eck-resources chart (#1)

* eck-resources chart

Signed-off-by: Igor Valente Blackman <[email protected]>

* Update README.md

Co-authored-by: Ben Langfeld <[email protected]>

* re organize repo struct so helm-git works

Signed-off-by: Igor Valente Blackman <[email protected]>

* OIDC

* Improve the beats template

Signed-off-by: Igor Valente Blackman <[email protected]>

* Adds service template

Signed-off-by: Igor Valente Blackman <[email protected]>

* Update values file with more comments

Signed-off-by: Igor Valente Blackman <[email protected]>

* Update chart home url

Signed-off-by: Igor Valente Blackman <[email protected]>

* Add beats

Signed-off-by: Igor Valente Blackman <[email protected]>

* Update readme to reflect the repo objective

Signed-off-by: Igor Valente Blackman <[email protected]>

* Move license to the right folder

Signed-off-by: Igor Valente Blackman <[email protected]>

* Update charts/eck-resources/README.md

Co-authored-by: David Taylor <[email protected]>

* Update charts/eck-resources/README.md

Co-authored-by: David Taylor <[email protected]>

* Update charts/eck-resources/examples/production.yaml

Co-authored-by: David Taylor <[email protected]>

* Update charts/eck-resources/examples/production.yaml

Co-authored-by: David Taylor <[email protected]>

* Add portal files

Signed-off-by: Igor Valente Blackman <[email protected]>

* add reference to prometheus chart

Signed-off-by: Igor Valente Blackman <[email protected]>

Co-authored-by: Ben Langfeld <[email protected]>
Co-authored-by: David Taylor <[email protected]>

README.md

@@ -1,2 +1,2 @@
-# eck-resources-chart
-Helm chart for easily templating ECK resources for deploying Elasticsearch, Kibana etc with reduced duplication.
+# PHRG helm-charts
+Helm charts created by Power Home Remodling Group.

charts/eck-resources/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+description: After ECK is deployed to you cluster this chart creates Elasticsearch and kibana resources.
+home: https://github.com/powerhome/eck-resources-chart/charts/eck-resources
+maintainers:
+- email: [email protected]
+  name: Power HRG
+name: eck-resources
+version: 0.0.1
+appVersion: 7.16.3
+sources:
+  - https://github.com/powerhome/eck-resources-chart/charts/eck-resources

charts/eck-resources/README.md

@@ -0,0 +1,24 @@
+# eck-resources-chart
+Helm chart for easily templating ECK resources for deploying Elasticsearch, Kibana etc with reduced duplication.
+
+It allows the user to create some of the custom resources managed by ECK in a simpler way by taking advantage of Helm templating.
+
+For now the chart can create the following resources:
+* Elasticsearch
+* Kibana
+* Ingress (for kibana)
+* Beats
+
+## Depencies
+This charts expects that the [ECK](https://github.com/elastic/cloud-on-k8s) is already installed and configured in the Kube cluster.
+
+## Configuration
+Each variable has a comment to what is can be used for in the [values.yaml](./values.yaml).
+
+Besides that there are some example files in [examples/](./examples/).
+
+## Configure OIDC
+This chart allows you to configure login using OIDC. Note that this feature isn't available in the basic license.
+
+## References
+We used some of the best practices for helm charts used in  https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack/

