openstack/openstack-helm-infra
Code Issues Proposed changes

Merge "Settings for Remote Elasticsearch Clusters"

Browse Source
This commit is contained in:
Zuul 2020-05-08 22:22:06 +00:00 committed by Gerrit Code Review
commit f8c5d06769
8 changed files with 306 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
elasticsearch/templates/deployment-client.yaml
View File

@ -146,6 +146,8 @@ spec:
value: "true" value: "true"
- name: NODE_DATA - name: NODE_DATA
value: "false" value: "false"
- name: NODE_GATEWAY
value: "false"
- name: HTTP_ENABLE - name: HTTP_ENABLE
value: "true" value: "true"
- name: DISCOVERY_SERVICE - name: DISCOVERY_SERVICE

171
elasticsearch/templates/deployment-gateway.yaml Normal file
View File

@ -0,0 +1,171 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.network.remote_clustering.enabled }}
{{- $envAll := . }}
{{- $esUserSecret := .Values.secrets.elasticsearch.user }}
{{- $s3UserSecret := .Values.secrets.rgw.elasticsearch }}
{{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }}
{{- $serviceAccountName := printf "%s-%s" .Release.Name "elasticsearch-remote-gateway" }}
{{ tuple $envAll "elasticsearch_gateway" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: elasticsearch-gateway
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
{{ tuple $envAll "elasticsearch" "gateway" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
replicas: {{ .Values.pod.replicas.gateway }}
selector:
matchLabels:
{{ tuple $envAll "elasticsearch" "gateway" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
template:
metadata:
labels:
{{ tuple $envAll "elasticsearch" "gateway" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin-elasticsearch.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc-elasticsearch.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "elasticsearch-gateway" "containerNames" (list "elasticsearch-remote-gateway") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "gateway" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "elasticsearch" "gateway" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
{{ .Values.labels.gateway.node_selector_key }}: {{ .Values.labels.gateway.node_selector_value | quote }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.client.timeout | default "600" }}
initContainers:
{{ tuple $envAll "elasticsearch" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: memory-map-increase
{{ tuple $envAll "memory_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.client | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "gateway" "container" "memory_map_increase" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- sysctl
- -w
- vm.max_map_count={{ .Values.conf.init.max_map_count }}
containers:
- name: elasticsearch-gateway
{{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.gateway | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "gateway" "container" "elasticsearch_gateway" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/elasticsearch.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/elasticsearch.sh
- stop
ports:
- name: transport
containerPort: {{ tuple "elasticsearch" "internal" "discovery" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
livenessProbe:
tcpSocket:
port: {{ tuple "elasticsearch" "internal" "discovery" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 20
periodSeconds: 10
readinessProbe:
tcpSocket:
port: {{ tuple "elasticsearch" "internal" "discovery" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 20
periodSeconds: 10
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NODE_MASTER
value: "false"
- name: NODE_INGEST
value: "true"
- name: NODE_DATA
value: "false"
- name: NODE_GATEWAY
value: "true"
- name: HTTP_ENABLE
value: "false"
- name: DISCOVERY_SERVICE
value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- name: ES_JAVA_OPTS
value: "{{ .Values.conf.elasticsearch.env.java_opts.client }}"
- name: S3_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ $s3UserSecret }}
key: S3_ACCESS_KEY
- name: S3_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ $s3UserSecret }}
key: S3_SECRET_KEY
{{- if .Values.pod.env.gateway }}
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.gateway | indent 12 }}
{{- end }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: elasticsearch-logs
mountPath: {{ .Values.conf.elasticsearch.config.path.logs }}
- name: elasticsearch-bin
mountPath: /tmp/elasticsearch.sh
subPath: elasticsearch.sh
readOnly: true
- name: elasticsearch-etc
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
subPath: elasticsearch.yml
readOnly: true
- name: elasticsearch-etc
mountPath: /usr/share/elasticsearch/config/log4j2.properties
subPath: log4j2.properties
readOnly: true
- name: elasticsearch-etc
mountPath: /usr/share/elasticsearch/config/jvm.options
subPath: jvm.options
readOnly: true
- name: storage
mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
{{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: elasticsearch-logs
emptyDir: {}
- name: elasticsearch-bin
configMap:
name: elasticsearch-bin
defaultMode: 0555
- name: elasticsearch-etc
secret:
secretName: elasticsearch-etc
defaultMode: 0444
- name: storage
emptyDir: {}
{{ if $mounts_elasticsearch.volumes }}{{ toYaml $mounts_elasticsearch.volumes | indent 8 }}{{ end }}
{{- end }}

17
elasticsearch/templates/secret-ingress-tls.yaml Normal file
View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "elasticsearch" "backendService" "elasticsearch" ) }}
{{- end }}

30
elasticsearch/templates/service-gateway.yaml Normal file
View File

@ -0,0 +1,30 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.network.remote_clustering.enabled }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ tuple "elasticsearch" "gateway" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
spec:
ports:
- name: transport
port: {{ tuple "elasticsearch" "internal" "discovery" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
nodePort: {{ .Values.network.remote_clustering.node_port.port }}
selector:
{{ tuple $envAll "elasticsearch" "gateway" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
type: NodePort
{{- end }}

