dvirlabs/operators
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add eck operator

Browse Source
This commit is contained in:
dvirlabs 2025-05-15 19:00:41 +03:00
parent 13e4bac891
commit 4d27834484
37 changed files with 13298 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
argocd-apps-operators/eck-operator.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: eck-operator
namespace: argocd
spec:
project: observability
source:
repoURL: https://git.dvirlabs.com/dvirlabs/observability-stack.git
targetRevision: master
path: charts/eck-operator
helm:
releaseName: eck-operator
valueFiles:
- ../../manifests/eck-operator/values.yaml
destination:
server: https://kubernetes.default.svc
namespace: monitoring
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

24
charts/eck-operator/.helmignore Normal file
View File

@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
templates/tests

6
charts/eck-operator/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: eck-operator-crds
repository: ""
version: 3.0.0
digest: sha256:a6ea5ae37904b2f98d60199b78af9b89dfd5b3dda8ca64cc03f0fd7c8f5dade1
generated: "2025-04-15T13:08:24.204925263Z"

26
charts/eck-operator/Chart.yaml Normal file
View File

@ -0,0 +1,26 @@
apiVersion: v2
appVersion: 3.0.0
dependencies:
- condition: installCRDs
name: eck-operator-crds
repository: ""
version: 3.0.0
description: Elastic Cloud on Kubernetes (ECK) operator
home: https://github.com/elastic/cloud-on-k8s
icon: https://helm.elastic.co/icons/eck.png
keywords:
- Logstash
- Elasticsearch
- Kibana
- APM Server
- Beats
- Enterprise Search
- Elastic Stack
- Operator
kubeVersion: '>=1.21.0-0'
maintainers:
- email: eck@elastic.co
name: Elastic
name: eck-operator
type: application
version: 3.0.0

93
charts/eck-operator/LICENSE Normal file
View File

@ -0,0 +1,93 @@
Elastic License 2.0
URL: https://www.elastic.co/licensing/elastic-license
## Acceptance
By using the software, you agree to all of the terms and conditions below.
## Copyright License
The licensor grants you a non-exclusive, royalty-free, worldwide,
non-sublicensable, non-transferable license to use, copy, distribute, make
available, and prepare derivative works of the software, in each case subject to
the limitations and conditions below.
## Limitations
You may not provide the software to third parties as a hosted or managed
service, where the service provides users with access to any substantial set of
the features or functionality of the software.
You may not move, change, disable, or circumvent the license key functionality
in the software, and you may not remove or obscure any functionality in the
software that is protected by the license key.
You may not alter, remove, or obscure any licensing, copyright, or other notices
of the licensor in the software. Any use of the licensors trademarks is subject
to applicable law.
## Patents
The licensor grants you a license, under any patent claims the licensor can
license, or becomes able to license, to make, have made, use, sell, offer for
sale, import and have imported the software, in each case subject to the
limitations and conditions in this license. This license does not cover any
patent claims that you cause to be infringed by modifications or additions to
the software. If you or your company make any written claim that the software
infringes or contributes to infringement of any patent, your patent license for
the software granted under these terms ends immediately. If your company makes
such a claim, your patent license ends immediately for work on behalf of your
company.
## Notices
You must ensure that anyone who gets a copy of any part of the software from you
also gets a copy of these terms.
If you modify the software, you must include in any modified copies of the
software prominent notices stating that you have modified the software.
## No Other Rights
These terms do not imply any licenses other than those expressly granted in
these terms.
## Termination
If you use the software in violation of these terms, such use is not licensed,
and your licenses will automatically terminate. If the licensor provides you
with a notice of your violation, and you cease all violation of this license no
later than 30 days after you receive that notice, your licenses will be
reinstated retroactively. However, if you violate these terms after such
reinstatement, any additional violation of these terms will cause your licenses
to terminate automatically and permanently.
## No Liability
*As far as the law allows, the software comes as is, without any warranty or
condition, and the licensor will not be liable to you for any damages arising
out of these terms or the use or nature of the software, under any kind of
legal claim.*
## Definitions
The **licensor** is the entity offering these terms, and the **software** is the
software the licensor makes available under these terms, including any portion
of it.
**you** refers to the individual or entity agreeing to these terms.
**your company** is any legal entity, sole proprietorship, or other kind of
organization that you work for, plus all organizations that have control over,
are under the control of, or are under common control with that
organization. **control** means ownership of substantially all the assets of an
entity, or the power to direct its management and policies by vote, contract, or
otherwise. Control can be direct or indirect.
**your licenses** are all the licenses granted to you for the software under
these terms.
**use** means anything you do with the software requiring one of your licenses.
**trademark** means trademarks, service marks, and similar rights.

20
charts/eck-operator/README.md Normal file
View File

@ -0,0 +1,20 @@
# ECK Operator Helm Chart
[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/elastic)](https://artifacthub.io/packages/helm/elastic/eck-operator)
A Helm chart to install the ECK Operator: the official Kubernetes operator from Elastic to orchestrate Elasticsearch, Kibana, APM Server, Enterprise Search, and Beats on Kubernetes.
For more information about the ECK Operator, see:
- [Documentation](https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html)
- [GitHub repo](https://github.com/elastic/cloud-on-k8s)
## Requirements
- Supported Kubernetes versions are listed in the documentation: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s_supported_versions.html
- Helm >= 3.2.0
## Usage
Refer to the documentation at https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html

23
charts/eck-operator/charts/eck-operator-crds/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

21
charts/eck-operator/charts/eck-operator-crds/Chart.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: v2
appVersion: 3.0.0
description: ECK operator Custom Resource Definitions
home: https://github.com/elastic/cloud-on-k8s
icon: https://helm.elastic.co/icons/eck.png
keywords:
- Logstash
- Elasticsearch
- Kibana
- APM Server
- Beats
- Enterprise Search
- Elastic Stack
- Operator
kubeVersion: '>=1.21.0-0'
maintainers:
- email: eck@elastic.co
name: Elastic
name: eck-operator-crds
type: application
version: 3.0.0

16
charts/eck-operator/charts/eck-operator-crds/README.md Normal file
View File

@ -0,0 +1,16 @@
# ECK Operator CRDs Helm Chart
[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/elastic)](https://artifacthub.io/packages/helm/elastic/eck-operator-crds)
A Helm chart to install the Kubernetes Custom Resource Definitions (CRD) required by the ECK Operator: the official Kubernetes operator from Elastic to orchestrate Elasticsearch, Kibana, APM Server, Enterprise Search, and Beats on Kubernetes. This chart is usually automatically installed by the [ECK Operator Helm Chart](https://artifacthub.io/packages/helm/elastic/eck-operator) when installed using the default settings. Refer to the [installation documentation](https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html) for more information.
## Requirements
- Supported Kubernetes versions are listed in the documentation: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s_supported_versions.html
- Helm >= 3.2.0
## Usage
Refer to the documentation at https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html

1
charts/eck-operator/charts/eck-operator-crds/templates/NOTES.txt Normal file
View File

@ -0,0 +1 @@
ECK Custom Resource Definitions installed.

