From cd88fc44fc59acf5b1789e3250bfa4e4b1148f07 Mon Sep 17 00:00:00 2001 From: Steve Wilkerson Date: Tue, 14 Aug 2018 09:57:17 -0500 Subject: [PATCH] Elasticsearch: Add ingress, remove node ports This adds an ingress to the Elasticsearch chart, allowing for the exposure of the Elasticsearch cluster externally if required. This also removes the node ports from the data and discovery services, as these ports should not be used beyond service discovery by the elasticsearch nodes. It moves the node port for the client service under the network.elasticsearch key to match the network tree for the other services Change-Id: Ia989eff87b8c9f112c697ae309bbb971dc699aa5 --- .../templates/ingress-elasticsearch.yaml | 20 +++++++++++++ elasticsearch/templates/service-data.yaml | 6 ---- .../templates/service-discovery.yaml | 6 ---- .../service-ingress-elasticsearch.yaml | 20 +++++++++++++ elasticsearch/templates/service-logging.yaml | 6 ++-- elasticsearch/values.yaml | 30 +++++++++++++------ 6 files changed, 64 insertions(+), 24 deletions(-) create mode 100644 elasticsearch/templates/ingress-elasticsearch.yaml create mode 100644 elasticsearch/templates/service-ingress-elasticsearch.yaml diff --git a/elasticsearch/templates/ingress-elasticsearch.yaml b/elasticsearch/templates/ingress-elasticsearch.yaml new file mode 100644 index 0000000000..209fbfcf50 --- /dev/null +++ b/elasticsearch/templates/ingress-elasticsearch.yaml 
@@ -0,0 +1,20 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.ingress .Values.network.elasticsearch.ingress.public }} +{{- $ingressOpts := dict "envAll" . "backendService" "elasticsearch" "backendServiceType" "elasticsearch" "backendPort" "http" -}} +{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} +{{- end }} diff --git a/elasticsearch/templates/service-data.yaml b/elasticsearch/templates/service-data.yaml index 0dc7e544b7..6ebd632aca 100644 --- a/elasticsearch/templates/service-data.yaml +++ b/elasticsearch/templates/service-data.yaml @@ -25,12 +25,6 @@ spec: ports: - name: transport port: {{ tuple "elasticsearch" "internal" "discovery" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- if .Values.network.data.node_port.enabled }} - nodePort: {{ .Values.network.data.node_port.port }} - {{- end }} selector: {{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - {{- if .Values.network.data.node_port.enabled }} - type: NodePort - {{- end }} {{- end }} diff --git a/elasticsearch/templates/service-discovery.yaml b/elasticsearch/templates/service-discovery.yaml index efe2f0c2b2..8d30c27197 100644 --- a/elasticsearch/templates/service-discovery.yaml +++ b/elasticsearch/templates/service-discovery.yaml 
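Review bot: The new ingress-elasticsearch.yaml template carries only the license header, so nothing in the file says what it publishes or which switches control it. A short template comment above the `if` would help anyone auditing external exposure, for example `{{/* Renders an ingress to the elasticsearch service's "http" port; only when manifests.ingress and network.elasticsearch.ingress.public are both true. */}}`. The same comment, adjusted for `manifests.service_ingress`, fits service-ingress-elasticsearch.yaml later in this patch.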
@@ -25,12 +25,6 @@ spec: ports: - name: transport port: {{ tuple "elasticsearch" "internal" "discovery" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- if .Values.network.discovery.node_port.enabled }} - nodePort: {{ .Values.network.discovery.node_port.port }} - {{- end }} selector: {{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - {{- if .Values.network.discovery.node_port.enabled }} - type: NodePort - {{- end }} {{- end }} diff --git a/elasticsearch/templates/service-ingress-elasticsearch.yaml b/elasticsearch/templates/service-ingress-elasticsearch.yaml new file mode 100644 index 0000000000..1f4ec1eff0 --- /dev/null +++ b/elasticsearch/templates/service-ingress-elasticsearch.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.service_ingress .Values.network.elasticsearch.ingress.public }} +{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "elasticsearch" -}} +{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }} +{{- end }} diff --git a/elasticsearch/templates/service-logging.yaml b/elasticsearch/templates/service-logging.yaml index a096617c8d..1a31533f70 100644 --- a/elasticsearch/templates/service-logging.yaml +++ b/elasticsearch/templates/service-logging.yaml 
@@ -25,12 +25,12 @@ spec: ports: - name: http port: {{ tuple "elasticsearch" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- if .Values.network.client.node_port.enabled }} - nodePort: {{ .Values.network.client.node_port.port }} + {{- if .Values.network.elasticsearch.node_port.enabled }} + nodePort: {{ .Values.network.elasticsearch.node_port.port }} {{- end }} selector: {{ tuple $envAll "elasticsearch" "client" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - {{- if .Values.network.client.node_port.enabled }} + {{- if .Values.network.elasticsearch.node_port.enabled }} type: NodePort {{- end }} {{- end }} diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml index f87a69e9b0..78ee47f1dd 100644 --- a/elasticsearch/values.yaml +++ b/elasticsearch/values.yaml @@ -174,6 +174,10 @@ pod: secrets: elasticsearch: user: elasticsearch-admin-creds + tls: + elasticsearch: + elasticsearch: + public: elasticsearch-tls-public conf: httpd: | @@ -461,6 +465,13 @@ endpoints: public: elasticsearch host_fqdn_override: default: null + # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: null scheme: @@ -509,18 +520,17 @@ monitoring: scrape: true network: - client: + elasticsearch: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / node_port: enabled: false port: 30920 - discovery: - node_port: - enabled: false - port: 30930 - data: - node_port: - enabled: false - port: 30931 storage: elasticsearch: @@ -547,6 +557,7 @@ manifests: cron_curator: true deployment_client: true deployment_master: true + ingress: true job_image_repo_sync: true job_snapshot_repository: false helm_tests: true 
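Review bot: Renaming the lookup from `.Values.network.client.node_port` to `.Values.network.elasticsearch.node_port` means an existing override of `network.client.node_port.enabled: true` is ignored after upgrade, and the service quietly changes type without any error. If the Helm version in use supports it, a guard such as `{{- if .Values.network.client }}{{ fail "network.client.node_port moved to network.elasticsearch.node_port" }}{{- end }}` would surface stale overrides; otherwise the move should be called out in the release notes. Separately, when this NodePort is enabled together with the new ingress, the client HTTP port is reachable on every node directly, outside whatever TLS or ingress-class restrictions the ingress applies, which deserves a comment next to `type: NodePort`. The service template begins and ends outside this hunk.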
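Review bot: In the `network:` hunk of values.yaml the new default is `ingress.public: true`, and the two `manifests:` hunks add `ingress: true` and `service_ingress: true`, so a default install now publishes the Elasticsearch HTTP endpoint through the ingress, whereas the previous exposure path (`node_port.enabled: false`) was opt-in. That does not match the commit message's "if required"; defaulting to `public: false` would keep external exposure a deliberate choice. The TLS note added under `host_fqdn_override` describes certificates only for fqdn-overridden public endpoints and the default there is `null`, so it looks as if the default ingress would be served without a chart-supplied certificate; that is inferred from the values shown and should be confirmed against helm-toolkit's ingress manifest. Whether the `http` backend port sits behind the authenticated httpd front end is not visible in this diff either and is worth stating in a comment beside `ingress:`.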
@@ -560,5 +571,6 @@ manifests:
 pvc_snapshots: true
 service_data: true
 service_discovery: true
+ service_ingress: true
 service_logging: true
 statefulset_data: true