charts/eck-resources/examples/oidc.yaml

@@ -0,0 +1,87 @@
+fullnameOverride: eck
+
+elasticsearch:
+  enabled: true
+  credentials:
+    enabled: true
+  version: 7.16.3
+  secretConfig:
+    xpack.security.authc.realms.oidc.dex.rp.client_secret: client_secret
+  config:
+    node.store.allow_mmap: false
+    ingest.geoip.downloader.enabled: false
+    xpack.security.http.ssl.enabled: true
+    xpack.security.authc:
+      token.enabled: true
+      realms.oidc:
+        dex:
+          order: 0
+          op:
+            issuer: "https://dex.example.com/"
+            authorization_endpoint: "https://dex.example.com/auth"
+            token_endpoint: "https://dex.example.com/token"
+            jwkset_path: "https://dex.example.com/keys"
+            userinfo_endpoint: "https://dex.example.com/userinfo"
+          rp:
+            client_id: "infra-eck"
+            response_type: code
+            redirect_uri: "https://kibana.example.com/api/security/oidc/callback"
+            post_logout_redirect_uri: "https://kibana.example.com/security/logged_out"
+            signature_algorithm: RS256
+            requested_scopes:
+            - groups
+            - openid
+            - profile
+            - email
+          claims:
+            principal: name
+            groups: groups
+            mail: email
+  nodeSets:
+  - name: default
+    count: 1
+    config:
+      node:
+        roles: [master, data, ingest]
+    resources:
+      requests:
+        cpu: "2"
+        ephemeral-storage: 100Mi
+        memory: "4Gi"
+      limits:
+        cpu: "4"
+        ephemeral-storage: 100Mi
+        memory: "4Gi"
+    env:
+    - name: ES_JAVA_OPTS
+      value: "-Xmx2g -Xms2g -XX:MaxRAM=3072m"
+kibana:
+  enabled: true
+  version: 7.16.3
+  count: 1
+  config:
+    server.publicBaseUrl: https://kibana.example.com
+    xpack.security.authc.providers:
+      oidc.dex:
+        order: 0
+        realm: "dex"
+      basic.basic1:
+        order: 1
+  http:
+    tls:
+      certificate:
+        secretName: kibana-server-tls #same as ingress secret name
+  ingress:
+    enabled: true
+    port: 5601
+    annotations:
+      cert-manager.io/cluster-issuer: production-certs
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    hosts:
+    - kibana.example.com
+    tls:
+    - secretName: kibana-server-tls
+      hosts:
+      - kibana.example.com
+    routePrefix: /

charts/eck-resources/examples/production.yaml

@@ -0,0 +1,107 @@
+fullnameOverride: eck
+
+elasticsearch:
+  enabled: true
+  credentials:
+    enabled: true
+  version: 7.16.3
+  secretConfig:
+    xpack.security.authc.realms.oidc.dex.rp.client_secret: test
+  config:
+    node.store.allow_mmap: false
+    ingest.geoip.downloader.enabled: false
+    xpack.security.http.ssl.enabled: true
+  nodeSets:
+  - name: data
+    count: 3
+    config:
+      node:
+        roles: [data, ingest]
+    resources:
+      requests:
+        cpu: "2"
+        ephemeral-storage: 100Mi
+        memory: "4Gi"
+      limits:
+        cpu: "4"
+        ephemeral-storage: 100Mi
+        memory: "4Gi"
+    env:
+    - name: ES_JAVA_OPTS
+      value: "-Xmx2g -Xms2g -XX:MaxRAM=3072m"
+    volumeClaimTemplates:
+    - metadata:
+        name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 200Gi
+        storageClassName: "production-performance"
+  - name: master
+    count: 3
+    config:
+      node:
+        roles: [master]
+    resources:
+      requests:
+        cpu: 2
+        ephemeral-storage: 100Mi
+        memory: 2Gi
+      limits:
+        cpu: 2
+        ephemeral-storage: 100Mi
+        memory: 2Gi
+    env:
+    - name: ES_JAVA_OPTS
+      value: "-Xmx1g -Xms1g -XX:MaxRAM=1536m"
+    volumeClaimTemplates:
+    - metadata:
+        name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 2Gi
+        storageClassName: "production-performance"
+kibana:
+  enabled: true
+  version: 7.16.3
+  count: 1
+  config:
+    server.publicBaseUrl: https://kibana.example.com
+    xpack.security.authc.providers:
+      oidc.dex:
+        order: 0
+        realm: "dex"
+      basic.basic1:
+        order: 1
+  http:
+    tls:
+      certificate:
+        secretName: kibana-server-tls #same as ingress secret name
+  resources:
+    requests:
+      cpu: "1"
+      ephemeral-storage: 100Mi
+      memory: "1Gi"
+    limits:
+      cpu: "1"
+      ephemeral-storage: 100Mi
+      memory: "1Gi"
+  ingress:
+    enabled: true
+    port: 5601
+    annotations:
+      cert-manager.io/cluster-issuer: production-certs
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    hosts:
+    - kibana.example.com
+    tls:
+    - secretName: kibana-server-tls
+      hosts:
+      - kibana.example.com
+    routePrefix: /

