Diffstat (limited to 'clover/logging/install')
-rw-r--r-- | clover/logging/install/elasticsearch-statefulset-service.yaml | 129 | ||||
-rw-r--r-- | clover/logging/install/fluentd-daemonset-elasticsearch-rbac.yaml | 96 | ||||
-rw-r--r-- | clover/logging/install/fluentd-istio.yaml | 40 | ||||
-rw-r--r-- | clover/logging/install/logging-stack.yaml | 205 | ||||
-rw-r--r-- | clover/logging/install/proxy-access-control-sidecar.yml | 32 |
5 files changed, 502 insertions, 0 deletions
diff --git a/clover/logging/install/elasticsearch-statefulset-service.yaml b/clover/logging/install/elasticsearch-statefulset-service.yaml
new file mode 100644
index 0000000..0fcc832
--- /dev/null
+++ b/clover/logging/install/elasticsearch-statefulset-service.yaml
@@ -0,0 +1,129 @@
+# RBAC authn and authz
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: elasticsearch-logging
+ namespace: kube-system
+ labels:
+ k8s-app: elasticsearch-logging
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: elasticsearch-logging
+ labels:
+ k8s-app: elasticsearch-logging
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "services"
+ - "namespaces"
+ - "endpoints"
+ verbs:
+ - "get"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: kube-system
+ name: elasticsearch-logging
+ labels:
+ k8s-app: elasticsearch-logging
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+- kind: ServiceAccount
+ name: elasticsearch-logging
+ namespace: kube-system
+ apiGroup: ""
+roleRef:
+ kind: ClusterRole
+ name: elasticsearch-logging
+ apiGroup: ""
+---
+# Elasticsearch deployment itself
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: elasticsearch-logging
+ namespace: kube-system
+ labels:
+ k8s-app: elasticsearch-logging
+ version: v5.6.4
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ serviceName: elasticsearch-logging
+ replicas: 2
+ selector:
+ matchLabels:
+ k8s-app: elasticsearch-logging
+ version: v5.6.4
+ template:
+ metadata:
+ labels:
+ k8s-app: elasticsearch-logging
+ version: v5.6.4
+ kubernetes.io/cluster-service: "true"
+ spec:
+ serviceAccountName: elasticsearch-logging
+ containers:
+ - image: k8s.gcr.io/elasticsearch:v5.6.4
+ name: elasticsearch-logging
+ resources:
+ # need more cpu upon initialization, therefore burstable class
+ limits:
+ cpu: 1000m
+ requests:
+ cpu: 100m
+ ports:
+ - containerPort: 9200
+ name: db
+ protocol: TCP
+ - containerPort: 9300
+ name: transport
+ protocol: TCP
+ volumeMounts:
+ - name: elasticsearch-logging
+ mountPath: /data
+ env:
+ - name: "NAMESPACE"
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumes:
+ - name: elasticsearch-logging
+ emptyDir: {}
+ # Elasticsearch requires vm.max_map_count to be at least 262144.
+ # If your OS already sets up this number to a higher value, feel free
+ # to remove this init container.
+ initContainers:
+ - image: alpine:3.6
+ command: ["/sbin/sysctl", "-w", "vm.max_map_count=262144"]
+ name: elasticsearch-logging-init
+ securityContext:
+ privileged: true
+---
+# Elasticsearch Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: elasticsearch-logging
+ namespace: kube-system
+ labels:
+ k8s-app: elasticsearch-logging
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/name: "Elasticsearch"
+spec:
+ ports:
+ - port: 9200
+ protocol: TCP
+ targetPort: db
+ selector:
+ k8s-app: elasticsearch-logging
diff --git a/clover/logging/install/fluentd-daemonset-elasticsearch-rbac.yaml b/clover/logging/install/fluentd-daemonset-elasticsearch-rbac.yaml
new file mode 100644
index 0000000..8131ef5
--- /dev/null
+++ b/clover/logging/install/fluentd-daemonset-elasticsearch-rbac.yaml
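Review bot: In elasticsearch-statefulset-service.yaml the `elasticsearch-logging-init` init container runs with `privileged: true` from the mutable tag `alpine:3.6` in `kube-system`, so whatever that tag resolves to at pull time gets full host privileges on each node the StatefulSet schedules to. `vm.max_map_count` is a node-level sysctl, so the privilege is hard to avoid while the init container exists; pin the image by digest (`image: alpine@sha256:<digest>`, placeholder) or set the sysctl during node provisioning and drop the container, as the existing comment already permits. Separately, the data volume is `emptyDir: {}`, so indexed logs disappear whenever a pod is rescheduled; a comment such as `# emptyDir: log data does not survive pod rescheduling; use volumeClaimTemplates if retention matters` would make that explicit for operators relying on these logs for investigations.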
@@ -0,0 +1,96 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fluentd
+ namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: fluentd
+ namespace: kube-system
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: fluentd
+roleRef:
+ kind: ClusterRole
+ name: fluentd
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: fluentd
+ namespace: kube-system
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: fluentd
+ namespace: kube-system
+ labels:
+ k8s-app: fluentd-logging
+ version: v1
+ kubernetes.io/cluster-service: "true"
+spec:
+ template:
+ metadata:
+ labels:
+ k8s-app: fluentd-logging
+ version: v1
+ kubernetes.io/cluster-service: "true"
+ spec:
+ serviceAccount: fluentd
+ serviceAccountName: fluentd
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ containers:
+ - name: fluentd
+ image: fluent/fluentd-kubernetes-daemonset:elasticsearch
+ env:
+ - name: FLUENT_ELASTICSEARCH_HOST
+ value: "elasticsearch-logging"
+ - name: FLUENT_ELASTICSEARCH_PORT
+ value: "9200"
+ - name: FLUENT_ELASTICSEARCH_SCHEME
+ value: "http"
+ # X-Pack Authentication
+ # =====================
+ - name: FLUENT_ELASTICSEARCH_USER
+ value: "elastic"
+ - name: FLUENT_ELASTICSEARCH_PASSWORD
+ value: "changeme"
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ volumeMounts:
+ - name: varlog
+ mountPath: /var/log
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ readOnly: true
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: varlog
+ hostPath:
+ path: /var/log
+ - name: varlibdockercontainers
+ hostPath:
+ path: /var/lib/docker/containers
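Review bot: `FLUENT_ELASTICSEARCH_USER` and `FLUENT_ELASTICSEARCH_PASSWORD` are committed as the literals `elastic` / `changeme` in the fluentd container's `env`, and `FLUENT_ELASTICSEARCH_SCHEME` is `http`. A well-known default credential therefore sits in version control and in the pod spec, readable by anyone allowed to get DaemonSets in `kube-system`, and it is sent in cleartext. Source both values from a Secret with `secretKeyRef`, as sketched below (the Secret name and keys are placeholders), and rotate the password if the target cluster actually enforces it. The image tag `fluent/fluentd-kubernetes-daemonset:elasticsearch` is also mutable; pinning a versioned tag or digest would keep the log shipper on every node reproducible.

```yaml
# … unchanged: FLUENT_ELASTICSEARCH_HOST / PORT / SCHEME …
- name: FLUENT_ELASTICSEARCH_USER
  valueFrom:
    secretKeyRef:
      name: <es-credentials-secret>   # placeholder Secret name
      key: username
- name: FLUENT_ELASTICSEARCH_PASSWORD
  valueFrom:
    secretKeyRef:
      name: <es-credentials-secret>   # placeholder Secret name
      key: password
# … unchanged: resources, volumeMounts …
```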
diff --git a/clover/logging/install/fluentd-istio.yaml b/clover/logging/install/fluentd-istio.yaml
new file mode 100644
index 0000000..1853831
--- /dev/null
+++ b/clover/logging/install/fluentd-istio.yaml
@@ -0,0 +1,40 @@
+# Configuration for logentry instances
+apiVersion: "config.istio.io/v1alpha2"
+kind: logentry
+metadata:
+ name: newlog
+ namespace: istio-system
+spec:
+ severity: '"info"'
+ timestamp: request.time
+ variables:
+ source: source.labels["app"] | source.service | "unknown"
+ user: source.user | "unknown"
+ destination: destination.labels["app"] | destination.service | "unknown"
+ responseCode: response.code | 0
+ responseSize: response.size | 0
+ latency: response.duration | "0ms"
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+# Configuration for a fluentd handler
+apiVersion: "config.istio.io/v1alpha2"
+kind: fluentd
+metadata:
+ name: handler
+ namespace: istio-system
+spec:
+ address: "fluentd-es.logging:24224"
+---
+# Rule to send logentry instances to the fluentd handler
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: newlogtofluentd
+ namespace: istio-system
+spec:
+ match: "true" # match for all requests
+ actions:
+ - handler: handler.fluentd
+ instances:
+ - newlog.logentry
+---
diff --git a/clover/logging/install/logging-stack.yaml b/clover/logging/install/logging-stack.yaml
new file mode 100644
index 0000000..9542496
--- /dev/null
+++ b/clover/logging/install/logging-stack.yaml
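Review bot: In fluentd-istio.yaml the `newlog` logentry records `source.user` for every request (`match: "true"`) and ships it to `fluentd-es.logging:24224`, yet nothing in this commit limits who may connect to that port. The `forward` source declared in logging-stack.yaml shows no authentication settings, so any pod that can reach the Service could presumably submit or flood log entries alongside Mixer's. I would put a comment on the handler, e.g. `# fluentd forward input is unauthenticated; restrict ingress to port 24224 with a NetworkPolicy`, and ship such a policy with the stack. It is also worth stating in the logentry comment that identity data is collected, so operators can set retention and access rules for the index accordingly.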
@@ -0,0 +1,205 @@
+# Logging Namespace. All below are a part of this namespace.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: logging
+---
+# Elasticsearch Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: elasticsearch
+ namespace: logging
+ labels:
+ app: elasticsearch
+spec:
+ ports:
+ - port: 9200
+ protocol: TCP
+ targetPort: db
+ selector:
+ app: elasticsearch
+ type: NodePort
+---
+# Elasticsearch Deployment
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: elasticsearch
+ namespace: logging
+ labels:
+ app: elasticsearch
+ annotations:
+ sidecar.istio.io/inject: "false"
+spec:
+ template:
+ metadata:
+ labels:
+ app: elasticsearch
+ spec:
+ containers:
+ - image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.1.1
+ name: elasticsearch
+ resources:
+ # need more cpu upon initialization, therefore burstable class
+ limits:
+ cpu: 1000m
+ requests:
+ cpu: 100m
+ env:
+ - name: discovery.type
+ value: single-node
+ ports:
+ - containerPort: 9200
+ name: db
+ protocol: TCP
+ - containerPort: 9300
+ name: transport
+ protocol: TCP
+ volumeMounts:
+ - name: elasticsearch
+ mountPath: /data
+ volumes:
+ - name: elasticsearch
+ emptyDir: {}
+---
+# Fluentd Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: fluentd-es
+ namespace: logging
+ labels:
+ app: fluentd-es
+spec:
+ ports:
+ - name: fluentd-tcp
+ port: 24224
+ protocol: TCP
+ targetPort: 24224
+ - name: fluentd-udp
+ port: 24224
+ protocol: UDP
+ targetPort: 24224
+ selector:
+ app: fluentd-es
+---
+# Fluentd Deployment
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: fluentd-es
+ namespace: logging
+ labels:
+ app: fluentd-es
+ annotations:
+ sidecar.istio.io/inject: "false"
+spec:
+ template:
+ metadata:
+ labels:
+ app: fluentd-es
+ spec:
+ containers:
+ - name: fluentd-es
+ image: gcr.io/google-containers/fluentd-elasticsearch:v2.0.1
+ env:
+ - name: FLUENTD_ARGS
+ value: --no-supervisor -q
+ resources:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/fluent/config.d
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: config-volume
+ configMap:
+ name: fluentd-es-config
+---
+# Fluentd ConfigMap, contains config files.
+kind: ConfigMap
+apiVersion: v1
+data:
+ forward.input.conf: |-
+ # Takes the messages sent over TCP
+ <source>
+ type forward
+ </source>
+ output.conf: |-
+ <match **>
+ type elasticsearch
+ log_level info
+ include_tag_key true
+ host elasticsearch
+ port 9200
+ logstash_format true
+ # Set the chunk limits.
+ buffer_chunk_limit 2M
+ buffer_queue_limit 8
+ flush_interval 5s
+ # Never wait longer than 5 minutes between retries.
+ max_retry_wait 30
+ # Disable the limit on the number of retries (retry forever).
+ disable_retry_limit
+ # Use multiple threads for processing.
+ num_threads 2
+ </match>
+metadata:
+ name: fluentd-es-config
+ namespace: logging
+---
+# Kibana Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: kibana
+ namespace: logging
+ labels:
+ app: kibana
+spec:
+ ports:
+ - port: 5601
+ protocol: TCP
+ targetPort: ui
+ selector:
+ app: kibana
+ type: NodePort
+---
+# Kibana Deployment
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: kibana
+ namespace: logging
+ labels:
+ app: kibana
+ annotations:
+ sidecar.istio.io/inject: "false"
+spec:
+ template:
+ metadata:
+ labels:
+ app: kibana
+ spec:
+ containers:
+ - name: kibana
+ image: docker.elastic.co/kibana/kibana-oss:6.1.1
+ resources:
+ # need more cpu upon initialization, therefore burstable class
+ limits:
+ cpu: 1000m
+ requests:
+ cpu: 100m
+ env:
+ - name: ELASTICSEARCH_URL
+ value: http://elasticsearch:9200
+ ports:
+ - containerPort: 5601
+ name: ui
+ protocol: TCP
+---
diff --git a/clover/logging/install/proxy-access-control-sidecar.yml b/clover/logging/install/proxy-access-control-sidecar.yml
new file mode 100644
index 0000000..833f9f7
--- /dev/null
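Review bot: In logging-stack.yaml the `elasticsearch` and `kibana` Services are `type: NodePort`, and the `-oss:6.1.1` images are deployed with no authentication or TLS configured anywhere in this manifest. Ports 9200 and 5601 are therefore opened on every node address, and anyone who can reach a node can read, alter or delete the collected logs. Unless external exposure is intended, drop `type: NodePort` so both default to ClusterIP, and reach Kibana through `kubectl port-forward` or an authenticating ingress. Also, `sidecar.istio.io/inject: "false"` appears under each Deployment's own `metadata.annotations` (indentation is flattened on this page, but it precedes `spec:`); the Istio injector reads that annotation from the pod template, so it likely needs to move to `spec.template.metadata.annotations` to take effect.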
+++ b/clover/logging/install/proxy-access-control-sidecar.yml
@@ -0,0 +1,32 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: proxy-access-control
+ labels:
+ app: proxy-access-control
+spec:
+ template:
+ metadata:
+ labels:
+ app: proxy-access-control
+ spec:
+ containers:
+ - name: proxy-access-control
+ image: opnfv/clover-ns-nginx-proxy:latest
+ ports:
+ - containerPort: 50054
+ - containerPort: 9180
+# inject nginx access log streaming
+ volumeMounts:
+ - name: nginxlog
+ mountPath: /var/log/nginx
+ - name: nginx-access-log
+ image: busybox
+ args: [/bin/sh, -c, 'tail -n+1 -f /var/log/nginx/access.log']
+ volumeMounts:
+ - name: nginxlog
+ mountPath: /var/log/nginx
+ volumes:
+ - name: nginxlog
+ emptyDir: {} |
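Review bot: Both containers in proxy-access-control-sidecar.yml use mutable image references, `opnfv/clover-ns-nginx-proxy:latest` and an untagged `busybox`, so the pod's contents can change between restarts with no change to this manifest. Pin each to a fixed tag or digest (e.g. `image: busybox:<pinned-tag>`, placeholder). The `nginx-access-log` sidecar only reads the log, so its `nginxlog` mount should carry `readOnly: true`, which keeps a compromised or misbehaving sidecar from tampering with the access log it streams. `tail -f` also stops following once `access.log` is rotated or recreated, and may exit if the file does not exist yet when the sidecar starts; `tail -F` is the usual remedy, to be verified against the pinned busybox build.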