62
charts/eck-operator/charts/eck-operator-crds/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "eck-operator-crds.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "eck-operator-crds.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "eck-operator-crds.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "eck-operator-crds.labels" -}}
helm.sh/chart: {{ include "eck-operator-crds.chart" . }}
{{ include "eck-operator-crds.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "eck-operator-crds.selectorLabels" -}}
app.kubernetes.io/name: {{ include "eck-operator-crds.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Determine effective Kubernetes version
*/}}
{{- define "eck-operator-crds.effectiveKubeVersion" -}}
{{- if .Values.global.manifestGen -}}
{{- semver .Values.global.kubeVersion -}}
{{- else -}}
{{- .Capabilities.KubeVersion.Version -}}
{{- end -}}
{{- end -}}

10726
charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

7
charts/eck-operator/charts/eck-operator-crds/values.yaml Normal file
View File

@ -0,0 +1,7 @@
# Globals meant for internal use only
global:
# manifestGen specifies whether the chart is running under manifest generator.
# This is used for tasks specific to generating the all-in-one.yaml file.
manifestGen: false
# kubeVersion is the effective Kubernetes version we target when generating the all-in-one.yaml.
kubeVersion: 1.21.0

29
charts/eck-operator/profile-disable-automounting-api.yaml Normal file
View File

@ -0,0 +1,29 @@
automountServiceAccountToken: false
serviceAccount:
automountServiceAccountToken: false
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: serviceaccount-token
readOnly: true
volumes:
- name: serviceaccount-token
projected:
defaultMode: 0444
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
items:
- path: namespace
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace

6
charts/eck-operator/profile-global.yaml Normal file
View File

@ -0,0 +1,6 @@
managedNamespaces: []
createClusterScopedResources: true
webhook:
enabled: true

11
charts/eck-operator/profile-istio.yaml Normal file
View File

@ -0,0 +1,11 @@
managedNamespaces: []
createClusterScopedResources: true
webhook:
enabled: true
podAnnotations:
sidecar.istio.io/inject: "true"
traffic.sidecar.istio.io/includeInboundPorts: "*"
traffic.sidecar.istio.io/excludeInboundPorts: "9443"

12
charts/eck-operator/profile-restricted.yaml Normal file
View File

@ -0,0 +1,12 @@
managedNamespaces: ["elastic-system"]
createClusterScopedResources: false
config:
# no RBAC access to cluster-wide storage classes, hence disable storage class validation
validateStorageClass: false
installCRDs: false
webhook:
enabled: false

18
charts/eck-operator/profile-soft-multi-tenancy.yaml Normal file
View File

@ -0,0 +1,18 @@
managedNamespaces: ["team-a", "team-b"]
createClusterScopedResources: true
refs:
enforceRBAC: true
webhook:
enabled: true
namespaceSelector:
matchExpressions:
- key: "eck.k8s.elastic.co/tenant"
operator: In
values: ["team-a", "team-b"]
softMultiTenancy:
enabled: true

2
charts/eck-operator/templates/NOTES.txt Normal file
View File

@ -0,0 +1,2 @@
1. Inspect the operator logs by running the following command:
kubectl logs -n {{ .Release.Namespace }} sts/{{ .Release.Name }}

381
charts/eck-operator/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,381 @@
{{/*
Expand the name of the chart.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "eck-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "eck-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "eck-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "eck-operator.labels" -}}
{{- include "eck-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
helm.sh/chart: {{ include "eck-operator.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "eck-operator.selectorLabels" -}}
{{- if .Values.global.manifestGen -}}
control-plane: elastic-operator
{{- else -}}
app.kubernetes.io/name: {{ include "eck-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "eck-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "eck-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Determine effective Kubernetes version
*/}}
{{- define "eck-operator.effectiveKubeVersion" -}}
{{- if .Values.global.manifestGen -}}
{{- semver .Values.global.kubeVersion -}}
{{- else -}}
{{- .Capabilities.KubeVersion.Version -}}
{{- end -}}
{{- end -}}
{{/*
Determine the name for the webhook
*/}}
{{- define "eck-operator.webhookName" -}}
{{- if .Values.global.manifestGen -}}
elastic-webhook.k8s.elastic.co
{{- else -}}
{{- $name := include "eck-operator.name" . -}}
{{ printf "%s.%s.k8s.elastic.co" $name .Release.Namespace }}
{{- end -}}
{{- end -}}
{{/*
Determine the name for the webhook secret
*/}}
{{- define "eck-operator.webhookSecretName" -}}
{{- if .Values.global.manifestGen -}}
elastic-webhook-server-cert
{{- else if .Values.webhook.certsSecret -}}
{{- .Values.webhook.certsSecret }}
{{- else -}}
{{- $name := include "eck-operator.name" . -}}
{{ printf "%s-webhook-cert" $name | trunc 63 }}
{{- end -}}
{{- end -}}
{{/*
Determine the name for the webhook service
*/}}
{{- define "eck-operator.webhookServiceName" -}}
{{- if .Values.global.manifestGen -}}
elastic-webhook-server
{{- else -}}
{{- $name := include "eck-operator.name" . -}}
{{ printf "%s-webhook" $name | trunc 63 }}
{{- end -}}
{{- end -}}
{{/*
Determine the metrics port
*/}}
{{- define "eck-operator.metrics.port" -}}
{{- if .Values.config.metrics.port -}}
{{- .Values.config.metrics.port -}}
{{- else if .Values.config.metricsPort -}}
{{- .Values.config.metricsPort -}}
{{- else -}}
0
{{- end -}}
{{- end -}}
{{/*
RBAC permissions
NOTE - any changes made to RBAC permissions below require
updating docs/operating-eck/eck-permissions.asciidoc file.
*/}}
{{- define "eck-operator.rbacRules" -}}
- apiGroups:
- "authorization.k8s.io"
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
resourceNames:
- elastic-operator-leader
verbs:
- get
- watch
- update
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- events
- persistentvolumeclaims
- secrets
- services
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apps
resources:
- deployments
- statefulsets
- daemonsets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- elasticsearch.k8s.elastic.co
resources:
- elasticsearches
- elasticsearches/status
- elasticsearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- autoscaling.k8s.elastic.co
resources:
- elasticsearchautoscalers
- elasticsearchautoscalers/status
- elasticsearchautoscalers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- kibana.k8s.elastic.co
resources:
- kibanas
- kibanas/status
- kibanas/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- apm.k8s.elastic.co
resources:
- apmservers
- apmservers/status
- apmservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- enterprisesearch.k8s.elastic.co
resources:
- enterprisesearches
- enterprisesearches/status
- enterprisesearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- beat.k8s.elastic.co
resources:
- beats
- beats/status
- beats/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- agent.k8s.elastic.co
resources:
- agents
- agents/status
- agents/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- maps.k8s.elastic.co
resources:
- elasticmapsservers
- elasticmapsservers/status
- elasticmapsservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- stackconfigpolicy.k8s.elastic.co
resources:
- stackconfigpolicies
- stackconfigpolicies/status
- stackconfigpolicies/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- logstash.k8s.elastic.co
resources:
- logstashes
- logstashes/status
- logstashes/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
verbs:
- get
- list
- watch
- create
- update
- patch
{{- end -}}
{{/*
RBAC permissions on non-namespaced resources
*/}}
{{- define "eck-operator.clusterWideRbacRules" -}}
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- end -}}
{{/*
RBAC permissions to read node labels
*/}}
{{- define "eck-operator.readNodeLabelsRbacRule" -}}
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
{{- end -}}

