This repository has been archived by the owner on May 16, 2023. It is now read-only.

[metricbeat] split values for daemonset and deployment #572

Merged
merged 15 commits into from
Apr 17, 2020
[metricbeat] split secretMounts for daemonset and deployment
jmlrt committed Apr 15, 2020
commit 055313c7dc9b1eef0dd5a24a101095331d4d64d2
4 changes: 3 additions & 1 deletion metricbeat/README.md
Expand Up @@ -74,6 +74,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2
| `daemonset.extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function or `DaemonSet`. | `[]` |
| `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] |
| `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` |
| `daemonset.secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` |
| `daemonset.securityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` pod execution environment. | `runAsUser: 0`<br>`privileged: false` |
| `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet`. | `requests.cpu: 100m`<br>`requests.memory: 100Mi`<br>`limits.cpu: 1000m`<br>`limits.memory: 200Mi` |
| `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` |
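Review bot: the description in the new `daemonset.secretMounts` row reads "Allows you easily mount" and ends without a period after "for an example". Suggest "Allows you to easily mount a secret as a file inside the `DaemonSet`." plus a closing period on the last sentence; the `deployment.secretMounts` row added further down carries the same wording.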
Expand All @@ -84,6 +85,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2
| `deployment.extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function or `DaemonSet`. | `[]` |
| `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] |
| `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` |
| `deployment.secretMounts` | Allows you easily mount a secret as a file inside the `Deployment`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` |
| `deployment.securityContext` | Configurable [securityContext][] for Metricbeat `Deployment` pod execution environment. | `runAsUser: 0`<br>`privileged: false` |
| `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment`. | `requests.cpu: 100m`<br>`requests.memory: 100Mi`<br>`limits.cpu: 1000m`<br>`limits.memory: 200Mi` |
| `deployment.tolerations` | Configurable [tolerations][] for Metricbeat `Deployment`. | `[]` |
Expand All @@ -101,7 +103,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2
| `livenessProbe` | Parameters to pass to [liveness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
| `readinessProbe` | Parameters to pass to [readiness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
| `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` |
| `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` |
| `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` |
| `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually. | `RollingUpdate` |
| `priorityClassName` | The [name of the PriorityClass][]. No default is supplied as the PriorityClass must be created first. | `""` |
Expand All @@ -120,6 +121,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2
| `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` |
| `podSecurityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` and `Deployment` pod execution environment. | `{}` |
| `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `{}` |
| `secretMounts` | Allows you easily mount a secret as a file inside `DaemonSet` and `Deployment`. Useful for mounting certificates and other secrets. | `[]` |
| `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` |

## Examples
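Review bot: the `secretMounts` row in this table does not say how it interacts with the new per-workload keys. The templates use `.Values.secretMounts | default .Values.daemonset.secretMounts` (and the `deployment` equivalent), so any non-empty value here replaces both scoped lists and mounts the secret into both workloads. Suggest stating that in the description and pointing readers to `daemonset.secretMounts` and `deployment.secretMounts`, since the scoped keys are what allow a secret to be limited to the workload that needs it.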
7 changes: 5 additions & 2 deletions metricbeat/examples/security/values.yaml
Expand Up @@ -65,6 +65,10 @@ daemonset:
hosts: ["security-master:9200"]
ssl.certificate_authorities:
- /usr/share/metricbeat/config/certs/elastic-certificate.pem
secretMounts:
- name: elastic-certificate-pem
secretName: elastic-certificate-pem
path: /usr/share/metricbeat/config/certs

deployment:
extraEnvs:
Expand Down Expand Up @@ -100,8 +104,7 @@ deployment:
hosts: ["security-master:9200"]
ssl.certificate_authorities:
- /usr/share/metricbeat/config/certs/elastic-certificate.pem

secretMounts:
secretMounts:
- name: elastic-certificate-pem
secretName: elastic-certificate-pem
path: /usr/share/metricbeat/config/certs
4 changes: 2 additions & 2 deletions metricbeat/templates/daemonset.yaml
Expand Up @@ -47,7 +47,7 @@ spec:
serviceAccountName: {{ template "metricbeat.serviceAccount" . }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}
volumes:
{{- range .Values.secretMounts }}
{{- range .Values.secretMounts | default .Values.daemonset.secretMounts }}
- name: {{ .name }}
secret:
secretName: {{ .secretName }}
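Review bot: in the `volumes:` range, `.Values.secretMounts | default .Values.daemonset.secretMounts` silently drops `daemonset.secretMounts` whenever the top-level list is non-empty. A user who keeps a legacy `secretMounts` entry and adds a DaemonSet-only secret gets no volume for it and no error at render time. Suggest either merging the two lists or rejecting the combination when rendering.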
Expand Down Expand Up @@ -118,7 +118,7 @@ spec:
{{- end }}
securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.daemonset.securityContext ) | nindent 10 }}
volumeMounts:
{{- range .Values.secretMounts }}
{{- range .Values.secretMounts | default .Values.daemonset.secretMounts }}
- name: {{ .name }}
mountPath: {{ .path }}
{{- if .subPath }}
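Review bot: the `volumeMounts:` range repeats the same fallback expression as the `volumes:` range above, and the two must stay identical or a mount will reference a volume that is not defined. Suggest computing it once near the top of the template, for example `{{- $secretMounts := .Values.secretMounts | default .Values.daemonset.secretMounts }}`, and ranging over `$secretMounts` in both places.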
4 changes: 2 additions & 2 deletions metricbeat/templates/deployment.yaml
Expand Up @@ -41,7 +41,7 @@ spec:
serviceAccountName: {{ template "metricbeat.serviceAccount" . }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}
volumes:
{{- range .Values.secretMounts }}
{{- range .Values.secretMounts | default .Values.deployment.secretMounts }}
- name: {{ .name }}
secret:
secretName: {{ .secretName }}
Expand Down Expand Up @@ -96,7 +96,7 @@ spec:
{{- end }}
securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.deployment.securityContext ) | nindent 10 }}
volumeMounts:
{{- range .Values.secretMounts }}
{{- range .Values.secretMounts | default .Values.deployment.secretMounts }}
- name: {{ .name }}
mountPath: {{ .path }}
{{- if .subPath }}
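Review bot: this `volumeMounts:` loop honours an optional `.subPath` on each entry, but neither the new `daemonset.secretMounts` and `deployment.secretMounts` README rows nor the commented example in `values.yaml` mention it (they list only `name`, `secretName` and `path`). Suggest adding a commented `subPath` line to the `values.yaml` example so the option is discoverable.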
97 changes: 94 additions & 3 deletions metricbeat/tests/metricbeat_test.py
Expand Up @@ -545,18 +545,109 @@ def test_adding_in_deprecated_metricbeat_config():

def test_adding_a_secret_mount():
config = """
daemonset:
secretMounts:
- name: elastic-certificates
secretName: elastic-certificates-name
path: /usr/share/metricbeat/config/certs
"""
r = helm_template(config)
assert (
{
"mountPath": "/usr/share/metricbeat/config/certs",
"name": "elastic-certificates",
}
in r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"volumeMounts"
]
)
assert {
"name": "elastic-certificates",
"secret": {"secretName": "elastic-certificates-name"},
} in r["daemonset"][name]["spec"]["template"]["spec"]["volumes"]

assert (
{
"mountPath": "/usr/share/metricbeat/config/certs",
"name": "elastic-certificates",
}
not in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"][
"containers"
][0]["volumeMounts"]
)
assert {
"name": "elastic-certificates",
"secret": {"secretName": "elastic-certificates-name"},
} not in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["volumes"]

config = """
deployment:
secretMounts:
- name: elastic-certificates
secretName: elastic-certificates-name
path: /usr/share/metricbeat/config/certs
"""
r = helm_template(config)
assert (
{
"mountPath": "/usr/share/metricbeat/config/certs",
"name": "elastic-certificates",
}
in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][
0
]["volumeMounts"]
)
assert {
"name": "elastic-certificates",
"secret": {"secretName": "elastic-certificates-name"},
} in r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["volumes"]

assert (
{
"mountPath": "/usr/share/metricbeat/config/certs",
"name": "elastic-certificates",
}
not in r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"volumeMounts"
]
)
assert {
"name": "elastic-certificates",
"secret": {"secretName": "elastic-certificates-name"},
} not in r["daemonset"][name]["spec"]["template"]["spec"]["volumes"]


def test_adding_a_deprecated_secret_mount():
config = """
secretMounts:
- name: elastic-certificates
secretName: elastic-certificates-name
path: /usr/share/metricbeat/config/certs
"""
r = helm_template(config)
s = r["daemonset"][name]["spec"]["template"]["spec"]
assert s["containers"][0]["volumeMounts"][0] == {
assert (
{
"mountPath": "/usr/share/metricbeat/config/certs",
"name": "elastic-certificates",
}
in r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"volumeMounts"
]
)
assert {
"name": "elastic-certificates",
"secret": {"secretName": "elastic-certificates-name"},
} in r["daemonset"][name]["spec"]["template"]["spec"]["volumes"]

assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][
0
]["volumeMounts"][0] == {
"mountPath": "/usr/share/metricbeat/config/certs",
"name": "elastic-certificates",
}
assert s["volumes"][0] == {
assert r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["volumes"][
0
] == {
"name": "elastic-certificates",
"secret": {"secretName": "elastic-certificates-name"},
}
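Review bot: in `test_adding_a_deprecated_secret_mount` the Deployment assertions compare `["volumeMounts"][0]` and `["volumes"][0]` by position, while the DaemonSet assertions in the same test use `in`. The positional form fails as soon as the Deployment template gains another volume ahead of the secret; suggest using `in` for both. The tests also set the top-level key and the scoped keys only in isolation, so a case that sets `secretMounts` together with `daemonset.secretMounts` would pin down the precedence the templates implement.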
20 changes: 13 additions & 7 deletions metricbeat/values.yaml
Expand Up @@ -67,6 +67,12 @@ daemonset:
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}'
nodeSelector: {}
# A list of secrets and their paths to mount inside the pod
# This is useful for mounting certificates for security other sensitive values
secretMounts: []
# - name: metricbeat-certificates
# secretName: metricbeat-certificates
# path: /usr/share/metricbeat/certs
# Various pod security context settings. Bear in mind that many of these have an impact on metricbeat functioning properly.
# - Filesystem group for the metricbeat user. The official elastic docker images always have an id of 1000.
# - User that the container will execute as. Typically necessary to run as root (0) in order to properly collect host container logs.
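Review bot: the comment above `secretMounts: []` reads "for security other sensitive values", which is missing a word. Suggest "This is useful for mounting certificates for security and other sensitive values"; the same comment is repeated in the `deployment:` block below.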
Expand Down Expand Up @@ -117,6 +123,12 @@ deployment:
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}'
nodeSelector: {}
# A list of secrets and their paths to mount inside the pod
# This is useful for mounting certificates for security other sensitive values
secretMounts: []
# - name: metricbeat-certificates
# secretName: metricbeat-certificates
# path: /usr/share/metricbeat/certs
securityContext:
runAsUser: 0
privileged: false
Expand Down Expand Up @@ -211,13 +223,6 @@ podAnnotations: {}
# Custom service account override that the pod will use
serviceAccount: ""

# A list of secrets and their paths to mount inside the pod
# This is useful for mounting certificates for security other sensitive values
secretMounts: []
# - name: metricbeat-certificates
# secretName: metricbeat-certificates
# path: /usr/share/metricbeat/certs

# How long to wait for metricbeat pods to stop gracefully
terminationGracePeriod: 30

Expand All @@ -244,4 +249,5 @@ metricbeatConfig: {}
nodeSelector: {}
podSecurityContext: {}
resources: {}
secretMounts: []
tolerations: []