charts/eck-resources/templates/NOTES.txt

@@ -0,0 +1,2 @@
+{ $.Chart.Name }} has been installed. Check its status by running:
+  kubectl --namespace {{ template "eck-resources.namespace" . }} get pods -l "release={{ $.Release.Name }}"

charts/eck-resources/templates/_helpers.tpl

@@ -0,0 +1,111 @@
+{{/* vim: set filetype=mustache: */}}
+{{/* Expand the name of the chart. This is suffixed with -elasticsearch, which means subtract 13 from longest 63 available */}}
+{{- define "eck-resources.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 50 | trimSuffix "-" -}}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+The components in this chart create additional resources that expand the longest created name strings.
+The longest name that gets created adds and extra 37 characters, so truncation should be 63-35=26.
+*/}}
+{{- define "eck-resources.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 26 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 26 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 26 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Fullname suffixed with operator */}}
+{{- define "eck-resources.elasticsearch.fullname" -}}
+{{- printf "%s-elasticsearch" (include "eck-resources.fullname" .) -}}
+{{- end }}
+
+{{/* Kibana service suffixed */}}
+{{- define "eck-resources.elasticsearch.serviceName" -}}
+{{- printf "%s-elasticsearch-es-http" (include "eck-resources.fullname" .) -}}
+{{- end }}
+
+{{/* Fullname suffixed */}}
+{{- define "eck-resources.kibana.fullname" -}}
+{{- printf "%s-kibana" (include "eck-resources.fullname" .) -}}
+{{- end }}
+
+{{/* Kibana service suffixed */}}
+{{- define "eck-resources.kibana.serviceName" -}}
+{{- printf "%s-kibana-kb-http" (include "eck-resources.fullname" .) -}}
+{{- end }}
+
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "eck-resources.chartref" -}}
+{{- replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name -}}
+{{- end }}
+
+{{/* Generate basic labels */}}
+{{- define "eck-resources.labels" -}}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: "{{ .Chart.Version }}"
+app.kubernetes.io/part-of: {{ template "eck-resources.name" . }}
+chart: {{ template "eck-resources.chartref" . }}
+release: {{ $.Release.Name | quote }}
+heritage: {{ $.Release.Service | quote }}
+{{- if .Values.commonLabels}}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "eck-resources.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/* Allow KubeVersion to be overridden. */}}
+{{- define "eck-resources.kubeVersion" -}}
+  {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}}
+{{- end -}}
+
+{{/* Get Ingress API Version */}}
+{{- define "eck-resources.ingress.apiVersion" -}}
+  {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" (include "eck-resources.kubeVersion" .)) -}}
+      {{- print "networking.k8s.io/v1" -}}
+  {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
+    {{- print "networking.k8s.io/v1beta1" -}}
+  {{- else -}}
+    {{- print "extensions/v1beta1" -}}
+  {{- end -}}
+{{- end -}}
+
+{{/* Check Ingress stability */}}
+{{- define "eck-resources.ingress.isStable" -}}
+  {{- eq (include "eck-resources.ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+{{- end -}}
+
+{{/* Check Ingress supports pathType */}}
+{{/* pathType was added to networking.k8s.io/v1beta1 in Kubernetes 1.18 */}}
+{{- define "eck-resources.ingress.supportsPathType" -}}
+  {{- or (eq (include "eck-resources.ingress.isStable" .) "true") (and (eq (include "eck-resources.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" (include "eck-resources.kubeVersion" .))) -}}
+{{- end -}}
+
+{{/* Get Policy API Version */}}
+{{- define "eck-resources.pdb.apiVersion" -}}
+  {{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">= 1.21-0" (include "eck-resources.kubeVersion" .)) -}}
+      {{- print "policy/v1" -}}
+  {{- else -}}
+    {{- print "policy/v1beta1" -}}
+  {{- end -}}
+  {{- end -}}