121
charts/eck-operator/templates/cluster-roles.yaml Normal file
View File

@ -0,0 +1,121 @@
{{- if and (not .Values.createClusterScopedResources) (.Values.config.metrics.secureMode.enabled) -}}
{{ fail "createClusterScopedResources is required to set config.metrics.secureMode.enabled to true" }}
{{- end }}
{{- if .Values.createClusterScopedResources -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "eck-operator.fullname" . }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
rules:
{{ template "eck-operator.rbacRules" . | toYaml | indent 2 }}
{{ template "eck-operator.clusterWideRbacRules" . | toYaml | indent 2 }}
{{ if .Values.config.exposedNodeLabels }}
{{ template "eck-operator.readNodeLabelsRbacRule" . | toYaml | indent 2 }}
{{ end -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: "{{ include "eck-operator.name" . }}-view"
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "eck-operator.labels" . | nindent 4 }}
rules:
- apiGroups: ["elasticsearch.k8s.elastic.co"]
resources: ["elasticsearches"]
verbs: ["get", "list", "watch"]
- apiGroups: ["autoscaling.k8s.elastic.co"]
resources: ["elasticsearchautoscalers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apm.k8s.elastic.co"]
resources: ["apmservers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["kibana.k8s.elastic.co"]
resources: ["kibanas"]
verbs: ["get", "list", "watch"]
- apiGroups: ["enterprisesearch.k8s.elastic.co"]
resources: ["enterprisesearches"]
verbs: ["get", "list", "watch"]
- apiGroups: ["beat.k8s.elastic.co"]
resources: ["beats"]
verbs: ["get", "list", "watch"]
- apiGroups: ["agent.k8s.elastic.co"]
resources: ["agents"]
verbs: ["get", "list", "watch"]
- apiGroups: ["maps.k8s.elastic.co"]
resources: ["elasticmapsservers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["stackconfigpolicy.k8s.elastic.co"]
resources: ["stackconfigpolicies"]
verbs: ["get", "list", "watch"]
- apiGroups: ["logstash.k8s.elastic.co"]
resources: ["logstashes"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: "{{ include "eck-operator.name" . }}-edit"
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "eck-operator.labels" . | nindent 4 }}
rules:
- apiGroups: ["elasticsearch.k8s.elastic.co"]
resources: ["elasticsearches"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["autoscaling.k8s.elastic.co"]
resources: ["elasticsearchautoscalers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["apm.k8s.elastic.co"]
resources: ["apmservers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["kibana.k8s.elastic.co"]
resources: ["kibanas"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["enterprisesearch.k8s.elastic.co"]
resources: ["enterprisesearches"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["beat.k8s.elastic.co"]
resources: ["beats"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["agent.k8s.elastic.co"]
resources: ["agents"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["maps.k8s.elastic.co"]
resources: ["elasticmapsservers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["stackconfigpolicy.k8s.elastic.co"]
resources: ["stackconfigpolicies"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["logstash.k8s.elastic.co"]
resources: ["logstashes"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
{{- if .Values.config.metrics.secureMode.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
name: "{{ include "eck-operator.fullname" . }}-metrics-auth-role"
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
{{- end }}
{{- end -}}

81
charts/eck-operator/templates/configmap.yaml Normal file
View File

@ -0,0 +1,81 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "eck-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
data:
eck.yaml: |-
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
log-verbosity: {{ int .Values.config.logVerbosity }}
{{- if and .Values.config.metrics.secureMode.enabled (eq $metricsPort 0) }}
{{- fail "config.metrics.port must be greater than 0 when config.metrics.secureMode.enabled is true" }}
{{- end }}
metrics-port: {{ $metricsPort }}
metrics-secure: {{ .Values.config.metrics.secureMode.enabled }}
container-registry: {{ .Values.config.containerRegistry }}
{{- with .Values.config.containerSuffix }}
container-suffix: {{ . }}
{{- end }}
{{- with .Values.config.containerRepository }}
container-repository: {{ . }}
{{- end }}
max-concurrent-reconciles: {{ int .Values.config.maxConcurrentReconciles }}
{{- with .Values.config.passwordHashCacheSize }}
password-hash-cache-size: {{ int . }}
{{- end }}
ca-cert-validity: {{ .Values.config.caValidity }}
ca-cert-rotate-before: {{ .Values.config.caRotateBefore }}
{{- with .Values.config.caDir }}
ca-dir: {{ . }}
{{- end }}
cert-validity: {{ .Values.config.certificatesValidity }}
cert-rotate-before: {{ .Values.config.certificatesRotateBefore }}
disable-config-watch: {{ .Values.config.disableConfigWatch }}
{{- with .Values.config.exposedNodeLabels }}
exposed-node-labels: [{{ join "," . }}]
{{- end }}
{{- with .Values.config.ipFamily }}
ip-family: {{ . }}
{{- end }}
set-default-security-context: {{ .Values.config.setDefaultSecurityContext }}
kube-client-timeout: {{ .Values.config.kubeClientTimeout }}
{{- with .Values.config.kubeClientQPS }}
kube-client-qps: {{ int . }}
{{- end }}
elasticsearch-client-timeout: {{ .Values.config.elasticsearchClientTimeout }}
disable-telemetry: {{ .Values.telemetry.disabled }}
distribution-channel: {{ .Values.telemetry.distributionChannel }}
{{- with .Values.telemetry.interval }}
telemetry-interval: {{ . }}
{{- end }}
validate-storage-class: {{ .Values.config.validateStorageClass }}
{{- if .Values.tracing.enabled }}
enable-tracing: true
{{- end }}
{{- if .Values.refs.enforceRBAC }}
enforce-rbac-on-refs: true
{{- end }}
enable-webhook: {{ .Values.webhook.enabled }}
{{- if .Values.webhook.enabled }}
webhook-name: {{ include "eck-operator.webhookName" . }}
{{- if not .Values.webhook.manageCerts }}
manage-webhook-certs: false
webhook-cert-dir: {{ .Values.webhook.certsDir }}
{{- end }}
webhook-port: {{ .Values.webhook.port }}
{{- end }}
{{- with .Values.managedNamespaces }}
namespaces: [{{ join "," . }}]
{{- end }}
operator-namespace: {{ .Release.Namespace }}
enable-leader-election: {{ .Values.config.enableLeaderElection }}
elasticsearch-observation-interval: {{ .Values.config.elasticsearchObservationInterval }}
{{- if not .Values.config.containerSuffix }}
ubi-only: {{ .Values.config.ubiOnly }}
{{- end }}
{{- with .Values.webhook.certsSecret }}
webhook-secret: {{ . }}
{{- end }}

