sysctl - image: {{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} + image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} command: - sysctl - -w - vm.max_map_count={{ .Values.elasticsearch.maxMapCount }} securityContext: privileged: true +{{- end }} - name: fixmount command: [ 'sh', '-c', 'chown -R 1000:1000 /usr/share/elasticsearch/data' ] - image: busybox + image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} volumeMounts: - mountPath: /usr/share/elasticsearch/data name: data - # Weighted anti-affinity to disallow deploying client node to the same worker node as master node + subPath: {{ .Values.elasticsearch.data.persistence.subPath }} +{{- if .Values.elasticsearch.extraInitContainers }} +{{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }} +{{- end }} + {{- with .Values.elasticsearch.data.affinity }} affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchLabels: - role: data - {{- with .Values.elasticsearch.data.nodeAffinity }} - nodeAffinity: -{{ toYaml . | indent 10 }} - {{- end }} +{{ toYaml . | indent 8 }} + {{- end }} serviceAccountName: {{ template "opendistro-es.elasticsearch.serviceAccountName" . }} containers: - name: elasticsearch + securityContext: + capabilities: + add: ["SYS_CHROOT"] env: - name: cluster.name value: {{ .Values.global.clusterName }} 
@@ -101,8 +116,8 @@ spec: {{ toYaml .Values.elasticsearch.extraEnvs | indent 8 }} {{- end }} # Official Image from Open Distro Team - image: {{ .Values.elasticsearch.image }}:{{ .Values.elasticsearch.imageTag }} - imagePullPolicy: Always + image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.image }}:{{ .Values.elasticsearch.imageTag }} + imagePullPolicy: {{ .Values.elasticsearch.imagePullPolicy | default "Always" | quote }} # only publish the transport port ports: - containerPort: 9300 @@ -115,11 +130,16 @@ spec: {{- end }} {{- with .Values.elasticsearch.data.livenessProbe}} livenessProbe: +{{ toYaml . | indent 10 }} + {{- end }} + {{- with .Values.elasticsearch.data.startupProbe}} + startupProbe: {{ toYaml . | indent 10 }} {{- end }} volumeMounts: - mountPath: /usr/share/elasticsearch/data name: data + subPath: {{ .Values.elasticsearch.data.persistence.subPath }} {{- if .Values.elasticsearch.config }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elasticsearch.yml name: config 
@@ -133,47 +153,47 @@ spec: - mountPath: {{ .Values.elasticsearch.configDirectory }}/logging.yml name: config subPath: logging.yml - {{- if and .Values.elasticsearch.ssl.transport.enabled .Values.elasticsearch.ssl.transport.existingCertSecret }} - - mountPath: {{ .Values.elasticsearch.configDirectory }}/transport-crt.pem + {{- if .Values.elasticsearch.ssl.transport.existingCertSecret }} + - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-transport-crt.pem name: transport-certs - subPath: transport-crt.pem - - mountPath: {{ .Values.elasticsearch.configDirectory }}/transport-key.pem + subPath: {{ .Values.elasticsearch.ssl.transport.existingCertSecretCertSubPath }} + - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-transport-key.pem name: transport-certs - subPath: transport-key.pem - - mountPath: {{ .Values.elasticsearch.configDirectory }}/transport-root-ca.pem + subPath: {{ .Values.elasticsearch.ssl.transport.existingCertSecretKeySubPath }} + - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-transport-root-ca.pem name: transport-certs - subPath: transport-root-ca.pem - {{- end }} - {{- if and .Values.elasticsearch.ssl.rest.enabled .Values.elasticsearch.ssl.rest.existingCertSecret }} + subPath: {{ .Values.elasticsearch.ssl.transport.existingCertSecretRootCASubPath }} + {{- end }} + {{- if and .Values.elasticsearch.ssl.rest.enabled .Values.elasticsearch.ssl.rest.existingCertSecret }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-rest-crt.pem name: rest-certs - subPath: elk-rest-crt.pem + subPath: {{ .Values.elasticsearch.ssl.rest.existingCertSecretCertSubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-rest-key.pem name: rest-certs - subPath: elk-rest-key.pem + subPath: {{ .Values.elasticsearch.ssl.rest.existingCertSecretKeySubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-rest-root-ca.pem name: rest-certs - subPath: elk-rest-root-ca.pem - {{- end }} - {{- if and 
.Values.elasticsearch.ssl.admin.enabled .Values.elasticsearch.ssl.admin.existingCertSecret }} + subPath: {{ .Values.elasticsearch.ssl.rest.existingCertSecretRootCASubPath }} + {{- end }} + {{- if and .Values.elasticsearch.ssl.admin.enabled .Values.elasticsearch.ssl.admin.existingCertSecret }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/admin-crt.pem name: admin-certs - subPath: admin-crt.pem + subPath: {{ .Values.elasticsearch.ssl.admin.existingCertSecretCertSubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/admin-key.pem name: admin-certs - subPath: admin-key.pem + subPath: {{ .Values.elasticsearch.ssl.admin.existingCertSecretKeySubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/admin-root-ca.pem name: admin-certs - subPath: admin-root-ca.pem + subPath: {{ .Values.elasticsearch.ssl.admin.existingCertSecretRootCASubPath }} {{- end }} - - mountPath: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml - name: security-config - subPath: config.yml +{{- if .Values.elasticsearch.extraVolumeMounts }} +{{ toYaml .Values.elasticsearch.extraVolumeMounts | indent 8 }} +{{- end }} volumes: - name: config - configMap: - name: {{ template "opendistro-es.fullname" . }}-config - {{- if and .Values.elasticsearch.ssl.transport.enabled .Values.elasticsearch.ssl.transport.existingCertSecret }} + secret: + secretName: {{ template "opendistro-es.fullname" . }}-es-config + {{- if .Values.elasticsearch.ssl.transport.existingCertSecret }} - name: transport-certs secret: secretName: {{ .Values.elasticsearch.ssl.transport.existingCertSecret }} 
@@ -188,16 +208,41 @@ spec: secret: secretName: {{ .Values.elasticsearch.ssl.admin.existingCertSecret }} {{- end }} - - name: security-config - configMap: - name: {{ template "opendistro-es.fullname" . }}-security-config + {{- if not .Values.elasticsearch.data.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else }} + {{- if .Values.elasticsearch.data.persistence.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ .Values.elasticsearch.data.persistence.existingClaim }} + {{- end }} + {{- end }} +{{- if .Values.elasticsearch.extraVolumes }} +{{ toYaml .Values.elasticsearch.extraVolumes | indent 6 }} +{{- end }} + {{- if and .Values.elasticsearch.data.persistence.enabled (not .Values.elasticsearch.data.persistence.existingClaim) }} volumeClaimTemplates: - metadata: name: data + annotations: + {{- range $key, $value := .Values.elasticsearch.data.persistence.annotations }} + {{ $key }}: {{ $value }} + {{- end }} spec: - accessModes: [ ReadWriteOnce ] - storageClassName: {{ .Values.elasticsearch.data.storageClassName }} + accessModes: + {{- range .Values.elasticsearch.data.persistence.accessModes }} + - {{ . | quote }} + {{- end }} resources: requests: - storage: {{ .Values.elasticsearch.data.storage }} + storage: {{ .Values.elasticsearch.data.persistence.size | quote }} + {{- if .Values.elasticsearch.data.persistence.storageClass }} + {{- if (eq "-" .Values.elasticsearch.data.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.elasticsearch.data.persistence.storageClass }}" + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/src/opendistro-es/templates/elasticsearch/es-data-svc.yaml b/src/opendistro-es/templates/elasticsearch/es-data-svc.yaml old mode 100644 new mode 100755 index a6b10465..895ff205 --- a/src/opendistro-es/templates/elasticsearch/es-data-svc.yaml +++ b/src/opendistro-es/templates/elasticsearch/es-data-svc.yaml 
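Review bot: The PVC annotation loop emits `{{ $key }}: {{ $value }}` unquoted, so a value such as `true` or `1` is parsed as a boolean or number and the claim template is rejected, since annotation values must be strings. I would write `{{ $key }}: {{ $value | quote }}` and wrap the `annotations:` key in `{{- with .Values.elasticsearch.data.persistence.annotations }}` so an empty map does not leave a bare key. The `claimName` line above is likewise unquoted. With `persistence.enabled` false the data volume becomes an `emptyDir`, which should carry a comment saying that index data is lost when the pod is rescheduled. es-master-sts.yaml adds the same loop.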
@@ -1,7 +1,18 @@ +# Copyright 2019 Viasat, Inc. # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: MIT-0 -{{- if .Values.elasticsearch.data.enabled }} ---- +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off apiVersion: v1 kind: Service metadata: @@ -18,7 +29,12 @@ spec: name: http - port: 9600 name: metrics + - port: 9650 + name: rca clusterIP: None selector: + {{- if .Values.elasticsearch.data.dedicatedPod.enabled }} role: data -{{- end }} \ No newline at end of file + {{- else }} + role: master + {{- end }} diff --git a/src/opendistro-es/templates/elasticsearch/es-master-pdb.yaml b/src/opendistro-es/templates/elasticsearch/es-master-pdb.yaml old mode 100644 new mode 100755 index d77c82b5..8cac05db --- a/src/opendistro-es/templates/elasticsearch/es-master-pdb.yaml +++ b/src/opendistro-es/templates/elasticsearch/es-master-pdb.yaml 
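Review bot: The selector in the `@@ -18,7 +29,12 @@` hunk branches on `data.dedicatedPod.enabled` alone, while the StatefulSet in es-data-sts.yaml is rendered only when `data.enabled` and `data.dedicatedPod.enabled` are both true. The first hunk of this file also removes the `data.enabled` guard, so the Service is now always created. With `data.enabled: false` and `dedicatedPod.enabled: true` it would select `role: data` pods that never exist. I would test `{{- if and .Values.elasticsearch.data.enabled .Values.elasticsearch.data.dedicatedPod.enabled }}` here so the branch matches the StatefulSet condition. The rest of the selector lies outside the hunk.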
@@ -1,7 +1,18 @@ -# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: MIT-0 +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{- if and .Values.elasticsearch.master.podDisruptionBudget.enabled .Values.elasticsearch.master.enabled }} ---- apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: @@ -11,7 +22,7 @@ metadata: {{ include "opendistro-es.labels.standard" . | indent 4 }} spec: {{- if .Values.elasticsearch.master.podDisruptionBudget.minAvailable }} - minAvailable: {{ .Values.master.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.elasticsearch.master.podDisruptionBudget.minAvailable }} {{- end }} {{- if .Values.elasticsearch.master.podDisruptionBudget.maxUnavailable }} maxUnavailable: {{ .Values.elasticsearch.master.podDisruptionBudget.maxUnavailable }} diff --git a/src/opendistro-es/templates/elasticsearch/es-master-sts.yaml b/src/opendistro-es/templates/elasticsearch/es-master-sts.yaml index 3a5af7c1..3c46a792 100644 --- a/src/opendistro-es/templates/elasticsearch/es-master-sts.yaml +++ b/src/opendistro-es/templates/elasticsearch/es-master-sts.yaml 
@@ -1,7 +1,19 @@ +# Copyright 2019 Viasat, Inc. # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: MIT-0 +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{- if .Values.elasticsearch.master.enabled }} ---- apiVersion: apps/v1 kind: StatefulSet metadata: @@ -11,13 +23,14 @@ metadata: name: {{ template "opendistro-es.fullname" . }}-master namespace: {{ .Release.Namespace }} spec: - serviceName: {{ template "opendistro-es.fullname" . }}-discovery replicas: {{ .Values.elasticsearch.master.replicas }} selector: matchLabels: -{{ include "opendistro-es.labels.standard" . | indent 8 }} +{{ include "opendistro-es.labels.selector" . | indent 6 }} + role: master updateStrategy: type: {{ .Values.elasticsearch.master.updateStrategy }} + serviceName: {{ template "opendistro-es.fullname" . }}-discovery template: metadata: labels: 
@@ -26,8 +39,11 @@ spec: annotations: {{/* This forces a restart if the secret config has changed */}} {{- if .Values.elasticsearch.config }} - configchecksum: {{ include (print .Template.BasePath "/elasticsearch/es-config.yaml") . | sha256sum | trunc 63 }} + configchecksum: {{ include (print .Template.BasePath "/elasticsearch/es-config-secret.yaml") . | sha256sum | trunc 63 }} {{- end }} +{{- if .Values.elasticsearch.master.podAnnotations }} +{{ toYaml .Values.elasticsearch.master.podAnnotations | indent 8 }} +{{- end }} spec: {{- include "opendistro-es.imagePullSecrets" . | indent 6 }} serviceAccountName: {{ template "opendistro-es.elasticsearch.serviceAccountName" . }} 
@@ -39,35 +55,39 @@ spec: nodeSelector: {{ toYaml . | indent 8 }} {{- end }} - # Anti-affinity to disallow deploying client and master nodes on the same worker node + {{- with .Values.elasticsearch.master.affinity }} affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchLabels: - role: master - {{- with .Values.elasticsearch.master.nodeAffinity }} - nodeAffinity: -{{ toYaml . | indent 10 }} - {{- end }} +{{ toYaml . | indent 8 }} + {{- end }} initContainers: +{{- if .Values.elasticsearch.sysctl.enabled }} - name: init-sysctl - image: {{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} + image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} command: - sysctl - -w - vm.max_map_count={{ .Values.elasticsearch.maxMapCount }} securityContext: privileged: true +{{- end }} - name: fixmount command: [ 'sh', '-c', 'chown -R 1000:1000 /usr/share/elasticsearch/data' ] - image: busybox + image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} volumeMounts: - mountPath: /usr/share/elasticsearch/data name: data + subPath: {{ .Values.elasticsearch.master.persistence.subPath }} +{{- if .Values.elasticsearch.extraInitContainers }} +{{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }} +{{- end }} +{{- if .Values.elasticsearch.master.extraInitContainers }} +{{ toYaml .Values.elasticsearch.master.extraInitContainers| indent 6 }} +{{- end }} containers: - name: elasticsearch + securityContext: + capabilities: + add: ["SYS_CHROOT"] env: - name: cluster.name value: {{ .Values.global.clusterName }} 
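Review bot: Dropping the built-in `requiredDuringSchedulingIgnoredDuringExecution` anti-affinity means all master pods can be scheduled onto one worker unless the operator supplies `elasticsearch.master.affinity`. values.yaml is not visible here; if it does not ship an equivalent default, a single node failure can remove master quorum. I would keep the old rule as the default value of `elasticsearch.master.affinity` in values.yaml, or at least add a comment here such as `# no default anti-affinity: set elasticsearch.master.affinity to spread masters across nodes`. The client and data templates drop their weighted preferences in the same way.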
@@ -76,9 +96,17 @@ spec: - name: node.master value: "true" - name: node.ingest + {{- if .Values.elasticsearch.client.dedicatedPod.enabled }} value: "false" + {{- else }} + value: "true" + {{- end }} - name: node.data + {{- if .Values.elasticsearch.data.dedicatedPod.enabled }} value: "false" + {{- else }} + value: "true" + {{- end }} - name: network.host value: "0.0.0.0" {{- if .Values.elasticsearch.transportKeyPassphrase.enabled}} @@ -116,11 +144,15 @@ spec: {{- end }} {{- with .Values.elasticsearch.master.livenessProbe}} livenessProbe: +{{ toYaml . | indent 10 }} + {{- end }} + {{- with .Values.elasticsearch.master.startupProbe}} + startupProbe: {{ toYaml . | indent 10 }} {{- end }} # Official Image from Open Distro Team - image: {{ .Values.elasticsearch.image }}:{{ .Values.elasticsearch.imageTag }} - imagePullPolicy: Always + image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.image }}:{{ .Values.elasticsearch.imageTag }} + imagePullPolicy: {{ .Values.elasticsearch.imagePullPolicy | default "Always" | quote }} ports: - containerPort: 9300 name: transport @@ -128,9 +160,12 @@ spec: name: http - containerPort: 9600 name: metrics + - containerPort: 9650 + name: rca volumeMounts: - mountPath: /usr/share/elasticsearch/data name: data + subPath: {{ .Values.elasticsearch.master.persistence.subPath }} {{- if .Values.elasticsearch.config }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elasticsearch.yml name: config 
@@ -144,82 +179,86 @@ spec: - mountPath: {{ .Values.elasticsearch.configDirectory }}/logging.yml name: config subPath: logging.yml - {{- if and .Values.elasticsearch.ssl.transport.enabled .Values.elasticsearch.ssl.transport.existingCertSecret }} - - mountPath: {{ .Values.elasticsearch.configDirectory }}/transport-crt.pem + {{- if .Values.elasticsearch.ssl.transport.existingCertSecret }} + - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-transport-crt.pem name: transport-certs - subPath: transport-crt.pem - - mountPath: {{ .Values.elasticsearch.configDirectory }}/transport-key.pem + subPath: {{ .Values.elasticsearch.ssl.transport.existingCertSecretCertSubPath }} + - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-transport-key.pem name: transport-certs - subPath: transport-key.pem - - mountPath: {{ .Values.elasticsearch.configDirectory }}/transport-root-ca.pem + subPath: {{ .Values.elasticsearch.ssl.transport.existingCertSecretKeySubPath }} + - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-transport-root-ca.pem name: transport-certs - subPath: transport-root-ca.pem - {{- end }} - {{- if and .Values.elasticsearch.ssl.rest.enabled .Values.elasticsearch.ssl.rest.existingCertSecret }} + subPath: {{ .Values.elasticsearch.ssl.transport.existingCertSecretRootCASubPath }} + {{- end }} + {{- if and .Values.elasticsearch.ssl.rest.enabled .Values.elasticsearch.ssl.rest.existingCertSecret }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-rest-crt.pem name: rest-certs - subPath: elk-rest-crt.pem + subPath: {{ .Values.elasticsearch.ssl.rest.existingCertSecretCertSubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-rest-key.pem name: rest-certs - subPath: elk-rest-key.pem + subPath: {{ .Values.elasticsearch.ssl.rest.existingCertSecretKeySubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/elk-rest-root-ca.pem name: rest-certs - subPath: elk-rest-root-ca.pem + subPath: {{ 
.Values.elasticsearch.ssl.rest.existingCertSecretRootCASubPath }} {{- end }} {{- if and .Values.elasticsearch.ssl.admin.enabled .Values.elasticsearch.ssl.admin.existingCertSecret }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/admin-crt.pem name: admin-certs - subPath: admin-crt.pem + subPath: {{ .Values.elasticsearch.ssl.admin.existingCertSecretCertSubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/admin-key.pem name: admin-certs - subPath: admin-key.pem + subPath: {{ .Values.elasticsearch.ssl.admin.existingCertSecretKeySubPath }} - mountPath: {{ .Values.elasticsearch.configDirectory }}/admin-root-ca.pem name: admin-certs - subPath: admin-root-ca.pem - {{- end }} - {{- if .Values.elasticsearch.securityConfig.enabled }} - {{- if .Values.elasticsearch.securityConfig.actionGroupsSecret }} + subPath: {{ .Values.elasticsearch.ssl.admin.existingCertSecretRootCASubPath }} + {{- end }} + {{- if .Values.elasticsearch.securityConfig.enabled }} + {{- if .Values.elasticsearch.securityConfig.actionGroupsSecret }} - mountPath: {{ .Values.elasticsearch.securityConfig.path }}/action_groups.yml name: action-groups subPath: action_groups.yml - {{- end }} - {{- if .Values.elasticsearch.securityConfig.configSecret }} + {{- end }} + {{- if .Values.elasticsearch.securityConfig.configSecret }} - mountPath: {{ .Values.elasticsearch.securityConfig.path }}/config.yml name: security-config subPath: config.yml - {{- end }} - {{- if .Values.elasticsearch.securityConfig.internalUsersSecret }} + {{- end }} + {{- if .Values.elasticsearch.securityConfig.internalUsersSecret }} - mountPath: {{ .Values.elasticsearch.securityConfig.path }}/internal_users.yml name: internal-users-config subPath: internal_users.yml - {{- end }} - {{- if .Values.elasticsearch.securityConfig.rolesSecret }} + {{- end }} + {{- if .Values.elasticsearch.securityConfig.rolesSecret }} - mountPath: {{ .Values.elasticsearch.securityConfig.path }}/roles.yml name: roles subPath: roles.yml - {{- end }} 
- {{- if .Values.elasticsearch.securityConfig.rolesMappingSecret }} + {{- end }} + {{- if .Values.elasticsearch.securityConfig.rolesMappingSecret }} - mountPath: {{ .Values.elasticsearch.securityConfig.path }}/roles_mapping.yml name: role-mapping subPath: roles_mapping.yml - {{- end }} - {{- if .Values.elasticsearch.securityConfig.tenantsSecret }} + {{- end }} + {{- if .Values.elasticsearch.securityConfig.tenantsSecret }} - mountPath: {{ .Values.elasticsearch.securityConfig.path }}/tenants.yml name: tenants subPath: tenants.yml - {{- end }} - {{- end }} - - mountPath: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml + {{- end }} + {{- if and .Values.elasticsearch.securityConfig.config.securityConfigSecret .Values.elasticsearch.securityConfig.config.data }} + - mountPath: {{ .Values.elasticsearch.securityConfig.path }} name: security-config - subPath: config.yml + {{- end }} + {{- end }} +{{- if .Values.elasticsearch.extraVolumeMounts }} +{{ toYaml .Values.elasticsearch.extraVolumeMounts | indent 8 }} +{{- end }} +{{- if .Values.elasticsearch.master.extraContainers }} +{{ toYaml .Values.elasticsearch.master.extraContainers | indent 6 }} +{{- end }} volumes: - name: config - configMap: - name: {{ template "opendistro-es.fullname" . }}-config - - name: security-config - configMap: - name: {{ template "opendistro-es.fullname" . }}-security-config - {{- if and .Values.elasticsearch.ssl.transport.enabled .Values.elasticsearch.ssl.transport.existingCertSecret }} + secret: + secretName: {{ template "opendistro-es.fullname" . }}-es-config + {{- if .Values.elasticsearch.ssl.transport.existingCertSecret }} - name: transport-certs secret: secretName: {{ .Values.elasticsearch.ssl.transport.existingCertSecret }} 
@@ -234,6 +273,11 @@ spec: secret: secretName: {{ .Values.elasticsearch.ssl.admin.existingCertSecret }} {{- end }} + {{- if and .Values.elasticsearch.securityConfig.config.securityConfigSecret .Values.elasticsearch.securityConfig.config.data }} + - name: security-config + secret: + secretName: {{ .Values.elasticsearch.securityConfig.config.securityConfigSecret }} + {{- end }} {{- if .Values.elasticsearch.securityConfig.actionGroupsSecret }} - name: action-groups secret: @@ -241,8 +285,8 @@ spec: {{- end }} {{- if .Values.elasticsearch.securityConfig.configSecret }} - name: security-config - configMap: - name: {{ .Values.elasticsearch.securityConfig.configSecret }} + secret: + secretName: {{ .Values.elasticsearch.securityConfig.configSecret }} {{- end }} {{- if .Values.elasticsearch.securityConfig.internalUsersSecret }} - name: internal-users-config 
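Review bot: The added `- name: security-config` volume reuses the name of the volume emitted a few lines later under `{{- if .Values.elasticsearch.securityConfig.configSecret }}`, so a release that sets both `configSecret` and `config.securityConfigSecret` renders two volumes with one name and the pod spec fails validation. The values.yaml comment in this commit calls the two options alternatives, but nothing in the template enforces that. Extend the condition to `{{- if and .Values.elasticsearch.securityConfig.config.securityConfigSecret .Values.elasticsearch.securityConfig.config.data (not .Values.elasticsearch.securityConfig.configSecret) }}`, or stop rendering with Helm's `fail` when both are set. The volumeMounts earlier in this file overlap in the same way (a file mount at `.../config.yml` and a directory mount of the whole path, both named `security-config`), and the `volumes:` list starts outside this hunk.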
@@ -264,13 +308,41 @@ spec: secret: secretName: {{ .Values.elasticsearch.securityConfig.tenantsSecret }} {{- end }} + {{- if not .Values.elasticsearch.master.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else }} + {{- if .Values.elasticsearch.master.persistence.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ .Values.elasticsearch.master.persistence.existingClaim }} + {{- end }} + {{- end }} +{{- if .Values.elasticsearch.extraVolumes }} +{{ toYaml .Values.elasticsearch.extraVolumes | indent 6 }} +{{- end }} + {{- if and .Values.elasticsearch.master.persistence.enabled (not .Values.elasticsearch.master.persistence.existingClaim) }} volumeClaimTemplates: - metadata: name: data + annotations: + {{- range $key, $value := .Values.elasticsearch.master.persistence.annotations }} + {{ $key }}: {{ $value }} + {{- end }} spec: - accessModes: [ ReadWriteOnce ] - storageClassName: {{ .Values.elasticsearch.master.storageClassName }} + accessModes: + {{- range .Values.elasticsearch.master.persistence.accessModes }} + - {{ . | quote }} + {{- end }} resources: requests: - storage: {{ .Values.elasticsearch.master.storage }} + storage: {{ .Values.elasticsearch.master.persistence.size | quote }} + {{- if .Values.elasticsearch.master.persistence.storageClass }} + {{- if (eq "-" .Values.elasticsearch.master.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.elasticsearch.master.persistence.storageClass }}" + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/src/opendistro-es/templates/elasticsearch/es-security-config.yaml b/src/opendistro-es/templates/elasticsearch/es-security-config.yaml index 64d02e53..5b97cbe4 100644 --- a/src/opendistro-es/templates/elasticsearch/es-security-config.yaml +++ b/src/opendistro-es/templates/elasticsearch/es-security-config.yaml 
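Review bot: In the new `volumeClaimTemplates` metadata, `{{ $key }}: {{ $value }}` renders annotation values unquoted, so a value such as `true` or a bare number becomes a non-string and the claim template is rejected, because annotation values must be strings. Use `{{ $key }}: {{ $value | quote }}`, as the access modes and the size a few lines below already do. When the map is empty the block renders a bare `annotations:` key; wrapping it in `{{- with .Values.elasticsearch.master.persistence.annotations }}` would avoid that. The StatefulSet spec starts outside this hunk.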
@@ -1,46 +1,14 @@ +{{- if and .Values.elasticsearch.securityConfig.config.securityConfigSecret .Values.elasticsearch.securityConfig.config.data }} apiVersion: v1 -kind: ConfigMap +kind: Secret metadata: - name: {{ template "opendistro-es.fullname" . }}-security-config + name: {{ .Values.elasticsearch.securityConfig.config.securityConfigSecret }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "opendistro-es.labels.standard" . | indent 4 }} +type: Opaque data: - config.yml: | - _meta: - type: "config" - config_version: 2 - - config: - dynamic: - do_not_fail_on_forbidden: true - kibana: - multitenancy_enabled: true - server_username: admin - http: - anonymous_auth_enabled: false - xff: - enabled: true - internalProxies: '.*' # trust all internal proxies, regex pattern - remoteIpHeader: 'x-forwarded-for' - - authc: - basic_internal_auth_domain: - http_enabled: true - transport_enabled: true - order: 0 - http_authenticator: - type: basic - challenge: false - authentication_backend: - type: intern - - proxy_auth_domain: - http_enabled: true - transport_enabled: true - order: 1 - http_authenticator: - type: proxy - challenge: false - config: - user_header: "x-oauth-preferred_username" - roles_header: "x-oauth-realm" - authentication_backend: - type: noop +{{- range $key, $val := .Values.elasticsearch.securityConfig.config.data }} + {{ $key }}: {{ $val | b64enc | quote }} +{{- end }} +{{- end}} diff --git a/src/opendistro-es/templates/elasticsearch/es-service.yaml b/src/opendistro-es/templates/elasticsearch/es-service.yaml old mode 100644 new mode 100755 index 07cd5983..122d0243 --- a/src/opendistro-es/templates/elasticsearch/es-service.yaml +++ b/src/opendistro-es/templates/elasticsearch/es-service.yaml 
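Review bot: Each key of `securityConfig.config.data` in es-security-config.yaml becomes a file name, because the StatefulSet in this commit mounts this Secret on `{{ .Values.elasticsearch.securityConfig.path }}` without a `subPath`, and the mount hides anything the image ships in that directory. A comment above the `range` should say so, for example `# keys must be the exact file names read from securityConfig.path; files not listed here are absent from the mounted directory`. The commented example in values.yaml lists `rolesMapping.yml`, while the per-file mounts in the StatefulSet use `roles_mapping.yml`, so the example looks like it would produce a file that is not read; worth confirming.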
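Review bot: The Service selector in the second es-service.yaml hunk consists only of `role: client` or `role: master`, with no release-scoped label, so two releases of this chart in one namespace would have each client Service routing to both clusters' pods. The same applies to kibana-service.yaml, where this commit replaces the release-specific `app: {{ template "opendistro-es.fullname" . }}-kibana` selector with a bare `role: kibana`. The Kibana Deployment in this commit already pairs the role with `{{ include "opendistro-es.labels.selector" . | indent 6 }}`; adding the same include at `indent 4` under `selector:` in both Services would scope them to the release. This assumes the pods carry those selector labels, which is not visible for the Elasticsearch pods in this diff.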
@@ -1,12 +1,23 @@ +# Copyright 2019 Viasat, Inc. # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: MIT-0 -{{- if .Values.elasticsearch.client.enabled }} ---- -apiVersion: v1 +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off kind: Service +apiVersion: v1 metadata: annotations: -{{- toYaml .Values.elasticsearch.client.service.annotations | indent 4 }} +{{ toYaml .Values.elasticsearch.client.service.annotations | indent 4 }} labels: {{ include "opendistro-es.labels.standard" . | indent 4 }} role: client @@ -20,7 +31,12 @@ spec: port: 9300 - name: metrics port: 9600 + - name: rca + port: 9650 selector: + {{- if .Values.elasticsearch.client.dedicatedPod.enabled }} role: client + {{- else }} + role: master + {{- end }} type: {{ .Values.elasticsearch.client.service.type }} -{{- end }} \ No newline at end of file diff --git a/src/opendistro-es/templates/elasticsearch/master-svc.yaml b/src/opendistro-es/templates/elasticsearch/master-svc.yaml old mode 100644 new mode 100755 index 2aab017b..be806833 --- a/src/opendistro-es/templates/elasticsearch/master-svc.yaml +++ b/src/opendistro-es/templates/elasticsearch/master-svc.yaml 
@@ -1,3 +1,18 @@ +# Copyright 2019 Viasat, Inc. +# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{- if .Values.elasticsearch.master.enabled }} apiVersion: v1 kind: Service @@ -14,4 +29,4 @@ spec: clusterIP: None selector: role: master -{{- end }} \ No newline at end of file +{{- end }} diff --git a/src/opendistro-es/templates/elasticsearch/role.yaml b/src/opendistro-es/templates/elasticsearch/role.yaml old mode 100644 new mode 100755 index fa51a81c..6bc87173 --- a/src/opendistro-es/templates/elasticsearch/role.yaml +++ b/src/opendistro-es/templates/elasticsearch/role.yaml @@ -1,3 +1,17 @@ +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{- if .Values.global.rbac.enabled }} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role diff --git a/src/opendistro-es/templates/elasticsearch/rolebinding.yaml b/src/opendistro-es/templates/elasticsearch/rolebinding.yaml old mode 100644 new mode 100755 index 3b1faa0c..385699dd 
--- a/src/opendistro-es/templates/elasticsearch/rolebinding.yaml +++ b/src/opendistro-es/templates/elasticsearch/rolebinding.yaml @@ -1,4 +1,18 @@ -{{- if .Values.global.rbac.enabled -}} +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off +{{- if .Values.global.rbac.enabled }} kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: diff --git a/src/opendistro-es/templates/kibana/kibana-deployment.yaml b/src/opendistro-es/templates/kibana/kibana-deployment.yaml index d9ba1a59..269e4dc0 100644 --- a/src/opendistro-es/templates/kibana/kibana-deployment.yaml +++ b/src/opendistro-es/templates/kibana/kibana-deployment.yaml 
@@ -1,40 +1,60 @@ +# Copyright 2019 Viasat, Inc. +# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{- if .Values.kibana.enabled }} apiVersion: apps/v1 kind: Deployment metadata: labels: {{ include "opendistro-es.labels.standard" . | indent 4 }} + role: kibana name: {{ template "opendistro-es.fullname" . }}-kibana spec: replicas: {{ .Values.kibana.replicas }} selector: matchLabels: -{{ include "opendistro-es.labels.standard" . | indent 8 }} +{{ include "opendistro-es.labels.selector" . | indent 6 }} + role: kibana template: metadata: labels: {{ include "opendistro-es.labels.standard" . | indent 8 }} - app: {{ template "opendistro-es.fullname" . }}-kibana + role: kibana annotations: {{/* This forces a restart if the secret config has changed */}} {{- if .Values.kibana.config }} - checksum/config: {{ include (print .Template.BasePath "/kibana/kibana-config.yaml") . | sha256sum | trunc 63 }} + checksum/config: {{ include (print .Template.BasePath "/kibana/kibana-config-secret.yaml") . | sha256sum | trunc 63 }} {{- end }} +{{- if .Values.kibana.podAnnotations }} +{{ toYaml .Values.kibana.podAnnotations | indent 8 }} +{{- end }} spec: - securityContext: - {{ toYaml .Values.kibana.podSecurityContext | indent 8 }} {{- include "opendistro-es.imagePullSecrets" . 
| indent 6 }} +{{- if .Values.kibana.extraInitContainers }} + initContainers: +{{ toYaml .Values.kibana.extraInitContainers | indent 8 }} +{{- end }} containers: - env: - name: CLUSTER_NAME value: {{ .Values.global.clusterName }} # If no custom configuration provided, default to internal DNS + {{- if not .Values.kibana.config }} - name: ELASTICSEARCH_HOSTS - value: http://{{ template "opendistro-es.fullname" . }}-client-service:9200 - - name: ELASTICSEARCH_USERNAME - value: admin - - name: ELASTICSEARCH_PASSWORD - value: admin + value: https://{{ template "opendistro-es.fullname" . }}-client-service:9200 + {{- end }} {{- if .Values.kibana.elasticsearchAccount.secret }} - name: ELASTICSEARCH_USERNAME valueFrom: @@ -63,19 +83,22 @@ spec: {{- if .Values.kibana.extraEnvs }} {{ toYaml .Values.kibana.extraEnvs | indent 8 }} {{- end }} - image: {{ .Values.kibana.image }}:{{ .Values.kibana.imageTag }} + image: {{ .Values.global.registry }}/{{ .Values.kibana.image }}:{{ .Values.kibana.imageTag }} + imagePullPolicy: {{ .Values.kibana.imagePullPolicy | default "Always" | quote }} {{- with .Values.kibana.readinessProbe}} readinessProbe: {{ toYaml . | indent 10 }} {{- end }} {{- with .Values.kibana.livenessProbe}} livenessProbe: +{{ toYaml . | indent 10 }} + {{- end }} + {{- with .Values.kibana.startupProbe}} + startupProbe: {{ toYaml . | indent 10 }} {{- end }} resources: {{ toYaml .Values.kibana.resources | indent 12 }} - securityContext: -{{ toYaml .Values.kibana.securityContext | indent 10 }} name: {{ template "opendistro-es.fullname" . }}-kibana volumeMounts: {{- if .Values.kibana.config }} 
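Review bot: The rendered Kibana pod no longer gets any `securityContext`: this hunk drops the pod-level block fed by `.Values.kibana.podSecurityContext`, the `@@ -63,19 +83,22 @@` hunk drops the container-level one, and values.yaml removes the defaults (`runAsNonRoot: true`, `runAsUser: 1000`, `capabilities.drop: [ALL]`, `fsGroup: 1000`). Kibana then runs with whatever user and capabilities the image and cluster policy allow, and operators have no values key left to tighten it. Keeping both blocks behind a guard, e.g. `{{- with .Values.kibana.securityContext }}` then `securityContext:` and `{{ toYaml . | indent 10 }}`, would keep the hardening available without forcing it. The reason for the removal is not stated in the visible part of the commit.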
@@ -86,39 +109,39 @@ spec: {{- if and .Values.kibana.ssl.kibana.enabled .Values.kibana.ssl.kibana.existingCertSecret }} - mountPath: {{ .Values.kibana.certsDirectory }}/kibana-crt.pem name: kibana-certs - subPath: kibana-crt.pem + subPath: {{ .Values.kibana.ssl.kibana.existingCertSecretCertSubPath }} - mountPath: {{ .Values.kibana.certsDirectory }}/kibana-key.pem name: kibana-certs - subPath: kibana-key.pem + subPath: {{ .Values.kibana.ssl.kibana.existingCertSecretKeySubPath }} - mountPath: {{ .Values.kibana.certsDirectory }}/kibana-root-ca.pem name: kibana-certs - subPath: kibana-root-ca.pem + subPath: {{ .Values.kibana.ssl.kibana.existingCertSecretRootCASubPath }} {{- end }} {{- if and .Values.kibana.ssl.elasticsearch.enabled .Values.kibana.ssl.elasticsearch.existingCertSecret }} - mountPath: {{ .Values.kibana.certsDirectory }}/elk-rest-crt.pem name: elasticsearch-certs - subPath: elk-rest-crt.pem + subPath: {{ .Values.kibana.ssl.elasticsearch.existingCertSecretCertSubPath }} - mountPath: {{ .Values.kibana.certsDirectory }}/elk-rest-key.pem name: elasticsearch-certs - subPath: elk-rest-key.pem + subPath: {{ .Values.kibana.ssl.elasticsearch.existingCertSecretKeySubPath }} - mountPath: {{ .Values.kibana.certsDirectory }}/elk-rest-root-ca.pem name: elasticsearch-certs - subPath: elk-rest-root-ca.pem + subPath: {{ .Values.kibana.ssl.elasticsearch.existingCertSecretRootCASubPath }} {{- end }} - - mountPath: /usr/share/kibana/plugins/opendistro_security/securityconfig/config.yml - name: security-config - subPath: config.yml +{{- if .Values.kibana.extraVolumeMounts }} +{{ toYaml .Values.kibana.extraVolumeMounts | indent 10 }} +{{- end }} ports: - containerPort: {{ .Values.kibana.port }} +{{- if .Values.kibana.extraContainers }} +{{ toYaml .Values.kibana.extraContainers | indent 6 }} +{{- end }} serviceAccountName: {{ template "opendistro-es.kibana.serviceAccountName" . }} volumes: - - name: security-config - configMap: - name: {{ template "opendistro-es.fullname" . 
}}-security-config {{- if .Values.kibana.config }} - name: config - configMap: - name: {{ template "opendistro-es.fullname" . }}-kibana-config + secret: + secretName: {{ template "opendistro-es.fullname" . }}-kibana-config {{- end }} {{- if and .Values.kibana.ssl.kibana.enabled .Values.kibana.ssl.kibana.existingCertSecret }} - name: kibana-certs @@ -130,8 +153,15 @@ spec: secret: secretName: {{ .Values.kibana.ssl.elasticsearch.existingCertSecret }} {{- end }} +{{- if .Values.kibana.extraVolumes }} +{{ toYaml .Values.kibana.extraVolumes | indent 8 }} +{{- end }} {{- with .Values.kibana.nodeSelector }} nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.elasticsearch.client.affinity }} + affinity: {{ toYaml . | indent 8 }} {{- end }} {{- with .Values.kibana.tolerations }} diff --git a/src/opendistro-es/templates/kibana/kibana-ingress.yml b/src/opendistro-es/templates/kibana/kibana-ingress.yml old mode 100644 new mode 100755 index 82643721..3817b0cc --- a/src/opendistro-es/templates/kibana/kibana-ingress.yml +++ b/src/opendistro-es/templates/kibana/kibana-ingress.yml 
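Review bot: The new `affinity:` block in the last kibana-deployment.yaml hunk reads `.Values.elasticsearch.client.affinity`, while values.yaml in this commit appears to add an `affinity: {}` key under `kibana:`; as written the Kibana key is never read and the Kibana pods take the Elasticsearch client's scheduling rules. The neighbouring `nodeSelector` and `tolerations` blocks both read from `.Values.kibana.*`. Change the line to `{{- with .Values.kibana.affinity }}`. The pod spec starts outside this hunk.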
@@ -1,31 +1,43 @@ +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{- if and .Values.kibana.ingress.enabled .Values.kibana.enabled }} -{{- $serviceName:= printf "%s-%s" (include "opendistro-es.fullname" .) "kibana-svc" }} -{{- $servicePort := .Values.kibana.externalPort -}} +{{- $serviceName := printf "%s-%s" (include "opendistro-es.fullname" .) "kibana-svc" }} +{{- $servicePort := .Values.kibana.externalPort }} +{{- $ingressPath := .Values.kibana.ingress.path }} apiVersion: extensions/v1beta1 kind: Ingress metadata: + name: {{ template "opendistro-es.fullname" . }}-kibana-ing labels: -{{ include "opendistro-es.labels.standard" . | indent 4 }} - name: {{ template "opendistro-es.fullname" . }}-kibana + {{- include "opendistro-es.labels.standard" . | nindent 4 }} + {{- with .Values.kibana.ingress.annotations }} annotations: - {{- range $key, $value := .Values.kibana.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: rules: {{- range .Values.kibana.ingress.hosts }} - {{- $url := splitList "/" . }} - - host: {{ first $url }} + - host: {{ . 
| quote }} http: paths: - - path: /{{ rest $url | join "/" }} + - path: {{ $ingressPath }} backend: serviceName: {{ $serviceName }} servicePort: {{ $servicePort }} - {{- end -}} + {{- end }} {{- if .Values.kibana.ingress.tls }} - tls: -{{ toYaml .Values.kibana.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} - + tls: {{ toYaml .Values.kibana.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/src/opendistro-es/templates/kibana/kibana-service.yaml b/src/opendistro-es/templates/kibana/kibana-service.yaml old mode 100644 new mode 100755 index c07cc786..98295823 --- a/src/opendistro-es/templates/kibana/kibana-service.yaml +++ b/src/opendistro-es/templates/kibana/kibana-service.yaml @@ -1,11 +1,27 @@ +# Copyright 2019 Viasat, Inc. +# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{- if .Values.kibana.enabled }} apiVersion: v1 kind: Service metadata: annotations: -{{- toYaml .Values.kibana.service.annotations | indent 4 }} +{{ toYaml .Values.kibana.service.annotations | indent 4 }} labels: {{ include "opendistro-es.labels.standard" . | indent 4 }} + role: kibana name: {{ template "opendistro-es.fullname" . }}-kibana-svc spec: ports: @@ -13,6 +29,6 @@ spec: port: {{ .Values.kibana.externalPort }} targetPort: {{ .Values.kibana.port }} selector: - app: {{ template "opendistro-es.fullname" . }}-kibana + role: kibana type: {{ .Values.kibana.service.type }} {{- end }} 
diff --git a/src/opendistro-es/templates/kibana/kibana-serviceaccount.yaml b/src/opendistro-es/templates/kibana/kibana-serviceaccount.yaml old mode 100644 new mode 100755 index 507fab65..1be04b0a --- a/src/opendistro-es/templates/kibana/kibana-serviceaccount.yaml +++ b/src/opendistro-es/templates/kibana/kibana-serviceaccount.yaml @@ -1,3 +1,17 @@ +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{ if and .Values.kibana.serviceAccount.create .Values.kibana.enabled }} apiVersion: v1 kind: ServiceAccount diff --git a/src/opendistro-es/templates/kibana/role.yaml b/src/opendistro-es/templates/kibana/role.yaml old mode 100644 new mode 100755 index 758cfcca..a7e7bf99 --- a/src/opendistro-es/templates/kibana/role.yaml +++ b/src/opendistro-es/templates/kibana/role.yaml @@ -1,3 +1,17 @@ +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{- if and .Values.global.rbac.enabled .Values.kibana.enabled }} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role 
diff --git a/src/opendistro-es/templates/kibana/rolebinding.yaml b/src/opendistro-es/templates/kibana/rolebinding.yaml old mode 100644 new mode 100755 index 181c9f12..7f3608c5 --- a/src/opendistro-es/templates/kibana/rolebinding.yaml +++ b/src/opendistro-es/templates/kibana/rolebinding.yaml @@ -1,4 +1,18 @@ -{{- if and .Values.global.rbac.enabled .Values.kibana.enabled -}} +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off +{{- if and .Values.global.rbac.enabled .Values.kibana.enabled }} kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: diff --git a/src/opendistro-es/templates/psp.yml b/src/opendistro-es/templates/psp.yml old mode 100644 new mode 100755 index e50fd56b..891c3884 --- a/src/opendistro-es/templates/psp.yml +++ b/src/opendistro-es/templates/psp.yml 
@@ -1,5 +1,19 @@ +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +# @formatter:off {{- if .Values.global.psp.create }} -apiVersion: extensions/v1beta1 +apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: labels: @@ -33,4 +47,6 @@ spec: - min: 1 max: 65535 readOnlyRootFilesystem: false + allowedCapabilities: + - 'SYS_CHROOT' {{- end }} diff --git a/src/opendistro-es/values.yaml b/src/opendistro-es/values.yaml index a32d722f..b9f1c9cc 100644 --- a/src/opendistro-es/values.yaml +++ b/src/opendistro-es/values.yaml 
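Review bot: The `allowedCapabilities: - 'SYS_CHROOT'` added at the end of the policy spec widens what every pod admitted under this PodSecurityPolicy may request, and values.yaml in the same commit flips `global.psp.create` to `true`, so the wider policy is created by default. Nothing in the hunk says which container needs the capability. Add a comment such as `# SYS_CHROOT: needed by <component> (placeholder: name the container and the reason)` and, unless the part of the spec outside this hunk already does so, pair it with a `requiredDropCapabilities` list for everything else. The policy spec starts outside this hunk.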
@@ -1,19 +1,36 @@ +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + kibana: enabled: true image: amazon/opendistro-for-elasticsearch-kibana - imageTag: 1.8.0 - replicas: 3 + imageTag: 1.11.0 + ## Specifies the image pull policy. Can be "Always" or "IfNotPresent" or "Never". + ## Default to "Always". + imagePullPolicy: "" + replicas: 1 port: 5601 - externalPort: 5601 - resources: - limits: - cpu: 2500m - memory: 2Gi - requests: - cpu: 500m - memory: 512Mi + externalPort: 443 + resources: {} + # limits: + # cpu: 2500m + # memory: 2Gi + # requests: + # cpu: 500m + # memory: 512Mi readinessProbe: [] livenessProbe: [] + startupProbe: [] elasticsearchAccount: secret: "" 
@@ -22,46 +39,71 @@ kibana: extraEnvs: [] + extraVolumes: [] + # - name: extras + # emptyDir: {} + + extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + + extraInitContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + + extraContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + ssl: kibana: enabled: false existingCertSecret: + existingCertSecretCertSubPath: kibana-crt.pem + existingCertSecretKeySubPath: kibana-key.pem + existingCertSecretRootCASubPath: kibana-root-ca.pem elasticsearch: - enabled: true - existingCertSecret: elasticsearch-certificates - ingress: - enabled: false + enabled: false + existingCertSecret: + existingCertSecretCertSubPath: elk-rest-crt.pem + existingCertSecretKeySubPath: elk-rest-key.pem + existingCertSecretRootCASubPath: elk-rest-root-ca.pem + + configDirectory: "/usr/share/kibana/config" certsDirectory: "/usr/share/kibana/certs" + ingress: + ## Set to true to enable ingress record generation + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + service: type: ClusterIP annotations: {} - config: - # Default Kibana configuration from kibana-docker. - server.basePath: "/kibana-app" - server.rewriteBasePath: true - elasticsearch.preserveHost: false - opendistro_security.auth.type: "proxy" - opendistro_security.multitenancy.enabled: true - elasticsearch.requestHeadersWhitelist: - - securitytenant - - Authorization - - x-forwarded-for - - x-forwarded-by - - x-oauth-preferred_username - - x-oauth-realm - opendistro_security.multitenancy.tenants.enable_private: false - opendistro_security.multitenancy.tenants.enable_global: false + config: {} + ## Default Kibana configuration from kibana-docker. 
+ # server.name: kibana + # server.host: "0" ## Replace with Elasticsearch DNS name picked during Service deployment - elasticsearch.hosts: ["http://opendistro-es-client-service:9200"] - elasticsearch.requestTimeout: 360000 - elasticsearch.username: admin - elasticsearch.password: admin - server.host: "0.0.0.0" + # elasticsearch.hosts: ${ELASTIC_URL} + # elasticsearch.requestTimeout: 360000 ## Kibana TLS Config # server.ssl.enabled: true @@ -70,7 +112,7 @@ kibana: # elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/certs/kibana-root-ca.pem # opendistro_security.cookie.secure: true - # opendistro_security.cookie.password: ${COOKIE_PASS} + # opendistro_security.cookie.password: ${COOKIE_PASS} @@ -84,33 +126,30 @@ kibana: ## tolerations: [] - podSecurityContext: - fsGroup: 1000 - - securityContext: - capabilities: - drop: - - ALL - # readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 + affinity: {} serviceAccount: - # Specifies whether a ServiceAccount should be created + ## Specifies whether a ServiceAccount should be created create: true - # The name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template name: + podAnnotations: {} + global: clusterName: elasticsearch psp: - create: false + create: true rbac: enabled: true + + # Optionally override the docker registry to use for images + registry: docker.io + ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. # imagePullSecrets: 
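Review bot: The new defaults in the `@@ -22,46 +39,71 @@` hunk set `ssl.elasticsearch.enabled: false` with an empty `existingCertSecret:`, while kibana-deployment.yaml in this commit points the default `ELASTICSEARCH_HOSTS` at `https://…-client-service:9200`; with no CA mounted, the diff does not show how Kibana is expected to verify that certificate. A comment next to these keys should state what an operator must supply for a verified connection, for example `## Required for verified TLS to Elasticsearch: set enabled: true and existingCertSecret to a secret holding the three sub-paths below`. The bare `existingCertSecret:` keys parse as null; writing `existingCertSecret: ""` makes the intended empty string explicit.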
@@ -130,136 +169,336 @@ elasticsearch: rolesSecret: rolesMappingSecret: tenantsSecret: + #The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants + #Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used + config: + securityConfigSecret: + data: {} + # config.yml: |- + # internal_users.yml: |- + # roles.yml: |- + # rolesMapping.yml: |- + # tenants.yml: |- extraEnvs: [] + extraInitContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + + extraVolumes: [] + # - name: extras + # emptyDir: {} + + extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + initContainer: image: busybox imageTag: 1.27.2 + ## Set optimal sysctl's. This requires privilege. Can be disabled if + ## the system has already been preconfigured. 
+ sysctl: + enabled: true + ssl: + ## TLS is mandatory for the transport layer and can not be disabled transport: - enabled: true - existingCertSecret: elasticsearch-certificates + existingCertSecret: + existingCertSecretCertSubPath: elk-transport-crt.pem + existingCertSecretKeySubPath: elk-transport-key.pem + existingCertSecretRootCASubPath: elk-transport-root-ca.pem rest: - enabled: true - existingCertSecret: elasticsearch-certificates + enabled: false + existingCertSecret: + existingCertSecretCertSubPath: elk-rest-crt.pem + existingCertSecretKeySubPath: elk-rest-key.pem + existingCertSecretRootCASubPath: elk-rest-root-ca.pem admin: - enabled: true - existingCertSecret: elasticsearch-certificates + enabled: false + existingCertSecret: + existingCertSecretCertSubPath: admin-crt.pem + existingCertSecretKeySubPath: admin-key.pem + existingCertSecretRootCASubPath: admin-root-ca.pem master: enabled: true - replicas: 3 + replicas: 1 updateStrategy: "RollingUpdate" - nodeAffinity: {} - storageClassName: standard - storage: 50Gi - resources: - limits: - cpu: 1 - memory: 1024Mi - requests: - cpu: 200m - memory: 1024Mi + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## + # existingClaim: + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + + ## Open Distro master Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + + resources: {} + # limits: + # cpu: 1 + # memory: 1024Mi + # requests: + # cpu: 200m + # memory: 1024Mi javaOpts: "-Xms512m -Xmx512m" podDisruptionBudget: enabled: false minAvailable: 1 - tolerations: [] readinessProbe: [] livenessProbe: tcpSocket: port: transport initialDelaySeconds: 60 periodSeconds: 10 + startupProbe: [] nodeSelector: {} + tolerations: [] + ## Anti-affinity to disallow deploying client and master nodes on the same worker node + affinity: {} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - topologyKey: "kubernetes.io/hostname" + # labelSelector: + # matchLabels: + # role: master + podAnnotations: {} + + extraInitContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + + extraContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] data: enabled: true - replicas: 3 + ## Enables dedicated statefulset for data. Otherwise master nodes as data storage + dedicatedPod: + enabled: true + replicas: 1 updateStrategy: "RollingUpdate" - nodeAffinity: {} - storageClassName: standard - storage: 100Gi - resources: - limits: - cpu: 1 - memory: 1024Mi - requests: - cpu: 200m - memory: 1024Mi + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## + # existingClaim: + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. 
+ ## + subPath: "" + + ## Open Distro master Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + + resources: {} + # limits: + # cpu: 1 + # memory: 1024Mi + # requests: + # cpu: 200m + # memory: 1024Mi javaOpts: "-Xms512m -Xmx512m" podDisruptionBudget: enabled: false minAvailable: 1 - tolerations: [] readinessProbe: [] livenessProbe: tcpSocket: port: transport initialDelaySeconds: 60 periodSeconds: 10 + startupProbe: [] nodeSelector: {} + tolerations: [] + ## Anti-affinity to disallow deploying client and master nodes on the same worker node + affinity: {} + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 1 + # podAffinityTerm: + # topologyKey: "kubernetes.io/hostname" + # labelSelector: + # matchLabels: + # role: data + podAnnotations: {} client: enabled: true + ## Enables dedicated deployment for client/ingest. 
Otherwise master nodes as client/ingest + dedicatedPod: + enabled: true service: type: ClusterIP annotations: {} - replicas: 2 + # # Defined ELB backend protocol as HTTPS to allow connection to Elasticsearch API + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https + + # # ARN of ACM certificate registered to the deployed ELB for handling connections over TLS + # # ACM certificate should be issued to the DNS hostname defined earlier (elk.sec.example.com) + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:111222333444:certificate/c69f6022-b24f-43d9-b9c8-dfe288d9443d" + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + + # service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "true" + # service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout: "60" + # service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + + # # Annotation to create internal only ELB + # service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + replicas: 1 javaOpts: "-Xms512m -Xmx512m" - nodeAffinity: {} ingress: + ## Set to true to enable ingress record generation enabled: false - limits: - cpu: 1 - memory: 1024Mi - requests: - cpu: 200m - memory: 1024Mi + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + resources: {} + # limits: + # cpu: 1 + # memory: 1024Mi + # requests: + # cpu: 200m + # memory: 1024Mi podDisruptionBudget: enabled: false minAvailable: 1 - tolerations: [] readinessProbe: [] livenessProbe: tcpSocket: port: transport initialDelaySeconds: 60 periodSeconds: 10 + startupProbe: [] nodeSelector: {} + tolerations: [] + ## Weighted anti-affinity to disallow deploying client node to the same worker node as master node + affinity: {} + # podAntiAffinity: + # 
preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 1 + # podAffinityTerm: + # topologyKey: "kubernetes.io/hostname" + # labelSelector: + # matchLabels: + # role: client + podAnnotations: {} + + config: {} + ## Example Config + # opendistro_security.allow_unsafe_democertificates: false + # opendistro_security.allow_default_init_securityindex: true + # opendistro_security.audit.type: internal_elasticsearch + # opendistro_security.enable_snapshot_restore_privilege: true + # opendistro_security.check_snapshot_restore_write_privileges: true + # cluster.routing.allocation.disk.threshold_enabled: false + # opendistro_security.audit.config.disabled_rest_categories: NONE + # opendistro_security.audit.config.disabled_transport_categories: NONE + # cluster: + # name: ${CLUSTER_NAME} + # node: + # master: ${NODE_MASTER} + # data: ${NODE_DATA} + # name: ${NODE_NAME} + # ingest: ${NODE_INGEST} + # max_local_storage_nodes: 1 + # attr.box_type: hot + + # processors: ${PROCESSORS:1} + + # network.host: ${NETWORK_HOST} + + # thread_pool.bulk.queue_size: 800 + + # path: + # data: /usr/share/elasticsearch/data + # logs: /usr/share/elasticsearch/logs + + # http: + # enabled: ${HTTP_ENABLE} + # compression: true + + # discovery: + # zen: + # ping.unicast.hosts: ${DISCOVERY_SERVICE} + # minimum_master_nodes: ${NUMBER_OF_MASTERS} + + # # TLS Configuration Transport Layer + # opendistro_security.ssl.transport.pemcert_filepath: elk-transport-crt.pem + # opendistro_security.ssl.transport.pemkey_filepath: elk-transport-key.pem + # opendistro_security.ssl.transport.pemtrustedcas_filepath: elk-transport-root-ca.pem + # opendistro_security.ssl.transport.enforce_hostname_verification: false + + # # TLS Configuration REST Layer + # opendistro_security.ssl.http.enabled: true + # opendistro_security.ssl.http.pemcert_filepath: elk-rest-crt.pem + # opendistro_security.ssl.http.pemkey_filepath: elk-rest-key.pem + # opendistro_security.ssl.http.pemtrustedcas_filepath: elk-rest-root-ca.pem - 
- config: - opendistro_security.allow_unsafe_democertificates: false - - # TLS Configuration Transport Layer - opendistro_security.ssl.transport.pemcert_filepath: transport-crt.pem - opendistro_security.ssl.transport.pemkey_filepath: transport-key.pem - opendistro_security.ssl.transport.pemtrustedcas_filepath: transport-root-ca.pem - opendistro_security.ssl.transport.enforce_hostname_verification: false - opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] - - # TLS Configuration REST Layer - opendistro_security.ssl.http.pemcert_filepath: elk-rest-crt.pem - opendistro_security.ssl.http.pemkey_filepath: elk-rest-key.pem - opendistro_security.ssl.http.pemtrustedcas_filepath: elk-rest-root-ca.pem - - opendistro_security.nodes_dn: 'CN=opendistro-es-*,OU=eha,O=eha,L=Berlin,ST=Berlin,C=DE' - opendistro_security.authcz.admin_dn: - - 'CN=admin,OU=eha,O=eha,L=Berlin,ST=Berlin,C=DE' log4jConfig: "" loggingConfig: ## Default config - # you can override this using by setting a system property, for example -Des.logger.level=DEBUG - es.logger.level: DEBUG + ## you can override this using by setting a system property, for example -Des.logger.level=DEBUG + es.logger.level: INFO rootLogger: ${es.logger.level}, console logger: - # log action execution errors for easier debugging + ## log action execution errors for easier debugging action: DEBUG - # reduce the logging for aws, too much is logged under the default INFO + ## reduce the logging for aws, too much is logged under the default INFO com.amazonaws: WARN appender: console: 
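Review bot: The elasticsearch defaults in the `@@ -130,136 +169,336 @@ elasticsearch:` hunk now ship with `ssl.rest.enabled: false`, `ssl.admin.enabled: false`, an empty `existingCertSecret` for every layer and `config: {}`, so the previously active `opendistro_security.allow_unsafe_democertificates: false` line and the `nodes_dn`/`admin_dn` pins are gone. The new comment says transport TLS is mandatory, yet with no secret configured the only certificates available are presumably the demo ones bundled in the image, which are not private to this deployment. I would keep one uncommented entry under `config:`, `opendistro_security.allow_unsafe_democertificates: false`, and state in a comment that `ssl.transport.existingCertSecret` must be set. How `config` is merged with the image's own elasticsearch.yml is not visible here, so confirm that a partial map behaves as intended. The same hunk sets `sysctl.enabled: true`, which its own comment says requires privilege, so the rendered init container and PSP are worth reviewing together.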
@@ -279,17 +518,20 @@ elasticsearch: maxMapCount: 262144 image: amazon/opendistro-for-elasticsearch - imageTag: 1.8.0 + imageTag: 1.11.0 + ## Specifies the image pull policy. Can be "Always" or "IfNotPresent" or "Never". + ## Default to "Always". + imagePullPolicy: "" configDirectory: /usr/share/elasticsearch/config serviceAccount: - # Specifies whether a ServiceAccount should be created + ## Specifies whether a ServiceAccount should be created create: true - # The name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template name: nameOverride: "" -fullnameOverride: "" +fullnameOverride: "" \ No newline at end of file