From 21cd4d9720064f89843551e7da4c1e0528b6cbf5 Mon Sep 17 00:00:00 2001 From: Kevin Smith Date: Thu, 10 Oct 2019 15:43:20 -0400 Subject: [PATCH 1/1] add curator as of 2019-10-10 --- stable/elasticsearch-curator/Chart.yaml | 6 +-- stable/elasticsearch-curator/OWNERS | 6 +-- stable/elasticsearch-curator/README.md | 34 ++++++++++--- .../ci/initcontainer-values.yaml | 9 ++++ .../elasticsearch-curator/templates/_helpers.tpl | 22 +++++++++ .../elasticsearch-curator/templates/cronjob.yaml | 10 ++++ stable/elasticsearch-curator/templates/psp.yml | 35 +++++++++++++ stable/elasticsearch-curator/templates/role.yaml | 23 +++++++++ .../templates/rolebinding.yaml | 21 ++++++++ .../templates/serviceaccount.yaml | 12 +++++ stable/elasticsearch-curator/values.yaml | 57 ++++++++++++++++++++-- 11 files changed, 218 insertions(+), 17 deletions(-) create mode 100644 stable/elasticsearch-curator/ci/initcontainer-values.yaml create mode 100644 stable/elasticsearch-curator/templates/psp.yml create mode 100644 stable/elasticsearch-curator/templates/role.yaml create mode 100644 stable/elasticsearch-curator/templates/rolebinding.yaml create mode 100644 stable/elasticsearch-curator/templates/serviceaccount.yaml diff --git a/stable/elasticsearch-curator/Chart.yaml b/stable/elasticsearch-curator/Chart.yaml index 24a37ce..7a8e0a7 100644 --- a/stable/elasticsearch-curator/Chart.yaml +++ b/stable/elasticsearch-curator/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: "5.5.4" description: A Helm chart for Elasticsearch Curator name: elasticsearch-curator -version: 1.3.2 +version: 2.0.2 home: https://github.com/elastic/curator keywords: - curator @@ -12,7 +12,7 @@ sources: - https://github.com/kubernetes/charts/elasticsearch-curator - https://github.com/pires/docker-elasticsearch-curator maintainers: - - name: tmestdagh - email: mestdagh.tom@gmail.com + - name: desaintmartin + email: cedric.dsm@gmail.com - name: gianrubio email: gianrubio@gmail.com 
diff --git a/stable/elasticsearch-curator/OWNERS b/stable/elasticsearch-curator/OWNERS index d8c0ba0..89df1c0 100644 --- a/stable/elasticsearch-curator/OWNERS +++ b/stable/elasticsearch-curator/OWNERS @@ -1,6 +1,6 @@ approvers: - - tmestdagh + - desaintmartin - gianrubio reviewers: - - tmestdagh - - gianrubio \ No newline at end of file + - desaintmartin + - gianrubio diff --git a/stable/elasticsearch-curator/README.md b/stable/elasticsearch-curator/README.md index 0a9f311..2057b85 100644 --- a/stable/elasticsearch-curator/README.md +++ b/stable/elasticsearch-curator/README.md @@ -23,6 +23,17 @@ To install the chart, use the following: $ helm install stable/elasticsearch-curator ``` +## Upgrading an existing Release to a new major version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. + +### To 2.0.0 + +v2.0.0 uses docker image from `elasticsearch-curator` author, which differs in its way to install curator. + +If you have a hardcoded `command` value, please update it to follow the new `curator` executable path: `/curator/curator` (which is not in PATH). + ## Configuration The following table lists the configurable parameters of the docker-registry chart and 
@@ -31,8 +42,8 @@ their default values. | Parameter | Description | Default | | :----------------------------------- | :---------------------------------------------------------- | :------------------------------------------- | | `image.pullPolicy` | Container pull policy | `IfNotPresent` | -| `image.repository` | Container image to use | `quay.io/pires/docker-elasticsearch-curator` | -| `image.tag` | Container image tag to deploy | `5.5.4` | +| `image.repository` | Container image to use | `untergeek/curator` | +| `image.tag` | Container image tag to deploy | `5.7.6` | | `hooks` | Whether to run job on selected hooks | `{ "install": false, "upgrade": false }` | | `cronjob.schedule` | Schedule for the CronJob | `0 1 * * *` | | `cronjob.annotations` | Annotations to add to the cronjob | {} | 
@@ -43,15 +54,22 @@ their default values. | `dryrun` | Run Curator in dry-run mode | `false` | | `env` | Environment variables to add to the cronjob container | {} | | `envFromSecrets` | Environment variables from secrets to the cronjob container | {} | -| `envFromSecrets.*.from.secret` | - `secretKeyRef.name` used for environment variable | | -| `envFromSecrets.*.from.key` | - `secretKeyRef.key` used for environment variable | | -| `command` | Command to execute | ["curator"] | -| `configMaps.action_file_yml` | Contents of the Curator action_file.yml | See values.yaml | -| `configMaps.config_yml` | Contents of the Curator config.yml (overrides config) | See values.yaml | +| `envFromSecrets.*.from.secret` | - `secretKeyRef.name` used for environment variable | | +| `envFromSecrets.*.from.key` | - `secretKeyRef.key` used for environment variable | | +| `command` | Command to execute | ["/curator/curator"] | +| `configMaps.action_file_yml` | Contents of the Curator action_file.yml | See values.yaml | +| `configMaps.config_yml` | Contents of the Curator config.yml (overrides config) | See values.yaml | | `resources` | Resource requests and limits | {} | | `priorityClassName` | priorityClassName | `nil` | | `extraVolumeMounts` | Mount extra volume(s), | | | `extraVolumes` | Extra volumes | | -| `securityContext` | Configure PodSecurityContext | +| `extraInitContainers` | Init containers to add to the cronjob container | {} | +| `securityContext` | Configure PodSecurityContext | `false` | +| `rbac.enabled` | Enable RBAC resources | `false` | +| `psp.create` | Create pod security policy resources | `false` | +| `serviceAccount.create` | Create a default serviceaccount for elasticsearch curator | `true` | +| `serviceAccount.name` | Name for elasticsearch curator serviceaccount | `""` | + + Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
diff --git a/stable/elasticsearch-curator/ci/initcontainer-values.yaml b/stable/elasticsearch-curator/ci/initcontainer-values.yaml new file mode 100644 index 0000000..578becf --- /dev/null +++ b/stable/elasticsearch-curator/ci/initcontainer-values.yaml @@ -0,0 +1,9 @@ +extraInitContainers: + test: + image: alpine:latest + command: + - "/bin/sh" + - "-c" + args: + - | + true diff --git a/stable/elasticsearch-curator/templates/_helpers.tpl b/stable/elasticsearch-curator/templates/_helpers.tpl index c786fb5..8018c5d 100644 --- a/stable/elasticsearch-curator/templates/_helpers.tpl +++ b/stable/elasticsearch-curator/templates/_helpers.tpl @@ -12,6 +12,17 @@ Return the appropriate apiVersion for cronjob APIs. {{- end -}} {{/* +Return the appropriate apiVersion for podsecuritypolicy. +*/}} +{{- define "podsecuritypolicy.apiVersion" -}} +{{- if semverCompare "<1.10-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* Expand the name of the chart. */}} {{- define "elasticsearch-curator.name" -}} @@ -42,3 +53,14 @@ Create chart name and version as used by the chart label. {{- define "elasticsearch-curator.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "elasticsearch-curator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "elasticsearch-curator.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/stable/elasticsearch-curator/templates/cronjob.yaml b/stable/elasticsearch-curator/templates/cronjob.yaml index d0388f4..37274f6 100644 --- a/stable/elasticsearch-curator/templates/cronjob.yaml +++ b/stable/elasticsearch-curator/templates/cronjob.yaml 
@@ -53,6 +53,16 @@ spec: imagePullSecrets: - name: {{ .Values.image.pullSecret }} {{- end }} +{{- if .Values.extraInitContainers }} + initContainers: +{{- range $key, $value := .Values.extraInitContainers }} + - name: "{{ $key }}" +{{ toYaml $value | indent 12 }} +{{- end }} +{{- end }} + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "elasticsearch-curator.serviceAccountName" .}} + {{- end }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" diff --git a/stable/elasticsearch-curator/templates/psp.yml b/stable/elasticsearch-curator/templates/psp.yml new file mode 100644 index 0000000..5f62985 --- /dev/null +++ b/stable/elasticsearch-curator/templates/psp.yml @@ -0,0 +1,35 @@ +{{- if .Values.psp.create }} +apiVersion: {{ template "podsecuritypolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + labels: + app: {{ template "elasticsearch-curator.name" . }} + chart: {{ template "elasticsearch-curator.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + name: {{ template "elasticsearch-curator.fullname" . }}-psp +spec: + privileged: true + #requiredDropCapabilities: + volumes: + - 'configMap' + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/stable/elasticsearch-curator/templates/role.yaml b/stable/elasticsearch-curator/templates/role.yaml new file mode 100644 index 0000000..8867f67 --- /dev/null +++ b/stable/elasticsearch-curator/templates/role.yaml 
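Review bot: In the added `serviceAccountName` block the account is set only when `rbac.enabled` is true, so with the default `rbac.enabled: false` a user-supplied `serviceAccount.name` is silently ignored and the pod runs under the namespace's default account. If that is intended, say so where the value is documented, for example `# serviceAccount.* only takes effect when rbac.enabled is true` above the `serviceAccount:` key in values.yaml. The `initContainers` entries are rendered verbatim from `extraInitContainers`, so whatever securityContext they carry is limited only by the cluster's admission policy. The pod spec begins and ends outside this hunk.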
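Review bot: The new PodSecurityPolicy in psp.yml sets `privileged: true`, leaves `requiredDropCapabilities` commented out and says nothing about privilege escalation, so any pod admitted under it may run fully privileged. Nothing visible in this patch shows Curator needing that: the policy itself only allows configMap and secret volumes, and the job runs `/curator/curator`. A policy for this workload should deny privileged mode, deny escalation and drop capabilities, as in the excerpt below. `runAsUser: RunAsAny` could probably be tightened to `MustRunAsNonRoot` as well, provided the image's default user is non-root, which is not visible here.

```yaml
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # … unchanged: volumes, host namespaces, runAsUser/seLinux/group rules …
```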
@@ -0,0 +1,23 @@
+{{- if .Values.rbac.enabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+ app: {{ template "elasticsearch-curator.name" . }}
+ chart: {{ template "elasticsearch-curator.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ component: elasticsearch-curator-configmap
+ name: {{ template "elasticsearch-curator.name" . }}-role
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["update", "patch"]
+{{- if .Values.psp.create }}
+- apiGroups: ["extensions"]
+ resources: ["podsecuritypolicies"]
+ verbs: ["use"]
+ resourceNames:
+ - {{ template "elasticsearch-curator.fullname" . }}-psp
+{{- end -}}
+{{- end -}}
diff --git a/stable/elasticsearch-curator/templates/rolebinding.yaml b/stable/elasticsearch-curator/templates/rolebinding.yaml
new file mode 100644
index 0000000..d25d2e1
--- /dev/null
+++ b/stable/elasticsearch-curator/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.enabled -}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+ app: {{ template "elasticsearch-curator.name" . }}
+ chart: {{ template "elasticsearch-curator.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ component: elasticsearch-curator-configmap
+ name: {{ template "elasticsearch-curator.name" . }}-rolebinding
+roleRef:
+ kind: Role
+ name: {{ template "elasticsearch-curator.name" . }}-role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "elasticsearch-curator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+
diff --git a/stable/elasticsearch-curator/templates/serviceaccount.yaml b/stable/elasticsearch-curator/templates/serviceaccount.yaml
new file mode 100644
index 0000000..ad9c5c9
--- /dev/null
+++ b/stable/elasticsearch-curator/templates/serviceaccount.yaml
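Review bot: The first rule in role.yaml grants `update` and `patch` on every ConfigMap in the release namespace, and nothing in this patch shows the Curator job calling the Kubernetes API at all. If the access is needed, restrict it with `resourceNames:` to the chart's own ConfigMap and add a comment stating what uses it; otherwise drop the rule. The PSP rule names `apiGroups: ["extensions"]` while the `podsecuritypolicy.apiVersion` helper emits `policy/v1beta1` on 1.10 and later, so `apiGroups: ["policy", "extensions"]` is probably the safer list. Both role.yaml and rolebinding.yaml build their names from `elasticsearch-curator.name` rather than `fullname`, so two releases in one namespace would collide on `<name>-role`.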
@@ -0,0 +1,12 @@ +{{- if and .Values.serviceAccount.create .Values.rbac.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "elasticsearch-curator.serviceAccountName" .}} + labels: + app: {{ template "elasticsearch-curator.fullname" . }} + chart: {{ template "elasticsearch-curator.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +{{- end }} + diff --git a/stable/elasticsearch-curator/values.yaml b/stable/elasticsearch-curator/values.yaml index 3779be1..460f2a4 100644 --- a/stable/elasticsearch-curator/values.yaml +++ b/stable/elasticsearch-curator/values.yaml @@ -13,9 +13,25 @@ cronjob: pod: annotations: {} +rbac: + # Specifies whether RBAC should be enabled + enabled: false + +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + + +psp: + # Specifies whether a podsecuritypolicy should be created + create: false + image: - repository: quay.io/pires/docker-elasticsearch-curator - tag: 5.5.4 + repository: untergeek/curator + tag: 5.7.6 pullPolicy: IfNotPresent hooks: @@ -25,7 +41,7 @@ hooks: # run curator in dry-run mode dryrun: false -command: ["curator"] +command: ["/curator/curator"] env: {} configMaps: 
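Review bot: In the first values.yaml hunk, `serviceAccount.name` is written as a bare `name:`, which parses as null, while the README table in this patch documents the default as `""`; writing `name: ""` keeps the two in agreement and removes the empty-value ambiguity. The image now defaults to `untergeek/curator` at tag `5.7.6`, but Chart.yaml's `appVersion` is left at `"5.5.4"` in this patch, so the chart metadata reports a different Curator version from the one deployed. The tag is also a mutable reference; a comment such as `# tags are mutable; mirror or pin the image if you need reproducible deploys` next to `tag:` would tell operators what they are trusting.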
@@ -101,5 +117,40 @@ priorityClassName: "" # mountPath: /certs # readOnly: true +# Add your own init container or uncomment and modify the given example. +extraInitContainers: {} + ## Don't configure S3 repository till Elasticsearch is reachable. + ## Ensure that it is available at http://elasticsearch:9200 + ## + # elasticsearch-s3-repository: + # image: jwilder/dockerize:latest + # imagePullPolicy: "IfNotPresent" + # command: + # - "/bin/sh" + # - "-c" + # args: + # - | + # ES_HOST=elasticsearch + # ES_PORT=9200 + # ES_REPOSITORY=backup + # S3_REGION=us-east-1 + # S3_BUCKET=bucket + # S3_BASE_PATH=backup + # S3_COMPRESS=true + # S3_STORAGE_CLASS=standard + # apk add curl --no-cache && \ + # dockerize -wait http://${ES_HOST}:${ES_PORT} --timeout 120s && \ + # cat <