13
charts/eck-operator/templates/managed-namespaces.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.softMultiTenancy.enabled -}}
{{- range .Values.managedNamespaces }}
{{- $namespace := . }}
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
eck.k8s.elastic.co/tenant: {{ $namespace }}
{{- end -}}
{{- end -}}

228
charts/eck-operator/templates/managed-ns-network-policy.yaml Normal file
View File

@ -0,0 +1,228 @@
{{- if .Values.softMultiTenancy.enabled -}}
{{- $fullName := include "eck-operator.fullname" . -}}
{{- $name := include "eck-operator.name" . -}}
{{- range .Values.managedNamespaces -}}
{{- $namespace := . }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-elasticsearch"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
egress:
# Transport port
- ports:
- port: 9300
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
ingress:
# HTTP Port
- ports:
- port: 9200
from:
# Operator
- namespaceSelector:
matchLabels:
name: "{{ $.Release.Namespace }}"
podSelector:
matchLabels:
{{- include "eck-operator.selectorLabels" $ | nindent 14 }}
# Within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
# Transport port
- ports:
- port: 9300
from:
# Within namespace (from other Elasticsearch nodes)
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-kibana"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "kibana"
egress:
# Elasticsearch HTTP port
- ports:
- port: 9200
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
ingress:
# HTTP Port
- ports:
- port: 5601
from:
# Within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-apm-server"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "apm-server"
egress:
# Elasticsearch HTTP port
- ports:
- port: 9200
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# Kibana HTTP port
- ports:
- port: 5601
to:
# Kibana within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "kibana"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
ingress:
# HTTP Port
- ports:
- port: 8200
from:
# Within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-enterprise-search"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "enterprise-search"
egress:
# Elasticsearch HTTP port
- ports:
- port: 9200
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
ingress:
# HTTP Port
- ports:
- port: 3002
from:
# Within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "{{ $name }}-beats"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
spec:
podSelector:
matchLabels:
common.k8s.elastic.co/type: "beat"
egress:
# Elasticsearch HTTP port
- ports:
- port: 9200
to:
# Elasticsearch within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
# Kibana HTTP port
- ports:
- port: 5601
to:
# Kibana within namespace
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: {{ $namespace }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "kibana"
# DNS
- ports:
- port: 53
protocol: UDP
to: []
{{- end }}
{{- end -}}

22
charts/eck-operator/templates/metrics-service.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.config.metrics.secureMode.enabled }}
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: {{ include "eck-operator.name" . }}-metrics-service
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
helm.sh/chart: {{ include "eck-operator.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
name: "{{ include "eck-operator.fullname" . }}-metrics"
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: https
port: {{ $metricsPort }}
protocol: TCP
targetPort: metrics
selector:
{{- include "eck-operator.selectorLabels" . | nindent 4 }}
{{- end }}

9
charts/eck-operator/templates/operator-namespace.yaml Normal file
View File

@ -0,0 +1,9 @@
{{- if (and .Values.global.manifestGen .Values.global.createOperatorNamespace) -}}
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Release.Namespace }}
labels:
name: {{ .Release.Namespace }}
{{- end -}}

59
charts/eck-operator/templates/operator-network-policy.yaml Normal file
View File

@ -0,0 +1,59 @@
{{- if .Values.softMultiTenancy.enabled -}}
{{- $kubeAPIServerIP := (required "kubeAPIServerIP is required" .Values.kubeAPIServerIP) -}}
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "eck-operator.fullname" . }}
namespace: {{ .Release.Namespace}}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "eck-operator.selectorLabels" . | nindent 6 }}
egress:
# DNS
- ports:
- port: 53
protocol: UDP
to: []
# API server
- ports:
- port: 443
to:
- ipBlock:
cidr: "{{ $kubeAPIServerIP }}/32"
# Elasticsearch
- ports:
- port: 9200
to:
- namespaceSelector:
matchExpressions:
- key: "eck.k8s.elastic.co/tenant"
operator: In
values:
{{- range .Values.managedNamespaces }}
- {{ . }}
{{- end }}
podSelector:
matchLabels:
common.k8s.elastic.co/type: "elasticsearch"
{{- if or .Values.webhook.enabled (gt $metricsPort 0) }}
ingress:
{{- if .Values.webhook.enabled }}
- ports:
- port: {{ .Values.webhook.port }}
from:
- ipBlock:
cidr: "{{ $kubeAPIServerIP }}/32"
{{- end }}
{{- if gt $metricsPort 0 }}
# Metrics
- ports:
- port: {{ $metricsPort }}
from: []
{{- end }}
{{- end }}
{{- end -}}

19
charts/eck-operator/templates/pdb.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "eck-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | indent 4 }}
spec:
{{- with .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
selector:
matchLabels:
{{- include "eck-operator.selectorLabels" . | indent 6 }}
{{- end -}}