2
elasticsearch/templates/statefulset-data.yaml
View File

@ -124,6 +124,8 @@ spec:
value: "false" value: "false"
- name: NODE_DATA - name: NODE_DATA
value: "true" value: "true"
- name: NODE_GATEWAY
value: "false"
- name: HTTP_ENABLE - name: HTTP_ENABLE
value: "false" value: "false"
- name: ES_JAVA_OPTS - name: ES_JAVA_OPTS

2
elasticsearch/templates/statefulset-master.yaml
View File

@ -117,6 +117,8 @@ spec:
value: "false" value: "false"
- name: NODE_DATA - name: NODE_DATA
value: "false" value: "false"
- name: NODE_GATEWAY
value: "false"
- name: HTTP_ENABLE - name: HTTP_ENABLE
value: "false" value: "false"
- name: DISCOVERY_SERVICE - name: DISCOVERY_SERVICE

52
elasticsearch/values.yaml
View File

@ -58,6 +58,9 @@ labels:
test: test:
node_selector_key: openstack-control-plane node_selector_key: openstack-control-plane
node_selector_value: enabled node_selector_value: enabled
gateway:
node_selector_key: openstack-control-plane
node_selector_value: enabled
dependencies: dependencies:
dynamic: dynamic:
@ -84,6 +87,10 @@ dependencies:
- endpoint: discovery - endpoint: discovery
service: elasticsearch service: elasticsearch
jobs: null jobs: null
elasticsearch_gateway:
services:
- endpoint: discovery
service: elasticsearch
elasticsearch_data: elasticsearch_data:
services: services:
- endpoint: internal - endpoint: internal
@ -136,6 +143,18 @@ pod:
client: null client: null
data: null data: null
master: null master: null
gateway: null
secrets: null
mandatory_access_control:
type: apparmor
elasticsearch-master:
elasticsearch-master: runtime/default
elasticsearch-data:
elasticsearch-data: runtime/default
elasticsearch-client:
elasticsearch-client: runtime/default
elasticsearch-gateway:
elasticsearch-gateway: runtime/default
security_context: security_context:
exporter: exporter:
pod: pod:
@ -209,6 +228,22 @@ pod:
# recovery scenarios when the data pods are unexpectedly lost due to # recovery scenarios when the data pods are unexpectedly lost due to
# node outages and shard/index recovery is required # node outages and shard/index recovery is required
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
gateway:
pod:
runAsUser: 0
container:
memory_map_increase:
privileged: true
readOnlyRootFilesystem: true
apache_proxy:
readOnlyRootFilesystem: false
elasticsearch_gateway:
privileged: true
capabilities:
add:
- IPC_LOCK
- SYS_RESOURCE
readOnlyRootFilesystem: false
affinity: affinity:
anti: anti:
type: type:
@ -221,6 +256,7 @@ pod:
master: 3 master: 3
data: 3 data: 3
client: 3 client: 3
gateway: 3
lifecycle: lifecycle:
upgrades: upgrades:
statefulsets: statefulsets:
@ -282,6 +318,13 @@ pod:
limits: limits:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
gateway:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs: jobs:
curator: curator:
requests: requests:
@ -656,6 +699,8 @@ conf:
memory_lock: true memory_lock: true
cluster: cluster:
name: elasticsearch name: elasticsearch
remote:
connect: ${NODE_GATEWAY}
discovery: discovery:
# NOTE(srwilkers): This gets configured dynamically via endpoint lookups # NOTE(srwilkers): This gets configured dynamically via endpoint lookups
seed_hosts: null seed_hosts: null
@ -749,6 +794,7 @@ endpoints:
data: elasticsearch-data data: elasticsearch-data
default: elasticsearch-logging default: elasticsearch-logging
discovery: elasticsearch-discovery discovery: elasticsearch-discovery
gateway: elasticsaerch-gateway
public: elasticsearch public: elasticsearch
host_fqdn_override: host_fqdn_override:
default: null default: null
@ -763,6 +809,7 @@ endpoints:
default: null default: null
scheme: scheme:
default: http default: http
gateway: tcp
port: port:
client: client:
default: 9200 default: 9200
@ -843,6 +890,10 @@ network:
node_port: node_port:
enabled: false enabled: false
port: 30920 port: 30920
remote_clustering:
enabled: false
node_port:
port: 30930
storage: storage:
data: data:
@ -889,6 +940,7 @@ manifests:
network_policy_exporter: false network_policy_exporter: false
service_exporter: true service_exporter: true
network_policy: false network_policy: false
secret_ingress_tls: true
service_data: true service_data: true
service_discovery: true service_discovery: true
service_ingress: true service_ingress: true

30
elasticsearch/values_overrides/remote-cluster.yaml Normal file
View File

@ -0,0 +1,30 @@
# Can't use these settings at startup yet becuse of
# https://github.com/elastic/elasticsearch/issues/27006
# conf:
# elasticsearch:
# config:
# cluster:
# remote:
# remote_elasticsearch:
# seeds:
# - elasticsearch-gateway-1.remote_host:9301
# - elasticsearch-gateway-2.remote_host:9301
# - elasticsearch-gateway-3.remote_host:9301
# skip_unavailale: true
network:
remote_clustering:
enabled: true
manifests:
cron_curator: false
cron_verify_repositories: false
job_snapshot_repository: false
pod:
replicas:
master: 2
data: 1
client: 1
gateway: 1
images:
tags:
elasticsearch: docker.io/openstackhelm/elasticsearch-s3:7_6_2-centos_7