diff --git a/README.md b/README.md
index 39404bb..6862655 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
-# eck-resources-chart
-Helm chart for easily templating ECK resources for deploying Elasticsearch, Kibana etc with reduced duplication.
+# PHRG helm-charts
+Helm charts created by Power Home Remodling Group.
diff --git a/charts/eck-resources/Chart.yaml b/charts/eck-resources/Chart.yaml
new file mode 100644
index 0000000..6612a26
--- /dev/null
+++ b/charts/eck-resources/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+description: After ECK is deployed to you cluster this chart creates Elasticsearch and kibana resources.
+home: https://github.com/powerhome/eck-resources-chart/charts/eck-resources
+maintainers:
+- email: phrgadmin@powerhrg.com
+ name: Power HRG
+name: eck-resources
+version: 0.0.1
+appVersion: 7.16.3
+sources:
+ - https://github.com/powerhome/eck-resources-chart/charts/eck-resources
diff --git a/charts/eck-resources/README.md b/charts/eck-resources/README.md
new file mode 100644
index 0000000..6b3ef6f
--- /dev/null
+++ b/charts/eck-resources/README.md
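Review bot: `home:` and `sources:` in Chart.yaml still point at `https://github.com/powerhome/eck-resources-chart/charts/eck-resources`, while the README hunk in this same commit renames the repository to `PHRG helm-charts` and portal.yaml carries `github.com/project-slug: powerhome/helm-charts`; the chart metadata looks stale relative to the rename and should be checked before publishing. The two block sequences use different indentation (`maintainers:` items flush, `sources:` items indented); both are valid YAML, but one style per file is what yamllint expects. `description:` also has a typo, "you cluster" → "your cluster".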
@@ -0,0 +1,24 @@
+# eck-resources-chart
+Helm chart for easily templating ECK resources for deploying Elasticsearch, Kibana etc with reduced duplication.
+
+It allows the user to create some of the custom resources managed by ECK in a simpler way by taking advantage of Helm templating.
+
+For now the chart can create the following resources:
+* Elasticsearch
+* Kibana
+* Ingress (for kibana)
+* Beats
+
+## Depencies
+This charts expects that the [ECK](https://github.com/elastic/cloud-on-k8s) is already installed and configured in the Kube cluster.
+
+## Configuration
+Each variable has a comment to what is can be used for in the [values.yaml](./values.yaml).
+
+Besides that there are some example files in [examples/](./examples/).
+
+## Configure OIDC
+This chart allows you to configure login using OIDC. Note that this feature isn't available in the basic license.
+
+## References
+We used some of the best practices for helm charts used in https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack/
diff --git a/charts/eck-resources/examples/oidc.yaml b/charts/eck-resources/examples/oidc.yaml
new file mode 100644
index 0000000..87360c7
--- /dev/null
+++ b/charts/eck-resources/examples/oidc.yaml
@@ -0,0 +1,87 @@
+fullnameOverride: eck
+
+elasticsearch:
+ enabled: true
+ credentials:
+ enabled: true
+ version: 7.16.3
+ secretConfig:
+ xpack.security.authc.realms.oidc.dex.rp.client_secret: client_secret
+ config:
+ node.store.allow_mmap: false
+ ingest.geoip.downloader.enabled: false
+ xpack.security.http.ssl.enabled: true
+ xpack.security.authc:
+ token.enabled: true
+ realms.oidc:
+ dex:
+ order: 0
+ op:
+ issuer: "https://dex.example.com/"
+ authorization_endpoint: "https://dex.example.com/auth"
+ token_endpoint: "https://dex.example.com/token"
+ jwkset_path: "https://dex.example.com/keys"
+ userinfo_endpoint: "https://dex.example.com/userinfo"
+ rp:
+ client_id: "infra-eck"
+ response_type: code
+ redirect_uri: "https://kibana.example.com/api/security/oidc/callback"
+ post_logout_redirect_uri: "https://kibana.example.com/security/logged_out"
+ signature_algorithm: RS256
+ requested_scopes:
+ - groups
+ - openid
+ - profile
+ - email
+ claims:
+ principal: name
+ groups: groups
+ mail: email
+ nodeSets:
+ - name: default
+ count: 1
+ config:
+ node:
+ roles: [master, data, ingest]
+ resources:
+ requests:
+ cpu: "2"
+ ephemeral-storage: 100Mi
+ memory: "4Gi"
+ limits:
+ cpu: "4"
+ ephemeral-storage: 100Mi
+ memory: "4Gi"
+ env:
+ - name: ES_JAVA_OPTS
+ value: "-Xmx2g -Xms2g -XX:MaxRAM=3072m"
+kibana:
+ enabled: true
+ version: 7.16.3
+ count: 1
+ config:
+ server.publicBaseUrl: https://kibana.example.com
+ xpack.security.authc.providers:
+ oidc.dex:
+ order: 0
+ realm: "dex"
+ basic.basic1:
+ order: 1
+ http:
+ tls:
+ certificate:
+ secretName: kibana-server-tls #same as ingress secret name
+ ingress:
+ enabled: true
+ port: 5601
+ annotations:
+ cert-manager.io/cluster-issuer: production-certs
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ hosts:
+ - kibana.example.com
+ tls:
+ - secretName: kibana-server-tls
+ hosts:
+ - kibana.example.com
+ routePrefix: /
diff --git a/charts/eck-resources/examples/production.yaml b/charts/eck-resources/examples/production.yaml
new file mode 100644
index 0000000..6e67b2d
--- /dev/null
+++ b/charts/eck-resources/examples/production.yaml
@@ -0,0 +1,107 @@
+fullnameOverride: eck
+
+elasticsearch:
+ enabled: true
+ credentials:
+ enabled: true
+ version: 7.16.3
+ secretConfig:
+ xpack.security.authc.realms.oidc.dex.rp.client_secret: test
+ config:
+ node.store.allow_mmap: false
+ ingest.geoip.downloader.enabled: false
+ xpack.security.http.ssl.enabled: true
+ nodeSets:
+ - name: data
+ count: 3
+ config:
+ node:
+ roles: [data, ingest]
+ resources:
+ requests:
+ cpu: "2"
+ ephemeral-storage: 100Mi
+ memory: "4Gi"
+ limits:
+ cpu: "4"
+ ephemeral-storage: 100Mi
+ memory: "4Gi"
+ env:
+ - name: ES_JAVA_OPTS
+ value: "-Xmx2g -Xms2g -XX:MaxRAM=3072m"
+ volumeClaimTemplates:
+ - metadata:
+ name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 200Gi
+ storageClassName: "production-performance"
+ - name: master
+ count: 3
+ config:
+ node:
+ roles: [master]
+ resources:
+ requests:
+ cpu: 2
+ ephemeral-storage: 100Mi
+ memory: 2Gi
+ limits:
+ cpu: 2
+ ephemeral-storage: 100Mi
+ memory: 2Gi
+ env:
+ - name: ES_JAVA_OPTS
+ value: "-Xmx1g -Xms1g -XX:MaxRAM=1536m"
+ volumeClaimTemplates:
+ - metadata:
+ name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+ storageClassName: "production-performance"
+kibana:
+ enabled: true
+ version: 7.16.3
+ count: 1
+ config:
+ server.publicBaseUrl: https://kibana.example.com
+ xpack.security.authc.providers:
+ oidc.dex:
+ order: 0
+ realm: "dex"
+ basic.basic1:
+ order: 1
+ http:
+ tls:
+ certificate:
+ secretName: kibana-server-tls #same as ingress secret name
+ resources:
+ requests:
+ cpu: "1"
+ ephemeral-storage: 100Mi
+ memory: "1Gi"
+ limits:
+ cpu: "1"
+ ephemeral-storage: 100Mi
+ memory: "1Gi"
+ ingress:
+ enabled: true
+ port: 5601
+ annotations:
+ cert-manager.io/cluster-issuer: production-certs
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ hosts:
+ - kibana.example.com
+ tls:
+ - secretName: kibana-server-tls
+ hosts:
+ - kibana.example.com
+ routePrefix: /
diff --git a/charts/eck-resources/templates/NOTES.txt b/charts/eck-resources/templates/NOTES.txt
new file mode 100644
index 0000000..9708793
--- /dev/null
+++ b/charts/eck-resources/templates/NOTES.txt
@@ -0,0 +1,2 @@
+{ $.Chart.Name }} has been installed. Check its status by running:
+ kubectl --namespace {{ template "eck-resources.namespace" . }} get pods -l "release={{ $.Release.Name }}"
diff --git a/charts/eck-resources/templates/_helpers.tpl b/charts/eck-resources/templates/_helpers.tpl
new file mode 100644
index 0000000..432b971
--- /dev/null
+++ b/charts/eck-resources/templates/_helpers.tpl
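Review bot: The first line of NOTES.txt opens with a single brace, `{ $.Chart.Name }} has been installed.`, so the template engine never sees an action there and the literal text `{ $.Chart.Name }}` is printed after install; it should read `{{ $.Chart.Name }} has been installed.`. The suggested `kubectl ... get pods -l "release={{ $.Release.Name }}"` also relies on the `release` label that `eck-resources.labels` puts on the Elasticsearch and Kibana custom resources, not on the pods the ECK operator derives from them, so it will most likely list nothing unless that label is also added under `podTemplate`; pointing the user at `kubectl get elasticsearch,kibana` in the release namespace would be a more reliable status check.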
@@ -0,0 +1,111 @@
+{{/* vim: set filetype=mustache: */}}
+{{/* Expand the name of the chart. This is suffixed with -elasticsearch, which means subtract 13 from longest 63 available */}}
+{{- define "eck-resources.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 50 | trimSuffix "-" -}}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+The components in this chart create additional resources that expand the longest created name strings.
+The longest name that gets created adds and extra 37 characters, so truncation should be 63-35=26.
+*/}}
+{{- define "eck-resources.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 26 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 26 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 26 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Fullname suffixed with operator */}}
+{{- define "eck-resources.elasticsearch.fullname" -}}
+{{- printf "%s-elasticsearch" (include "eck-resources.fullname" .) -}}
+{{- end }}
+
+{{/* Kibana service suffixed */}}
+{{- define "eck-resources.elasticsearch.serviceName" -}}
+{{- printf "%s-elasticsearch-es-http" (include "eck-resources.fullname" .) -}}
+{{- end }}
+
+{{/* Fullname suffixed */}}
+{{- define "eck-resources.kibana.fullname" -}}
+{{- printf "%s-kibana" (include "eck-resources.fullname" .) -}}
+{{- end }}
+
+{{/* Kibana service suffixed */}}
+{{- define "eck-resources.kibana.serviceName" -}}
+{{- printf "%s-kibana-kb-http" (include "eck-resources.fullname" .) -}}
+{{- end }}
+
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "eck-resources.chartref" -}}
+{{- replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name -}}
+{{- end }}
+
+{{/* Generate basic labels */}}
+{{- define "eck-resources.labels" -}}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: "{{ .Chart.Version }}"
+app.kubernetes.io/part-of: {{ template "eck-resources.name" . }}
+chart: {{ template "eck-resources.chartref" . }}
+release: {{ $.Release.Name | quote }}
+heritage: {{ $.Release.Service | quote }}
+{{- if .Values.commonLabels}}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "eck-resources.namespace" -}}
+ {{- if .Values.namespaceOverride -}}
+ {{- .Values.namespaceOverride -}}
+ {{- else -}}
+ {{- .Release.Namespace -}}
+ {{- end -}}
+{{- end -}}
+
+{{/* Allow KubeVersion to be overridden. */}}
+{{- define "eck-resources.kubeVersion" -}}
+ {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}}
+{{- end -}}
+
+{{/* Get Ingress API Version */}}
+{{- define "eck-resources.ingress.apiVersion" -}}
+ {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" (include "eck-resources.kubeVersion" .)) -}}
+ {{- print "networking.k8s.io/v1" -}}
+ {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
+ {{- print "networking.k8s.io/v1beta1" -}}
+ {{- else -}}
+ {{- print "extensions/v1beta1" -}}
+ {{- end -}}
+{{- end -}}
+
+{{/* Check Ingress stability */}}
+{{- define "eck-resources.ingress.isStable" -}}
+ {{- eq (include "eck-resources.ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+{{- end -}}
+
+{{/* Check Ingress supports pathType */}}
+{{/* pathType was added to networking.k8s.io/v1beta1 in Kubernetes 1.18 */}}
+{{- define "eck-resources.ingress.supportsPathType" -}}
+ {{- or (eq (include "eck-resources.ingress.isStable" .) "true") (and (eq (include "eck-resources.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" (include "eck-resources.kubeVersion" .))) -}}
+{{- end -}}
+
+{{/* Get Policy API Version */}}
+{{- define "eck-resources.pdb.apiVersion" -}}
+ {{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">= 1.21-0" (include "eck-resources.kubeVersion" .)) -}}
+ {{- print "policy/v1" -}}
+ {{- else -}}
+ {{- print "policy/v1beta1" -}}
+ {{- end -}}
+ {{- end -}}
diff --git a/charts/eck-resources/templates/beats.yaml b/charts/eck-resources/templates/beats.yaml
new file mode 100644
index 0000000..e1bc167
--- /dev/null
+++ b/charts/eck-resources/templates/beats.yaml
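Review bot: `app.kubernetes.io/version: "{{ .Chart.Version }}"` in `eck-resources.labels` records the chart version (0.0.1) where that well-known label conventionally carries the application version; Chart.yaml in this commit sets `appVersion: 7.16.3`, so `app.kubernetes.io/version: "{{ .Chart.AppVersion }}"` is the value that matches the label's meaning, and `chart:` already carries the chart version through `eck-resources.chartref`. The comment above `eck-resources.fullname` says the longest suffix adds 37 characters and then computes `63-35=26`; the `trunc 26` matches 37, so the `35` should be corrected so the next maintainer can re-derive the limit. Similarly the comment on `eck-resources.name` says "subtract 13" for `-elasticsearch` while the helper uses `trunc 50` (the suffix is 14 characters, which would give 49); worth reconciling one way or the other. The comment above `eck-resources.elasticsearch.serviceName` reads `Kibana service suffixed`, copied from the Kibana helper, and should say Elasticsearch.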
@@ -0,0 +1,51 @@
+{{- $root := . }}
+{{- range .Values.beat.instances }}
+---
+{{/* Beats verification */}}
+{{- if and .deployment .daemonSet }}
+{{- fail (printf "You can't define a deployment and a daemonset at the same time for beat '%s'" .name) }}
+{{- end }}
+apiVersion: beat.k8s.elastic.co/v1beta1
+kind: Beat
+metadata:
+ name: {{ .name }}
+ labels:
+ beat: {{ .name }}
+{{ include "eck-resources.labels" $root | indent 4 }}
+spec:
+ type: {{ .type | default $root.Values.beat.default.type }}
+ version: {{ .version | default $root.Values.beat.default.version }}
+ elasticsearchRef:
+ name: {{ .elasticsearchRef | default (include "eck-resources.elasticsearch.fullname" $root ) }}
+ kibanaRef:
+ name: {{ .kibanaRef | default (include "eck-resources.kibana.fullname" $root ) }}
+ config:
+{{ toYaml .config | indent 4}}
+ {{- if $root.Values.elasticsearch.credentials.enabled }}
+ output.elasticsearch:
+ username: "{{ $root.Values.elasticsearch.credentials.username }}"
+ password: "{{ $root.Values.elasticsearch.credentials.password }}"
+ {{- end }}
+ {{- if $root.Values.kibana.http.tls }}
+ setup.kibana:
+ ssl.verification_mode: certificate
+ {{- if $root.Values.elasticsearch.credentials.enabled }}
+ username: "{{ $root.Values.elasticsearch.credentials.username }}"
+ password: "{{ $root.Values.elasticsearch.credentials.password }}"
+ {{- end }}
+ {{- end }}
+ {{- if $root.Values.elasticsearch.credentials.enabled }}
+ monitoring.elasticsearch:
+ hosts: ["{{ include "eck-resources.elasticsearch.serviceName" $root }}:9200"]
+ username: "{{ $root.Values.elasticsearch.credentials.username }}"
+ password: "{{ $root.Values.elasticsearch.credentials.password }}"
+ {{- end }}
+ {{- if .daemonSet }}
+ daemonSet:
+{{ toYaml .daemonSet | indent 4}}
+ {{- end }}
+ {{- if .deployment }}
+ deployment:
+{{ toYaml .deployment | indent 4}}
+ {{- end }}
+{{- end }}
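Review bot: `{{- if $root.Values.kibana.http.tls }}` dereferences `.tls` on `.Values.kibana.http`, which values.yaml in this commit leaves commented out, so a chart user who defines `beat.instances` without also setting `kibana.http` gets a nil-pointer template error instead of a rendered Beat; guard the parent first, e.g. `{{- if and $root.Values.kibana.http $root.Values.kibana.http.tls }}` (or a `with` block, which is the portable form if the template engine's `and` does not short-circuit). `name: {{ .elasticsearchRef | default ... }}` and the matching `kibanaRef` line substitute the instance value as a scalar, but the commented `beat.instances` example in values.yaml shows `elasticsearchRef:` as a mapping with a `name:` child; one of the two should change so the example renders a valid reference. The `username`/`password` pairs under `output.elasticsearch`, `setup.kibana` and `monitoring.elasticsearch` put the superuser password in clear text inside the Beat CR's `spec.config`, readable by anyone with get on Beat objects and visible in `helm get manifest`; ECK's Beat spec offers a Secret-backed `configRef` that would keep the credentials out of the CR (to be confirmed against the ECK version in use).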
diff --git a/charts/eck-resources/templates/elasticsearch.yaml b/charts/eck-resources/templates/elasticsearch.yaml
new file mode 100644
index 0000000..84aa488
--- /dev/null
+++ b/charts/eck-resources/templates/elasticsearch.yaml
@@ -0,0 +1,139 @@
+{{- if .Values.elasticsearch.enabled }}
+{{- $root := . -}}
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+ name: {{ template "eck-resources.fullname" . }}-elasticsearch
+ labels:
+ app: {{ template "eck-resources.name" . }}-elasticsearch
+{{ include "eck-resources.labels" . | indent 4 }}
+{{- if .Values.elasticsearch.annotations }}
+ annotations:
+{{ toYaml .Values.elasticsearch.annotations | indent 4 }}
+{{- end }}
+spec:
+ version: {{ .Values.elasticsearch.version }}
+ {{- if .Values.elasticsearch.http }}
+ http:
+{{ toYaml .Values.elasticsearch.http | indent 4 }}
+ {{- end }}
+
+ {{- if .Values.elasticsearch.auth }}
+ auth:
+{{ toYaml .Values.elasticsearch.auth | indent 4 }}
+ {{- end }}
+
+ {{- if .Values.elasticsearch.image }}
+ image:
+{{ toYaml .Values.elasticsearch.image | indent 4 }}
+ {{- end }}
+
+ {{- if .Values.elasticsearch.nodeSets }}
+ nodeSets:
+ {{- range .Values.elasticsearch.nodeSets }}
+ - name: {{.name }}
+ count: {{ .count }}
+ config:
+{{ toYaml $root.Values.elasticsearch.config | indent 6 }}
+{{ toYaml .config | indent 6 }}
+ podTemplate:
+ spec:
+ {{- if or $root.Values.elasticsearch.credentials.enabled $root.Values.elasticsearch.secretConfig }}
+ initContainers:
+ {{- if $root.Values.elasticsearch.secretConfig }}
+ - name: elastic-custom-init-keystore
+ command:
+ - /usr/bin/env
+ - bash
+ - -c
+ - |-
+ #!/usr/bin/env bash
+
+ echo "Initializing keystore."
+
+ # create a keystore in the default data path
+ bin/elasticsearch-keystore create
+
+ # add all existing secret entries into it
+ {{- range $key,$value := $root.Values.elasticsearch.secretConfig }}
+ echo "Adding {{ $key }} to keystore."
+ echo ${{ $key | replace "." "_" |upper }} | bin/elasticsearch-keystore add --stdin {{ $key }}
+ {{- end }}
+
+ echo "Keystore initialization successful."
+ env:
+ {{- range $key,$value := $root.Values.elasticsearch.secretConfig }}
+ - name: {{ $key | replace "." "_" |upper }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "eck-resources.fullname" $root }}-keystore
+ key: {{ $key }}
+ {{- end }}
+ resources:
+{{ toYaml $root.Values.elasticsearch.secretResources | indent 12 }}
+ ephemeral-storage: 200Mi
+ {{- end }}
+
+ {{- if $root.Values.elasticsearch.credentials.enabled }}
+ - name: elastic-init-auth-user
+ command:
+ - /usr/bin/env
+ - bash
+ - -c
+ - |-
+ #!/usr/bin/env bash
+ echo "Create elasticsearch user."
+ # create a keystore in the default data path
+ bin/elasticsearch-users useradd $USER_USERNAME -p $USER_PASSWORD -r superuser
+ env:
+ - name: USER_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "eck-resources.fullname" $root }}-credentials
+ key: auth_username
+ - name: USER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "eck-resources.fullname" $root }}-credentials
+ key: auth_password
+ resources:
+{{ toYaml $root.Values.elasticsearch.credentials.resources | indent 12 }}
+ {{- end }}
+ {{- end }}
+
+ containers:
+ - name: elasticsearch
+ {{- if .resources }}
+ resources:
+{{ toYaml .resources | indent 12 }}
+ {{- end }}
+
+ {{- if .env }}
+ env:
+{{ toYaml .env | indent 12 }}
+ {{- end }}
+ {{- if .volumeClaimTemplates }}
+ volumeClaimTemplates:
+{{ toYaml .volumeClaimTemplates | indent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{- if .Values.elasticsearch.podDisruptionBudget }}
+ podDisruptionBudget:
+{{ toYaml .Values.elasticsearch.podDisruptionBudget | indent 4 }}
+ {{- end }}
+
+ {{- if .Values.elasticsearch.secureSettings }}
+ secureSettings:
+{{ toYaml .Values.elasticsearch.secureSettings | indent 4 }}
+ {{- end }}
+
+ {{- if .Values.elasticsearch.updateStrategy }}
+ updateStrategy:
+{{ toYaml .Values.elasticsearch.updateStrategy | indent 4 }}
+ {{- end }}
+ {{- if .Values.elasticsearch.extraSpec }}
+{{ toYaml .Values.elasticsearch.extraSpec | indent 2 }}
+ {{- end }}
+{{- end }}
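Review bot: The keystore init script pipes `echo ${{ $key | replace "." "_" |upper }}` into `bin/elasticsearch-keystore add --stdin {{ $key }}` with the variable unquoted and without `set -e`, so a secret value containing spaces, `*` or a leading `-` is word-split, globbed or consumed as an `echo` option, and a failed `create` or `add` still prints `Keystore initialization successful.` and lets the Pod start with a missing entry; put `set -euo pipefail` after the shebang and write `printf '%s\n' "${{ $key | replace "." "_" | upper }}" | bin/elasticsearch-keystore add --stdin {{ $key }}`. The same quoting applies to `bin/elasticsearch-users useradd $USER_USERNAME -p $USER_PASSWORD -r superuser`, where the password additionally appears in the init container's argv while it runs and the role is hard-coded; a value such as `.Values.elasticsearch.credentials.roles` defaulting to `superuser` would let users create a less-privileged local account. The `ephemeral-storage: 200Mi` line following `{{ toYaml $root.Values.elasticsearch.secretResources | indent 12 }}` appears to sit directly under `resources:` rather than under `requests`/`limits` (indentation is not recoverable from this view); if so it is not a valid `ResourceRequirements` field and the Elasticsearch object would be rejected on apply, and the `secretResources` default in values.yaml already carries ephemeral-storage in both places.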
diff --git a/charts/eck-resources/templates/ingress.yaml b/charts/eck-resources/templates/ingress.yaml
new file mode 100644
index 0000000..bbc1281
--- /dev/null
+++ b/charts/eck-resources/templates/ingress.yaml
@@ -0,0 +1,77 @@
+{{- if and .Values.kibana.enabled .Values.kibana.ingress.enabled -}}
+ {{- $pathType := .Values.kibana.ingress.pathType | default "ImplementationSpecific" -}}
+ {{- $serviceName := include "eck-resources.kibana.serviceName" . -}}
+ {{- $servicePort := .Values.kibana.ingress.port -}}
+ {{- $routePrefix := list .Values.kibana.ingress.routePrefix -}}
+ {{- $paths := .Values.kibana.ingress.paths | default $routePrefix -}}
+ {{- $apiIsStable := eq (include "eck-resources.ingress.isStable" .) "true" -}}
+ {{- $ingressSupportsPathType := eq (include "eck-resources.ingress.supportsPathType" .) "true" -}}
+apiVersion: {{ include "eck-resources.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+{{- if .Values.kibana.ingress.annotations }}
+ annotations:
+{{ toYaml .Values.kibana.ingress.annotations | indent 4 }}
+{{- end }}
+ name: {{ include "eck-resources.fullname" . }}-kibana
+ namespace: {{ template "eck-resources.namespace" . }}
+ labels:
+ app: {{ template "eck-resources.name" . }}-kibana
+{{ include "eck-resources.labels" . | indent 4 }}
+{{- if .Values.kibana.ingress.labels }}
+{{ toYaml .Values.kibana.ingress.labels | indent 4 }}
+{{- end }}
+spec:
+ {{- if $apiIsStable }}
+ {{- if .Values.kibana.ingress.ingressClassName }}
+ ingressClassName: {{ .Values.kibana.ingress.ingressClassName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- if .Values.kibana.ingress.hosts }}
+ {{- range $host := .Values.kibana.ingress.hosts }}
+ - host: {{ tpl $host $ }}
+ http:
+ paths:
+ {{- range $p := $paths }}
+ - path: {{ tpl $p $ }}
+ {{- if and $pathType $ingressSupportsPathType }}
+ pathType: {{ $pathType }}
+ {{- end }}
+ backend:
+ {{- if $apiIsStable }}
+ service:
+ name: {{ $serviceName }}
+ port:
+ number: {{ $servicePort }}
+ {{- else }}
+ serviceName: {{ $serviceName }}
+ servicePort: {{ $servicePort }}
+ {{- end }}
+ {{- end -}}
+ {{- end -}}
+ {{- else }}
+ - http:
+ paths:
+ {{- range $p := $paths }}
+ - path: {{ tpl $p $ }}
+ {{- if and $pathType $ingressSupportsPathType }}
+ pathType: {{ $pathType }}
+ {{- end }}
+ backend:
+ {{- if $apiIsStable }}
+ service:
+ name: {{ $serviceName }}
+ port:
+ number: {{ $servicePort }}
+ {{- else }}
+ serviceName: {{ $serviceName }}
+ servicePort: {{ $servicePort }}
+ {{- end }}
+ {{- end -}}
+ {{- end -}}
+ {{- if .Values.kibana.ingress.tls }}
+ tls:
+{{ tpl (toYaml .Values.kibana.ingress.tls | indent 4) . }}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/eck-resources/templates/kibana.yaml b/charts/eck-resources/templates/kibana.yaml
new file mode 100644
index 0000000..fbbd775
--- /dev/null
+++ b/charts/eck-resources/templates/kibana.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.kibana.enabled }}
+apiVersion: kibana.k8s.elastic.co/v1
+kind: Kibana
+metadata:
+ name: {{ template "eck-resources.fullname" . }}-kibana
+ labels:
+ app: {{ template "eck-resources.name" . }}-kibana
+{{ include "eck-resources.labels" . | indent 4 }}
+{{- if .Values.kibana.annotations }}
+ annotations:
+{{ toYaml .Values.kibana.annotations | indent 4 }}
+{{- end }}
+spec:
+ version: {{ .Values.kibana.version }}
+ count: {{ .Values.kibana.count }}
+ {{- if .Values.kibana.http }}
+ http:
+{{ toYaml .Values.kibana.http | indent 4 }}
+ {{- end }}
+ {{- if .Values.kibana.config }}
+ config:
+{{ toYaml .Values.kibana.config | indent 4 }}
+ {{- end }}
+ elasticsearchRef:
+ name: "{{ .Values.kibana.externalElasticsearchRef | default (printf "%s-elasticsearch" (include "eck-resources.fullname" . )) }}"
+ podTemplate:
+ spec:
+ containers:
+ - name: kibana
+ resources:
+{{ toYaml .Values.kibana.resources | indent 10 }}
+ {{- if .Values.kibana.extraSpec }}
+{{ toYaml .Values.kibana.extraSpec | indent 2 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/eck-resources/templates/secret.yaml b/charts/eck-resources/templates/secret.yaml
new file mode 100644
index 0000000..00b7019
--- /dev/null
+++ b/charts/eck-resources/templates/secret.yaml
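Review bot: `name: "{{ .Values.kibana.externalElasticsearchRef | default (printf "%s-elasticsearch" (include "eck-resources.fullname" . )) }}"` rebuilds the Elasticsearch name inline although `_helpers.tpl` in this commit defines `eck-resources.elasticsearch.fullname` for exactly that string and beats.yaml already uses it; `default (include "eck-resources.elasticsearch.fullname" .)` keeps the two in step if the suffix ever changes. `resources:` under the `kibana` container is emitted unconditionally from `.Values.kibana.resources`, unlike the `{{- if .resources }}` guard used for the Elasticsearch container; a user who blanks the value would get `resources: null` in the rendered spec, so either guard it the same way or document the value as required in values.yaml.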
@@ -0,0 +1,28 @@
+---
+{{- if .Values.elasticsearch.credentials.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "eck-resources.fullname" . }}-credentials
+ labels:
+{{ include "eck-resources.labels" . | indent 4 }}
+type: Opaque
+data:
+ auth_username: {{ .Values.elasticsearch.credentials.username | b64enc | quote }}
+ auth_password: {{ .Values.elasticsearch.credentials.password | b64enc | quote }}
+{{- end }}
+
+---
+{{- if .Values.elasticsearch.secretConfig -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "eck-resources.fullname" . }}-keystore
+ labels:
+{{ include "eck-resources.labels" . | indent 4 }}
+type: Opaque
+data:
+ {{- range $key,$value := .Values.elasticsearch.secretConfig }}
+ {{ $key }}: {{ $value | b64enc | quote }}
+ {{- end }}
+{{- end }}
diff --git a/charts/eck-resources/templates/service.yaml b/charts/eck-resources/templates/service.yaml
new file mode 100644
index 0000000..d191fe1
--- /dev/null
+++ b/charts/eck-resources/templates/service.yaml
@@ -0,0 +1,33 @@
+{{- $root := . }}
+{{- range .Values.services }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .name }}
+ labels:
+{{ include "eck-resources.labels" $root | indent 4 }}
+{{- if .annotations }}
+ annotations:
+{{ toYaml .annotations | indent 4 }}
+{{- end }}
+spec:
+{{- if .clusterIP }}
+ clusterIP: {{ .clusterIP }}
+{{- end }}
+{{- if .externalIPs }}
+ externalIPs:
+{{ toYaml .externalIPs | indent 4 }}
+{{- end }}
+{{- if .loadBalancerIP }}
+ loadBalancerIP: {{ .loadBalancerIP }}
+{{- end }}
+ ports:
+{{ toYaml .ports | indent 4 }}
+ selector:
+{{ toYaml .selector | indent 4 }}
+{{- if .sessionAffinity }}
+ sessionAffinity: {{ .sessionAffinity }}
+{{- end }}
+ type: "{{ .type }}"
+{{- end }}
diff --git a/charts/eck-resources/templates/serviceaccount.yaml b/charts/eck-resources/templates/serviceaccount.yaml
new file mode 100644
index 0000000..2a214d9
--- /dev/null
+++ b/charts/eck-resources/templates/serviceaccount.yaml
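Review bot: `auth_password: {{ .Values.elasticsearch.credentials.password | b64enc | quote }}` encodes whatever the chart value holds, and values.yaml in this commit ships `password: password` for an account that elasticsearch.yaml creates with the `superuser` role, so enabling `credentials.enabled` without overriding the value yields a well-known superuser password. Removing the default from values.yaml and writing `auth_password: {{ required "elasticsearch.credentials.password must be set" .Values.elasticsearch.credentials.password | b64enc | quote }}` turns a forgotten password into a render-time error rather than a running cluster. Both Secrets are rendered from plain values, so the password and every `secretConfig` entry are also persisted in the Helm release Secret and in any values file checked into VCS; an `existingSecret`-style option would let users keep them out of values entirely.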
@@ -0,0 +1,47 @@
+{{- $root := . }}
+{{- range .Values.serviceAccounts }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .name }}-role
+ labels:
+{{ include "eck-resources.labels" $root | indent 4 }}
+{{- if .annotations }}
+ annotations:
+{{ toYaml .annotations | indent 4 }}
+{{- end }}
+rules:
+{{ toYaml .rules }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .name }}
+ labels:
+{{ include "eck-resources.labels" $root | indent 4 }}
+{{- if .annotations }}
+ annotations:
+{{ toYaml .annotations | indent 4 }}
+{{- end }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .name }}-rb
+ labels:
+{{ include "eck-resources.labels" $root | indent 4 }}
+{{- if .annotations }}
+ annotations:
+{{ toYaml .annotations | indent 4 }}
+{{- end }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .name }}
+roleRef:
+ kind: Role
+ name: {{ .name }}-role
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/eck-resources/values.yaml b/charts/eck-resources/values.yaml
new file mode 100644
index 0000000..c87a36e
--- /dev/null
+++ b/charts/eck-resources/values.yaml
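Review bot: The `RoleBinding` subject `- kind: ServiceAccount` / `name: {{ .name }}` carries no `namespace`, which API validation requires for ServiceAccount subjects, so the object is rejected on apply; add `namespace: {{ template "eck-resources.namespace" $root }}`, the helper this commit already uses for the Ingress. None of the three objects set `metadata.namespace` either, so `namespaceOverride` affects the Ingress but not the Role, ServiceAccount or RoleBinding, which is surprising for a combined chart. `rules:` is filled verbatim from `{{ toYaml .rules }}`, which moves the least-privilege review entirely to the values file; a comment here such as `# rules are applied as given in values; the chart does not restrict them` would set that expectation for whoever fills them in.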
@@ -0,0 +1,208 @@
+# Default values for eck-resources.
+# This is a YAML-formatted file.
+
+# fullnameOverride: eck
+
+## elasticsearch values
+elasticsearch:
+ ## controls if it will generate the ES resources
+ enabled: false
+ ## allow you to create local user
+ credentials:
+ enabled: false
+ username: elasticsearch
+ password: password
+ ## create local user init container resources
+ resources:
+ requests:
+ memory: 200Mi
+ cpu: 100m
+ ephemeral-storage: 100Mi
+ limits:
+ memory: 400Mi
+ cpu: 200m
+ ephemeral-storage: 200Mi
+ ## values to be stored in keystore
+ # secretConfig:
+ # xpack.security.authc.realms.oidc.dex.rp.client_secret: test
+ ## init container that store values in keystore resources
+ secretResources:
+ requests:
+ memory: 200Mi
+ cpu: 100m
+ ephemeral-storage: 100Mi
+ limits:
+ memory: 400Mi
+ cpu: 200m
+ ephemeral-storage: 200Mi
+ ## for doc about the `auth` specs check https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-api-elasticsearch-k8s-elastic-co-v1.html#k8s-api-github-com-elastic-cloud-on-k8s-pkg-apis-elasticsearch-v1-auth
+ # auth:
+ ## elasticsearch version
+ version: 7.16.3
+ ## for doc about the `http` specs check https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-api-common-k8s-elastic-co-v1.html#k8s-api-github-com-elastic-cloud-on-k8s-pkg-apis-common-v1-httpconfig
+ # http:
+ ## override default elasticsearch image
+ # image:
+ ## config that will be added to all nodeSets elemets
+ config:
+ node.store.allow_mmap: false
+ # ingest.geoip.downloader.enabled: false
+ # xpack.security.http.ssl.enabled: true
+ ## for doc about `nodeSets` check https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-api-elasticsearch-k8s-elastic-co-v1.html#k8s-api-github-com-elastic-cloud-on-k8s-pkg-apis-elasticsearch-v1-nodeset
+ nodeSets:
+ - name: default
+ count: 1
+ ## nodeSet element specific config
+ config:
+ node:
+ roles: ["master","data","ingest"]
+ ## for doc about `podDisruptionBudget` check https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-api-common-k8s-elastic-co-v1.html#k8s-api-github-com-elastic-cloud-on-k8s-pkg-apis-common-v1-poddisruptionbudgettemplate
+ # podDisruptionBudget:
+ ## for doc about `secureSettings` check https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-api-common-k8s-elastic-co-v1.html#k8s-api-github-com-elastic-cloud-on-k8s-pkg-apis-common-v1-secretsource
+ # secureSettings:
+ ## for doc about `updateStrategy` check https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-api-elasticsearch-k8s-elastic-co-v1.html#k8s-api-github-com-elastic-cloud-on-k8s-pkg-apis-elasticsearch-v1-updatestrategy
+ # updateStrategy:
+ ## even none of the above works for you `extraSpec` lets you pass whatever config you want to the elasticsearch resource
+ # extraSpec:
+
+## kibana values
+kibana:
+ ## controls if it will generate the kibana resources
+ enabled: false
+ ## kibana version
+ version: 7.16.3
+ ## number of replicas
+ count: 1
+ ## for doc about the `http` specs check https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-api-common-k8s-elastic-co-v1.html#k8s-api-github-com-elastic-cloud-on-k8s-pkg-apis-common-v1-httpconfig
+ # http:
+ ## points to an external elasticsearch
+ # externalElasticsearchRef:
+ ## pod resources
+ resources:
+ requests:
+ cpu: "1"
+ ephemeral-storage: 100Mi
+ memory: "1Gi"
+ limits:
+ cpu: "1"
+ ephemeral-storage: 100Mi
+ memory: "1Gi"
+ ## ingress config
+ ingress:
+ enabled: false
+ port: 5601
+ annotations:
+ cert-manager.io/cluster-issuer: production-certs
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ hosts:
+ - kibana.example.com
+ tls:
+ - secretName: kibana-server-tls
+ hosts:
+ - kibana.example.com
+ routePrefix: /
+ ## for doc about the specs check https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-api-common-k8s-elastic-co-v1.html#k8s-api-github-com-elastic-cloud-on-k8s-pkg-apis-common-v1-config
+ config:
+ server.publicBaseUrl: https://kibana.example.com
+ ## even none of the above works for you `extraSpec` lets you pass whatever config you want to the elasticsearch resource
+ # extraSpec:
+
+## beats values
+beat:
+ default:
+ type: filebeat
+ version: 7.16.3
+ ## Can define multiple beats, no specified values will use the default above
+ instances: []
+ # instances:
+ # - name: filebeat1
+ # type: filebeat
+ # elasticsearchRef:
+ # name: elasticsearch
+ # kibanaRef:
+ # name: kibana
+ # config:
+ # filebeat:
+ # autodiscover:
+ # providers:
+ # - type: kubernetes
+ # node: ${NODE_NAME}
+ # hints:
+ # enabled: true
+ # default_config:
+ # type: container
+ # paths:
+ # - /var/log/containers/*${data.kubernetes.container.id}.log
+ # processors:
+ # - add_cloud_metadata: {}
+ # - add_host_metadata: {}
+ # ## Can be a daemonSet or deployment
+ # daemonSet: #deployment:
+ # podTemplate:
+ # spec:
+ # serviceAccountName: filebeat1
+ # automountServiceAccountToken: true
+ # terminationGracePeriodSeconds: 30
+ # dnsPolicy: ClusterFirstWithHostNet
+ # hostNetwork: true # Allows to provide richer host metadata
+ # containers:
+ # - name: filebeat
+ # securityContext:
+ # runAsUser: 0
+ # volumeMounts:
+ # - name: varlogcontainers
+ # mountPath: /var/log/containers
+ # - name: varlogpods
+ # mountPath: /var/log/pods
+ # - name: varlibdockercontainers
+ # mountPath: /var/lib/docker/containers
+ # env:
+ # - name: NODE_NAME
+ # valueFrom:
+ # fieldRef:
+ # fieldPath: spec.nodeName
+ # volumes:
+ # - name: varlogcontainers
+ # hostPath:
+ # path: /var/log/containers
+ # - name: varlogpods
+ # hostPath:
+ # path: /var/log/pods
+ # - name: varlibdockercontainers
+ # hostPath:
+ # path: /var/lib/docker/containers
+ # # Can be a deployment or daemonSet
+ # deployment:
+ # podTemplate:
+ # spec:
+ # containers:
+ # - name: test
+
+services: []
+# services:
+# - name: filebeat-netflow-svc
+# ports:
+# - name: netflow
+# nodePort: 31955
+# port: 2055
+# protocol: TCP
+# targetPort: 2055
+# selector:
+# beat: filebeat-netflow
+# type: nodePort
+
+## serviceAccount values
+serviceAccounts: []
+# serviceAccounts:
+# - name: filebeat1
+# rules:
+# - apiGroups: [""] # "" indicates the core API group
+# resources:
+# - namespaces
+# - pods
+# - nodes
+# verbs:
+# - get
+# - watch
+# - list
diff --git a/mkdocs.yaml b/mkdocs.yaml
new file mode 100644
index 0000000..a9fe0a8
--- /dev/null
+++ b/mkdocs.yaml
@@ -0,0 +1,7 @@
+site_name: helm-charts
+site_description: PHRG helm-charts repo
+nav:
+ - "Home": "README.md"
+ - "Chart eck-resources": "charts/eck-resources/README.md"
+plugins:
+ - techdocs-core
diff --git a/portal.yaml b/portal.yaml
new file mode 100644
index 0000000..a2cf84a
--- /dev/null
+++ b/portal.yaml
@@ -0,0 +1,27 @@
+apiVersion: backstage.io/v1alpha1
+kind: System
+metadata:
+ name: helm-charts
+ title: PHRG helm-charts
+ description: Helm charts created by Power Home Remodling Group.
+ annotations:
+ backstage.io/techdocs-ref: dir:.
+ github.com/project-slug: powerhome/helm-charts
+spec:
+ owner: watchtower
+ domain: technology-foundations-and-tools
+ lifecycle: production
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+ name: eck-resources-chart
+ title: Chart eck-resources
+ description: This component is a helm chart that manages ECK resources.
+ annotations:
+ backstage.io/techdocs-ref: dir:.
+spec:
+ type: library
+ owner: watchtower
+ lifecycle: production
+ subcomponentOf: helm-charts
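Review bot: `password: password` under `elasticsearch.credentials` is a live default for an account the templates create as `superuser`, so a chart user who only flips `credentials.enabled: true` gets a guessable superuser; leave the key unset (or `password: ""`) and let secret.yaml require it at render time. In the commented `services` example `type: nodePort` is lower-case, whereas the Service API accepts `NodePort`, so copying the example as-is fails on apply. `kubernetes.io/ingress.class: nginx` under `kibana.ingress.annotations` is the deprecated annotation form while the ingress template in this commit already supports `ingressClassName` on `networking.k8s.io/v1`; the default would better be `ingressClassName: nginx` under `kibana.ingress`. The filebeat example runs with `hostNetwork: true` and `runAsUser: 0`, both usual for node-level log collection, but a one-line comment stating why they are needed would help anyone who copies it into a tighter cluster policy.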