42
charts/eck-operator/templates/podMonitor.yaml Normal file
View File

@ -0,0 +1,42 @@
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
{{- if and .Values.config.metrics.secureMode.enabled (eq $metricsPort 0) }}
{{- fail "config.metrics.port must be greater than 0 when config.metrics.secureMode.enabled is true" }}
{{- end }}
{{- if and .Values.podMonitor.enabled (gt $metricsPort 0) }}
{{- if and .Values.podMonitor.enabled .Values.config.metrics.secureMode.enabled }}
{{- fail "podMonitor and config.metrics.secureMode are mutually exclusive" }}
{{- end }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "eck-operator.fullname" . }}
namespace: {{ ternary .Values.podMonitor.namespace .Release.Namespace (not (and (.Values.podMonitor) (empty .Values.podMonitor.namespace))) }}
labels: {{- include "eck-operator.labels" . | nindent 4 }}
{{- with .Values.podMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.podMonitor.annotations }}
annotations: {{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.podMonitor.podTargetLabels }}
podTargetLabels: {{- toYaml . | nindent 4 }}
{{- end }}
podMetricsEndpoints:
- port: metrics
path: /metrics
{{- with .Values.podMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.podMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
{{- with .Values.podMonitor.podMetricsEndpointConfig }}
{{- toYaml . | nindent 6 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels: {{- include "eck-operator.selectorLabels" . | nindent 6 }}
{{- end }}

98
charts/eck-operator/templates/role-bindings.yaml Normal file
View File

@ -0,0 +1,98 @@
{{- $operatorNSIsManaged := has .Release.Namespace .Values.managedNamespaces -}}
{{- $fullName := include "eck-operator.fullname" . -}}
{{- $svcAccount := include "eck-operator.serviceAccountName" . }}
{{- $enableSecureMetrics := .Values.config.metrics.secureMode.enabled -}}
{{- if not .Values.createClusterScopedResources }}
{{- range .Values.managedNamespaces }}
{{- $namespace := . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ $fullName }}"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
rules:
{{ template "eck-operator.rbacRules" $ | toYaml | indent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ $fullName }}"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ $fullName }}"
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- end }} {{- /* end of range over managed namespaces */}}
{{- /* If createClusterScopedResources is false and operator namespace is not in the managed namespaces list, create additional role binding */}}
{{- if not $operatorNSIsManaged }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $fullName }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
rules:
{{ template "eck-operator.rbacRules" $ | toYaml | indent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ $fullName }}"
namespace: {{ $.Release.Namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ $fullName }}"
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- end }} {{- /* end of operator role binding if operator namespace is not managed */}}
{{- else }} {{- /* we can create cluster-scoped resources so just create a cluster role binding */}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $fullName }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $fullName }}
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- if $enableSecureMetrics }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
name: "{{ include "eck-operator.fullname" . }}-metrics-auth-rolebinding"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "{{ include "eck-operator.fullname" . }}-metrics-auth-role"
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- end }}
{{- end }}

15
charts/eck-operator/templates/service-account.yaml Normal file
View File

@ -0,0 +1,15 @@
{{- if .Values.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "eck-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

34
charts/eck-operator/templates/service-monitor.yaml Normal file
View File

@ -0,0 +1,34 @@
{{- if and .Values.config.metrics.secureMode.enabled .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "eck-operator.fullname" . }}
namespace: {{ ternary .Values.serviceMonitor.namespace .Release.Namespace (not (and (.Values.serviceMonitor) (empty .Values.serviceMonitor.namespace))) }}
labels: {{- include "eck-operator.labels" . | nindent 4 }}
spec:
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "eck-operator.name" . }}-metrics-service
app.kubernetes.io/instance: {{ .Release.Name }}
endpoints:
- port: https
path: /metrics
scheme: https
interval: 30s
tlsConfig:
{{- $insecureSkipVerify := (ternary .Values.config.metrics.secureMode.tls.insecureSkipVerify .Values.serviceMonitor.insecureSkipVerify (hasKey .Values.config.metrics.secureMode.tls "insecureSkipVerify")) }}
insecureSkipVerify: {{ $insecureSkipVerify }}
{{- if (not $insecureSkipVerify) }}
{{- $caMountDirectory := or (.Values.config.metrics.secureMode.tls.caMountDirectory) (.Values.serviceMonitor.caMountDirectory) -}}
{{- $leading_path := trimSuffix "/" $caMountDirectory }}
{{- $caSecret := or (.Values.config.metrics.secureMode.tls.caSecret) (.Values.serviceMonitor.caSecret) -}}
{{- with $caSecret }}
caFile: "{{ $leading_path }}/{{ . }}/ca.crt"
{{- end }}
serverName: "{{ include "eck-operator.fullname" . }}-metrics.{{ .Release.Namespace }}.svc"
{{- end }}
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
{{- end }}

162
charts/eck-operator/templates/statefulset.yaml Normal file
View File

@ -0,0 +1,162 @@
---
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "eck-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- with .Values.statefulsetAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
{{- with .Values.statefulsetLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "eck-operator.selectorLabels" . | nindent 6 }}
serviceName: {{ include "eck-operator.fullname" . }}
replicas: {{ .Values.replicaCount }}
template:
metadata:
annotations:
# Rename the fields "error" to "error.message" and "source" to "event.source"
# This is to avoid a conflict with the ECS "error" and "source" documents.
"co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]"
"checksum/config": {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "eck-operator.selectorLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
terminationGracePeriodSeconds: 10
serviceAccountName: {{ include "eck-operator.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- image: "{{ .Values.image.repository }}{{- if .Values.config.ubiOnly -}}-ubi{{- end -}}{{- if .Values.image.fips -}}-fips{{- end -}}:{{ default .Chart.AppVersion .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: manager
args:
- "manager"
- "--config=/conf/eck.yaml"
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.webhook.enabled }}
- name: WEBHOOK_SECRET
value: {{ include "eck-operator.webhookSecretName" . }}
{{- end }}
{{- with .Values.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.tracing.enabled -}}
{{- range $name, $value := .Values.tracing.config }}
- name: {{ $name }}
value: {{ $value }}
{{- end }}
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if or .Values.webhook.enabled (gt $metricsPort 0) }}
ports:
{{- if (gt $metricsPort 0) }}
- containerPort: {{ $metricsPort }}
name: metrics
protocol: TCP
{{- end }}
{{- if .Values.webhook.enabled }}
- containerPort: {{ .Values.webhook.port }}
name: https-webhook
protocol: TCP
{{- end }}
{{- end }}
volumeMounts:
- mountPath: "/conf"
name: conf
readOnly: true
{{- if .Values.webhook.enabled }}
- mountPath: {{ .Values.webhook.certsDir }}
name: cert
readOnly: true
{{- end }}
{{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
- mountPath: "/tmp/k8s-metrics-server/serving-certs"
name: tls-certificate
readOnly: true
{{- end }}
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: conf
configMap:
name: {{ include "eck-operator.fullname" . }}
{{- if .Values.webhook.enabled }}
- name: cert
secret:
defaultMode: 420
secretName: {{ include "eck-operator.webhookSecretName" . }}
{{- end }}
{{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
- name: tls-certificate
secret:
defaultMode: 420
secretName: {{ .Values.config.metrics.secureMode.tls.certificateSecret }}
{{- end }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.hostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- else if .Values.hostNetwork }}
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

