From 790cb8bb365e3abeeb455452024acfc593d1c8ad Mon Sep 17 00:00:00 2001 From: Michael Russell Date: Tue, 9 Jul 2019 19:10:40 +0200 Subject: [PATCH 1/3] [kibana] Update healthCheckPath to mention basePath usage Make it clear that this setting needs to be updated if you are using a custom basePath like in #216 --- kibana/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kibana/README.md b/kibana/README.md index c37e8e53d..1022a6475 100644 --- a/kibana/README.md +++ b/kibana/README.md @@ -48,14 +48,14 @@ helm install --name kibana elastic/kibana --version 7.2.0 --set imageTag=7.2.0 | `image` | The Kibana docker image | `docker.elastic.co/kibana/kibana` | | `imageTag` | The Kibana docker image tag | `7.2.0` | | `imagePullPolicy` | The Kubernetes [imagePullPolicy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) value | `IfNotPresent` | -| `podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Kibana pods | `{}` | +| `podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Kibana pods | `{}` | | `resources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the statefulset | `requests.cpu: 100m`
`requests.memory: 2Gi`
`limits.cpu: 1000m`
`limits.memory: 2Gi` | | `protocol` | The protocol that will be used for the readinessProbe. Change this to `https` if you have `server.ssl.enabled: true` set | `http` | | `serverHost` | The [`server.host`](https://www.elastic.co/guide/en/kibana/current/settings.html) Kibana setting. This is set explicitly so that the default always matches what comes with the docker image. | `0.0.0.0` | -| `healthCheckPath` | The path used for the readinessProbe to check that Kibana is ready | `/app/kibana` | +| `healthCheckPath` | The path used for the readinessProbe to check that Kibana is ready. If you are setting `server.basePath` you will also need to update this to `/${basePath}/app/kibana` | `/app/kibana` | | `kibanaConfig` | Allows you to add any config files in `/usr/share/kibana/config/` such as `kibana.yml`. See [values.yaml](./values.yaml) for an example of the formatting. | `{}` | -| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000` | -| `securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`
`runAsNonRoot: true`
`runAsUser: 1000` | +| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000` | +| `securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`
`runAsNonRoot: true`
`runAsUser: 1000` | | `serviceAccount` | Allows you to overwrite the "default" [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) for the pod | `[]` | | `priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `` | | `antiAffinityTopologyKey` | The [anti-affinity topology key](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). By default this will prevent multiple Kibana instances from running on the same Kubernetes node | `kubernetes.io/hostname` | From b1914ada1bf2cfd3ce149b58812b44d80f34767f Mon Sep 17 00:00:00 2001 From: Michael Russell Date: Tue, 9 Jul 2019 20:11:42 +0200 Subject: [PATCH 2/3] [meta] Add retries and actual failures for vault auth If you immediately export the result of a command it will never fail even with `set -euo pipefail` --- .ci/jobs/elastic+helm-charts+master+cluster-cleanup.yml | 5 ++++- .ci/jobs/elastic+helm-charts+master+cluster-creation.yml | 5 ++++- .../elastic+helm-charts+master+integration-elasticsearch.yml | 5 ++++- .ci/jobs/elastic+helm-charts+master+integration-filebeat.yml | 5 ++++- .ci/jobs/elastic+helm-charts+master+integration-kibana.yml | 5 ++++- .../elastic+helm-charts+master+integration-metricbeat.yml | 5 ++++- .../elastic+helm-charts+pull-request+cluster-cleanup.yml | 5 ++++- .../elastic+helm-charts+pull-request+cluster-creation.yml | 5 ++++- ...ic+helm-charts+pull-request+integration-elasticsearch.yml | 5 ++++- ...elastic+helm-charts+pull-request+integration-filebeat.yml | 5 ++++- .../elastic+helm-charts+pull-request+integration-kibana.yml | 5 ++++- ...astic+helm-charts+pull-request+integration-metricbeat.yml | 5 ++++- 12 files changed, 48 insertions(+), 12 deletions(-) 
diff --git a/.ci/jobs/elastic+helm-charts+master+cluster-cleanup.yml b/.ci/jobs/elastic+helm-charts+master+cluster-cleanup.yml index 1467a2d44..37862f81a 100644 --- a/.ci/jobs/elastic+helm-charts+master+cluster-cleanup.yml +++ b/.ci/jobs/elastic+helm-charts+master+cluster-cleanup.yml @@ -21,8 +21,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x diff --git a/.ci/jobs/elastic+helm-charts+master+cluster-creation.yml b/.ci/jobs/elastic+helm-charts+master+cluster-creation.yml index 0a1bd9dab..c1698c76d 100644 --- a/.ci/jobs/elastic+helm-charts+master+cluster-creation.yml +++ b/.ci/jobs/elastic+helm-charts+master+cluster-creation.yml @@ -21,8 +21,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x diff --git a/.ci/jobs/elastic+helm-charts+master+integration-elasticsearch.yml b/.ci/jobs/elastic+helm-charts+master+integration-elasticsearch.yml index bf3f68450..5b5ccc95c 100644 --- a/.ci/jobs/elastic+helm-charts+master+integration-elasticsearch.yml +++ b/.ci/jobs/elastic+helm-charts+master+integration-elasticsearch.yml 
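Review bot: The AppRole `secret_id` on the new `VAULT_TOKEN=$(retry 5 vault write ...)` line now passes through `retry`, a helper sourced from `/usr/local/bin/bash_standard_lib.sh` whose body is not part of this patch. `set +x` only suppresses xtrace, not anything the helper prints itself. If `retry` echoes the command it is retrying, the secret would reach the build log, and anything it writes to stdout would be captured into `VAULT_TOKEN` alongside the token, so both are worth confirming. I would add `# retry must log to stderr only and must not print its arguments (secret_id is in argv)` above the assignment, and consider failing fast on an empty result with `[ -n "$VAULT_TOKEN" ]` before `export VAULT_TOKEN`. The same line appears in the other eleven job files changed by this patch.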
@@ -25,8 +25,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x diff --git a/.ci/jobs/elastic+helm-charts+master+integration-filebeat.yml b/.ci/jobs/elastic+helm-charts+master+integration-filebeat.yml index 0e45fd1cc..661d5e993 100644 --- a/.ci/jobs/elastic+helm-charts+master+integration-filebeat.yml +++ b/.ci/jobs/elastic+helm-charts+master+integration-filebeat.yml @@ -25,8 +25,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x diff --git a/.ci/jobs/elastic+helm-charts+master+integration-kibana.yml b/.ci/jobs/elastic+helm-charts+master+integration-kibana.yml index 73ac04282..d689e9143 100644 --- a/.ci/jobs/elastic+helm-charts+master+integration-kibana.yml +++ b/.ci/jobs/elastic+helm-charts+master+integration-kibana.yml @@ -25,8 +25,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x 
diff --git a/.ci/jobs/elastic+helm-charts+master+integration-metricbeat.yml b/.ci/jobs/elastic+helm-charts+master+integration-metricbeat.yml index 6e3a4663a..480b700e2 100644 --- a/.ci/jobs/elastic+helm-charts+master+integration-metricbeat.yml +++ b/.ci/jobs/elastic+helm-charts+master+integration-metricbeat.yml @@ -25,8 +25,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x diff --git a/.ci/jobs/elastic+helm-charts+pull-request+cluster-cleanup.yml b/.ci/jobs/elastic+helm-charts+pull-request+cluster-cleanup.yml index 39521ca39..cbd0d55eb 100644 --- a/.ci/jobs/elastic+helm-charts+pull-request+cluster-cleanup.yml +++ b/.ci/jobs/elastic+helm-charts+pull-request+cluster-cleanup.yml @@ -21,8 +21,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x diff --git a/.ci/jobs/elastic+helm-charts+pull-request+cluster-creation.yml b/.ci/jobs/elastic+helm-charts+pull-request+cluster-creation.yml index ad0c27d8b..d1b491080 100644 --- a/.ci/jobs/elastic+helm-charts+pull-request+cluster-creation.yml +++ b/.ci/jobs/elastic+helm-charts+pull-request+cluster-creation.yml 
@@ -21,8 +21,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x diff --git a/.ci/jobs/elastic+helm-charts+pull-request+integration-elasticsearch.yml b/.ci/jobs/elastic+helm-charts+pull-request+integration-elasticsearch.yml index 438bc82db..a476a1d85 100644 --- a/.ci/jobs/elastic+helm-charts+pull-request+integration-elasticsearch.yml +++ b/.ci/jobs/elastic+helm-charts+pull-request+integration-elasticsearch.yml @@ -25,8 +25,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x diff --git a/.ci/jobs/elastic+helm-charts+pull-request+integration-filebeat.yml b/.ci/jobs/elastic+helm-charts+pull-request+integration-filebeat.yml index fe86038a3..3a1621fbb 100644 --- a/.ci/jobs/elastic+helm-charts+pull-request+integration-filebeat.yml +++ b/.ci/jobs/elastic+helm-charts+pull-request+integration-filebeat.yml @@ -25,8 +25,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x 
diff --git a/.ci/jobs/elastic+helm-charts+pull-request+integration-kibana.yml b/.ci/jobs/elastic+helm-charts+pull-request+integration-kibana.yml index f60f3ac29..ed2e6ec4a 100644 --- a/.ci/jobs/elastic+helm-charts+pull-request+integration-kibana.yml +++ b/.ci/jobs/elastic+helm-charts+pull-request+integration-kibana.yml @@ -25,8 +25,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x diff --git a/.ci/jobs/elastic+helm-charts+pull-request+integration-metricbeat.yml b/.ci/jobs/elastic+helm-charts+pull-request+integration-metricbeat.yml index fe53b9a70..34c6ac2fb 100644 --- a/.ci/jobs/elastic+helm-charts+pull-request+integration-metricbeat.yml +++ b/.ci/jobs/elastic+helm-charts+pull-request+integration-metricbeat.yml @@ -25,8 +25,11 @@ #!/usr/local/bin/runbld set -euo pipefail + source /usr/local/bin/bash_standard_lib.sh + set +x - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x From 2eb8641c4b72ba41eba93c0efc4c455facb0d468 Mon Sep 17 00:00:00 2001 From: Michael Russell Date: Wed, 10 Jul 2019 16:04:11 +0200 Subject: [PATCH 3/3] Update .ci/jobs/elastic+helm-charts+master+integration-elasticsearch.yml Co-Authored-By: Tyler Langlois --- .../elastic+helm-charts+master+integration-elasticsearch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.ci/jobs/elastic+helm-charts+master+integration-elasticsearch.yml b/.ci/jobs/elastic+helm-charts+master+integration-elasticsearch.yml index 5b5ccc95c..7bb9ea7f6 100644 --- a/.ci/jobs/elastic+helm-charts+master+integration-elasticsearch.yml +++ b/.ci/jobs/elastic+helm-charts+master+integration-elasticsearch.yml @@ -28,7 +28,7 @@ source /usr/local/bin/bash_standard_lib.sh set +x - VAULT_TOKEN=$(retry 5 retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") + VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID") export VAULT_TOKEN unset VAULT_ROLE_ID VAULT_SECRET_ID set -x