29
charts/eck-operator/templates/validate-chart.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if .Values.softMultiTenancy.enabled -}}
{{- if has .Release.Namespace .Values.managedNamespaces -}}
{{- fail "Operator namespace cannot be in managed namespaces when soft multi-tenancy is enabled" -}}
{{- end -}}
{{- if empty .Values.managedNamespaces -}}
{{- fail "Managed namespaces must be defined when soft multi-tenancy is enabled" -}}
{{- end -}}
{{- if empty .Values.kubeAPIServerIP -}}
{{- fail "Soft multi-tenancy requires kubeAPIServerIP to be defined" -}}
{{- end -}}
{{- end -}}
{{- if (not .Values.createClusterScopedResources) -}}
{{- if .Values.webhook.enabled -}}
{{- fail "Webhook cannot be enabled when cluster-scoped resource creation is disabled" -}}
{{- end -}}
{{- if .Values.config.validateStorageClass -}}
{{- fail "Storage class validation cannot be enabled when cluster-scoped resource creation is disabled" -}}
{{- end -}}
{{- end -}}
{{- if (not .Values.config.enableLeaderElection) -}}
{{- if gt (int .Values.replicaCount) 1 -}}
{{- fail "Leader election must be enabled with more than one replica" -}}
{{- end -}}
{{- end -}}

473
charts/eck-operator/templates/webhook.yaml Normal file
View File

@ -0,0 +1,473 @@
{{- if .Values.webhook.enabled -}}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "eck-operator.webhookName" . }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
{{- with .Values.webhook.certManagerCert }}
annotations:
cert-manager.io/inject-ca-from: "{{ $.Release.Namespace }}/{{ . }}"
{{- end }}
webhooks:
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-agent-k8s-elastic-co-v1alpha1-agent
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-agent-validation-v1alpha1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- agent.k8s.elastic.co
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- agents
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-apm-k8s-elastic-co-v1-apmserver
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-apm-validation-v1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- apm.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- apmservers
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-apm-k8s-elastic-co-v1beta1-apmserver
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-apm-validation-v1beta1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- apm.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- apmservers
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-beat-k8s-elastic-co-v1beta1-beat
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-beat-validation-v1beta1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- beat.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- beats
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-enterprisesearch-k8s-elastic-co-v1-enterprisesearch
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-ent-validation-v1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- enterprisesearch.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- enterprisesearches
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-enterprisesearch-k8s-elastic-co-v1beta1-enterprisesearch
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-ent-validation-v1beta1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- enterprisesearch.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- enterprisesearches
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-es-validation-v1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- elasticsearch.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- elasticsearches
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-es-validation-v1beta1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- elasticsearch.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- elasticsearches
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-ems-k8s-elastic-co-v1alpha1-mapsservers
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-ems-validation-v1alpha1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- maps.k8s.elastic.co
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- mapsservers
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-kibana-k8s-elastic-co-v1-kibana
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-kb-validation-v1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- kibana.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- kibanas
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-kibana-k8s-elastic-co-v1beta1-kibana
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-kb-validation-v1beta1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- kibana.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- kibanas
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-autoscaling-k8s-elastic-co-v1alpha1-elasticsearchautoscaler
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-esa-validation-v1alpha1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- autoscaling.k8s.elastic.co
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- elasticsearchautoscalers
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-scp-k8s-elastic-co-v1alpha1-stackconfigpolicies
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-scp-validation-v1alpha1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- stackconfigpolicy.k8s.elastic.co
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- stackconfigpolicies
- clientConfig:
{{- if and (not .Values.webhook.manageCerts) (not .Values.webhook.certManagerCert) }}
caBundle: {{ .Values.webhook.caBundle }}
{{- end }}
service:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /validate-logstash-k8s-elastic-co-v1alpha1-logstash
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: elastic-logstash-validation-v1alpha1.k8s.elastic.co
matchPolicy: Exact
admissionReviewVersions: [v1,v1beta1]
sideEffects: None
rules:
- apiGroups:
- logstash.k8s.elastic.co
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- logstashes
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "eck-operator.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
spec:
ports:
- name: https
port: 443
targetPort: {{ .Values.webhook.port }}
selector:
{{- include "eck-operator.selectorLabels" . | nindent 4 }}
{{- if .Values.webhook.manageCerts }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "eck-operator.webhookSecretName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "eck-operator.labels" . | nindent 4 }}
{{- end }}
{{- end -}}

372
charts/eck-operator/values.yaml Normal file
View File

@ -0,0 +1,372 @@
# nameOverride is the short name for the deployment. Leave empty to let Helm generate a name using chart values.
nameOverride: "elastic-operator"
# fullnameOverride is the full name for the deployment. Leave empty to let Helm generate a name using chart values.
fullnameOverride: "elastic-operator"
# managedNamespaces is the set of namespaces that the operator manages. Leave empty to manage all namespaces.
managedNamespaces: []
# installCRDs determines whether Custom Resource Definitions (CRD) are installed by the chart.
# Note that CRDs are global resources and require cluster admin privileges to install.
# If you are sharing a cluster with other users who may want to install ECK on their own namespaces, setting this to true can have unintended consequences.
# 1. Upgrades will overwrite the global CRDs and could disrupt the other users of ECK who may be running a different version.
# 2. Uninstalling the chart will delete the CRDs and potentially cause Elastic resources deployed by other users to be removed as well.
installCRDs: true
# replicaCount is the number of operator pods to run.
replicaCount: 1
image:
# repository is the container image prefixed by the registry name.
repository: docker.elastic.co/eck/eck-operator
# pullPolicy is the container image pull policy.
pullPolicy: IfNotPresent
# tag is the container image tag. If not defined, defaults to chart appVersion.
tag: null
# fips specifies whether the operator will use a FIPS compliant container image for its own StatefulSet image.
# This setting does not apply to Elastic Stack applications images.
# Can be combined with config.ubiOnly.
fips: false
# priorityClassName defines the PriorityClass to be used by the operator pods.
priorityClassName: ""
# imagePullSecrets defines the secrets to use when pulling the operator container image.
imagePullSecrets: []
# resources define the container resource limits for the operator.
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 100m
memory: 150Mi
# statefulsetAnnotations define the annotations that should be added to the operator StatefulSet.
statefulsetAnnotations: {}
# statefulsetLabels define additional labels that should be added to the operator StatefulSet.
statefulsetLabels: {}
# podAnnotations define the annotations that should be added to the operator pod.
podAnnotations: {}
## podLabels define additional labels that should be added to the operator pod.
podLabels: {}
# podSecurityContext defines the pod security context for the operator pod.
podSecurityContext:
runAsNonRoot: true
# securityContext defines the security context of the operator container.
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
# nodeSelector defines the node selector for the operator pod.
nodeSelector: {}
# tolerations defines the node tolerations for the operator pod.
tolerations: []
# affinity defines the node affinity rules for the operator pod.
affinity: {}
# podDisruptionBudget configures the minimum or the maxium available pods for voluntary disruptions,
# set to either an integer (e.g. 1) or a percentage value (e.g. 25%).
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 3
# additional environment variables for the operator container.
env: []
# additional volume mounts for the operator container.
volumeMounts: []
# additional volumes to add to the operator pod.
volumes: []
# createClusterScopedResources determines whether cluster-scoped resources (ClusterRoles, ClusterRoleBindings) should be created.
createClusterScopedResources: true
# Automount API credentials for the Service Account into the pod.
automountServiceAccountToken: true
serviceAccount:
# create specifies whether a service account should be created for the operator.
create: true
# Specifies whether a service account should automount API credentials.
automountServiceAccountToken: true
# annotations to add to the service account
annotations: {}
# name of the service account to use. If not set and create is true, a name is generated using the fullname template.
name: ""
tracing:
# enabled specifies whether APM tracing is enabled for the operator.
enabled: false
# config is a map of APM Server configuration variables that should be set in the environment.
config:
ELASTIC_APM_SERVER_URL: http://localhost:8200
ELASTIC_APM_SERVER_TIMEOUT: 30s
refs:
# enforceRBAC specifies whether RBAC should be enforced for cross-namespace associations between resources.
enforceRBAC: false
webhook:
# enabled determines whether the webhook is installed.
enabled: true
# caBundle is the PEM-encoded CA trust bundle for the webhook certificate. Only required if manageCerts is false and certManagerCert is null.
caBundle: Cg==
# certManagerCert is the name of the cert-manager certificate to use with the webhook.
certManagerCert: null
# certsDir is the directory to mount the certificates.
certsDir: "/tmp/k8s-webhook-server/serving-certs"
# failurePolicy of the webhook.
failurePolicy: Ignore
# manageCerts determines whether the operator manages the webhook certificates automatically.
manageCerts: true
# namespaceSelector corresponds to the namespaceSelector property of the webhook.
# Setting this restricts the webhook to act only on objects submitted to namespaces that match the selector.
namespaceSelector: {}
# objectSelector corresponds to the objectSelector property of the webhook.
# Setting this restricts the webhook to act only on objects that match the selector.
objectSelector: {}
# port is the port that the validating webhook binds to.
port: 9443
# secret specifies the Kubernetes secret to be mounted into the path designated by the certsDir value to be used for webhook certificates.
certsSecret: ""
# hostNetwork allows a Pod to use the Node network namespace.
# This is required to allow for communication with the kube API when using some alternate CNIs in conjunction with webhook enabled.
# If hostNetwork is enabled, dnsPolicy defaults to ClusterFirstWithHostNet unless explicitly set.
# CAUTION: Proceed at your own risk. This setting has security concerns such as allowing malicious users to access workloads running on the host.
hostNetwork: false
# dnsPolicy defines the DNS policy for the operator pod.
# Check https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy for more details.
dnsPolicy: ""
# dnsConfig defines the DNS configuration for the operator pod.
# Check https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config for more details.
# dnsConfig:
# nameservers:
# - 169.254.20.10
# searches:
# - svc.cluster.local
# options:
# - name: ndots
# value: "2"
dnsConfig: {}
softMultiTenancy:
# enabled determines whether the operator is installed with soft multi-tenancy extensions.
# This requires network policies to be enabled on the Kubernetes cluster.
enabled: false
# kubeAPIServerIP is required when softMultiTenancy is enabled.
kubeAPIServerIP: null
telemetry:
# disabled determines whether the operator periodically updates ECK telemetry data for Kibana to consume.
disabled: false
# distributionChannel denotes which distribution channel was used to install the operator.
distributionChannel: "helm"
# config values for the operator.
config:
# logVerbosity defines the logging level. Valid values are as follows:
# -2: Errors only
# -1: Errors and warnings
# 0: Errors, warnings, and information
# number greater than 0: Errors, warnings, information, and debug details.
logVerbosity: "0"
# (Deprecated: use metrics.port: will be removed in v2.14.0) metricsPort defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
metricsPort: 0
metrics:
# port defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
port: "0"
# secureMode contains the options for enabling and configuring RBAC and TLS/HTTPs for the metrics endpoint.
secureMode:
# secureMode.enabled specifies whether to enable RBAC and TLS/HTTPs for the metrics endpoint.
# * This option makes most sense when using a ServiceMonitor to scrape the metrics and is therefore mutually exclusive with the podMonitor.enabled option.
# * This option also requires using cluster scoped resources (ClusterRole, ClusterRoleBinding) to
# grant access to the /metrics endpoint. (createClusterScopedResources: true is required)
#
enabled: false
tls:
# certificateSecret is the name of the tls secret containing the custom TLS certificate and key for the secure metrics endpoint.
#
# * This is an optional setting and is only required if you are using a custom TLS certificate. A self-signed certificate will be generated by default.
# * TLS secret key must be named tls.crt.
# * TLS key's secret key must be named tls.key.
# * It is assumed to be in the same namespace as the ServiceMonitor.
#
# example: kubectl create secret tls eck-metrics-tls-certificate -n elastic-system \
# --cert=/path/to/tls.crt --key=/path/to/tls.key
certificateSecret: ""
# containerRegistry to use for pulling Elasticsearch and other application container images.
containerRegistry: docker.elastic.co
# containerRepository to use for pulling Elasticsearch and other application container images.
# containerRepository: ""
# containerSuffix suffix to be appended to container images by default. Cannot be combined with -ubiOnly flag
# containerSuffix: ""
# maxConcurrentReconciles is the number of concurrent reconciliation operations to perform per controller.
maxConcurrentReconciles: "3"
# caValidity defines the validity period of the CA certificates generated by the operator.
caValidity: 8760h
# caRotateBefore defines when to rotate a CA certificate that is due to expire.
caRotateBefore: 24h
# caDir defines the directory containing a CA certificate (tls.crt) and its associated private key (tls.key) to be used for all managed resources.
# Setting this makes caRotateBefore and caValidity values ineffective.
caDir: ""
# certificatesValidity defines the validity period of certificates generated by the operator.
certificatesValidity: 8760h
# certificatesRotateBefore defines when to rotate a certificate that is due to expire.
certificatesRotateBefore: 24h
# disableConfigWatch specifies whether the operator watches the configuration file for changes.
disableConfigWatch: false
# exposedNodeLabels is an array of regular expressions of node labels which are allowed to be copied as annotations on Elasticsearch Pods.
exposedNodeLabels: [ "topology.kubernetes.io/.*", "failure-domain.beta.kubernetes.io/.*" ]
# ipFamily specifies the IP family to use. Possible values: IPv4, IPv6 and "" (auto-detect)
ipFamily: ""
# setDefaultSecurityContext determines whether a default security context is set on application containers created by the operator.
# *note* that the default option now is "auto-detect" to attempt to set this properly automatically when both running
# in an openshift cluster, and a standard kubernetes cluster. Valid values are as follows:
# "auto-detect" : auto detect
# "true" : set pod security context when creating resources.
# "false" : do not set pod security context when creating resources.
setDefaultSecurityContext: "auto-detect"
# kubeClientTimeout sets the request timeout for Kubernetes API calls made by the operator.
kubeClientTimeout: 60s
# elasticsearchClientTimeout sets the request timeout for Elasticsearch API calls made by the operator.
elasticsearchClientTimeout: 180s
# validateStorageClass specifies whether storage classes volume expansion support should be verified.
# Can be disabled if cluster-wide storage class RBAC access is not available.
validateStorageClass: true
# enableLeaderElection specifies whether leader election should be enabled
enableLeaderElection: true
# Interval between observations of Elasticsearch health, non-positive values disable asynchronous observation.
elasticsearchObservationInterval: 10s
# ubiOnly specifies whether the operator will use only UBI container images to deploy Elastic Stack applications as well as for its own StatefulSet image. UBI images are only available from 7.10.0 onward.
# Cannot be combined with the containerSuffix value.
ubiOnly: false
# Prometheus PodMonitor configuration
# Reference: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmonitor
podMonitor:
# enabled determines whether a podMonitor should deployed to scrape the eck metrics.
# This requires the prometheus operator and the config.metrics.port not to be 0
enabled: false
# labels adds additional labels to the podMonitor
labels: {}
# annotations adds additional annotations to the podMonitor
annotations: {}
# namespace determines in which namespace the podMonitor will be deployed.
# If not set the podMonitor will be created in the namespace where the Helm release is installed into
# namespace: monitoring
# interval specifies the interval at which metrics should be scraped
interval: 5m
# scrapeTimeout specifies the timeout after which the scrape is ended
scrapeTimeout: 30s
# podTargetLabels transfers labels on the Kubernetes Pod onto the target.
podTargetLabels: []
# podMetricsEndpointConfig allows to add an extended configuration to the podMonitor
podMetricsEndpointConfig: {}
# honorTimestamps: true
# Prometheus ServiceMonitor configuration
# Only used when config.enableSecureMetrics is true
# Reference: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#servicemonitor
serviceMonitor:
# This option requires the following settings within Prometheus to function:
# 1. RBAC settings for the Prometheus instance to access the metrics endpoint.
#
# - nonResourceURLs:
# - /metrics
# verbs:
# - get
#
# 2. If using the Prometheus Operator and your Prometheus instance is not in the same namespace as the operator you will need
# the Prometheus Operator configured with the following Helm values:
#
# prometheus:
# prometheusSpec:
# serviceMonitorNamespaceSelector: {}
# serviceMonitorSelectorNilUsesHelmValues: false
#
# allows to disable the serviceMonitor, enabled by default for backwards compatibility
enabled: true
# namespace determines in which namespace the serviceMonitor will be deployed.
# If not set the serviceMonitor will be created in the namespace where the Helm release is installed into
# namespace: monitoring
# caSecret is the name of the secret containing the custom CA certificate used to generate the custom TLS certificate for the secure metrics endpoint.
#
# * This *must* be the name of the secret containing the CA certificate used to sign the custom TLS certificate for the metrics endpoint.
# * This secret *must* be in the same namespace as the Prometheus instance that will scrape the metrics.
# * If using the Prometheus operator this secret must be within the `spec.secrets` field of the `Prometheus` custom resource such that it is mounted into the Prometheus pod at `caMountDirectory`, which defaults to /etc/prometheus/secrets/{secret-name}.
# * This is an optional setting and is only required if you are using a custom TLS certificate.
# * Key must be named ca.crt.
#
# example: kubectl create secret generic eck-metrics-tls-ca -n monitoring \
# --from-file=ca.crt=/path/to/ca.pem
caSecret: ""
# caMountDirectory is the directory at which the CA certificate is mounted within the Prometheus pod.
#
# * You should only need to adjust this if you are *not* using the Prometheus operator.
caMountDirectory: "/etc/prometheus/secrets/"
# insecureSkipVerify specifies whether to skip verification of the TLS certificate for the secure metrics endpoint.
#
# * If this setting is set to false, then the following settings are required:
# - certificateSecret
# - caSecret
insecureSkipVerify: true
# Globals meant for internal use only
global:
# manifestGen specifies whether the chart is running under manifest generator.
# This is used for tasks specific to generating the all-in-one.yaml file.
manifestGen: false
# createOperatorNamespace defines whether the operator namespace manifest should be generated when in manifestGen mode.
# Usually we do want that to happen (e.g. all-in-one.yaml) but, sometimes we don't (e.g. E2E tests).
createOperatorNamespace: true
# kubeVersion is the effective Kubernetes version we target when generating the all-in-one.yaml.
kubeVersion: 1.21.0

13
manifests/eck-operator/values.yaml Normal file
View File

@ -0,0 +1,13 @@
replicaCount: 1
image:
repository: docker.elastic.co/eck/eck-operator
tag: 2.10.0
webhook:
enabled: true
certManager:
enabled: false
resources: {}