Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ingress support for Elasticsearch and Kibana Helm Charts #7941

Merged
merged 11 commits into from
Jul 22, 2024
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
---
# The following is an example of an Elasticsearch resource that is configured to use an Ingress resource in an AKS cluster.
#
ingress:
enabled: true
className: webapprouting.kubernetes.azure.com
annotations:
# This is required for AKS Loadbalancing to understand that it's communicating with
# an HTTPS backend.
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
labels:
my: label
pathType: Prefix
hosts:
- host: "*.company.dev"
path: "/"
nodeSets:
- name: default
count: 3
# Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
# For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
# and leave node.store.allow_mmap unset.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-virtual-memory.html
#
config:
node.store.allow_mmap: false
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
---
# The following is an example of an Elasticsearch resource that is configured to use an Ingress resource in an EKS cluster
# which provisions an application load balancer.
#
ingress:
enabled: true
className: alb
annotations:
alb.ingress.kubernetes.io/scheme: "internet-facing"
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/backend-protocol: "HTTPS"
alb.ingress.kubernetes.io/target-type: "ip"
# To use an ALB with ECK, you must provide a valid ACM certificate ARN or use certificate discovery.
# There are 2 options for EKS:
# 1. Create a valid ACM certificate, and uncomment the following annotation and update it to the correct ARN.
# 2. Create a valid ACM certificate and ensure that the hosts[0].host matches the certificate's Common Name (CN) and
# certificate discovery *should* find the certificate automatically and use it.
#
# ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/cert_discovery/
#
# alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-1:00000000000:certificate/b65be571-8220-4f2e-8cb1-94194535d877"
labels:
my: label
pathType: Prefix
hosts:
- host: "*.company.dev"
path: "/"
nodeSets:
- name: default
count: 3
# Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
# For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
# and leave node.store.allow_mmap unset.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-virtual-memory.html
#
config:
node.store.allow_mmap: false
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
---
# The following is an example of an Elasticsearch resource that is configured to deploy a
# network load balancer (NLB) in an EKS cluster. To provision an NLB "ingress" for the
# Elasticsearch cluster, you are required to set annotations on the service,
# and not an Ingress resource.
ingress:
enabled: false
http:
service:
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: external
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
spec:
type: LoadBalancer
nodeSets:
- name: default
count: 3
# Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
# For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
# and leave node.store.allow_mmap unset.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-virtual-memory.html
#
config:
node.store.allow_mmap: false
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
---
# The following is an example of an Elasticsearch resource that is configured to use an Ingress resource in a GKE cluster.
#
ingress:
enabled: true
annotations:
my: annotation
labels:
my: label
pathType: Prefix
hosts:
- host: "*.company.dev"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you suggesting to use a wildcard here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No suggestion, it's part of what I tested. I'll update to be a non-wildcard now.

path: "/"
http:
service:
metadata:
annotations:
# This is required for `ClusterIP` services (which are the default ECK service type) to be used with Ingress in GKE clusters.
cloud.google.com/neg: '{"ingress": true}'
# This is required to enable the GKE Ingress Controller to use HTTPS as the backend protocol.
cloud.google.com/app-protocols: '{"https":"HTTPS"}'
nodeSets:
- name: default
count: 3
# Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
# For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
# and leave node.store.allow_mmap unset.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-virtual-memory.html
#
config:
node.store.allow_mmap: false
# Enable anonymous access to allow GCLB health probes to succeed
xpack.security.authc:
anonymous:
username: anon
roles: monitoring_user
48 changes: 48 additions & 0 deletions deploy/eck-stack/charts/eck-elasticsearch/templates/ingress.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
{{- if .Values.ingress.enabled -}}
{{- $pathType := .Values.ingress.pathType | default "Prefix" -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "elasticsearch.fullname" . }}
labels:
{{- include "elasticsearch.labels" . | nindent 4 }}
{{- with .Values.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.ingress.annotations }}
annotations:
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className | quote }}
{{- end }}
{{- if .Values.ingress.tls.enabled }}
tls:
- hosts:
{{- range .Values.ingress.hosts }}
- {{ .host | quote }}
{{- end }}
{{- if .Values.ingress.tls.secretName }}
secretName: {{ .Values.ingress.tls.secretName }}
{{- else }}
secretName: {{ include "elasticsearch.fullname" . }}-es-http-certs-internal
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
{{- $hostPath := .path | default "/" }}
- host: {{ .host | quote }}
http:
paths:
- path: {{ $hostPath }}
pathType: {{ $pathType }}
backend:
service:
name: {{ include "elasticsearch.fullname" $ }}-es-http
port:
number: 9200
{{- end }}
{{ end }}
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
suite: test elasticsearch ingress
templates:
- templates/ingress.yaml
tests:
- it: should render quickstart properly
set:
ingress.enabled: true
release:
name: quickstart
asserts:
- isKind:
of: Ingress
- equal:
path: metadata.name
value: quickstart-eck-elasticsearch
- it: name override should work properly
set:
nameOverride: override
ingress.enabled: true
release:
name: quickstart
asserts:
- isKind:
of: Ingress
- equal:
path: metadata.name
value: quickstart-override
- it: fullname override should work properly
set:
fullnameOverride: override
ingress.enabled: true
release:
name: quickstart
asserts:
- isKind:
of: Ingress
- equal:
path: metadata.name
value: override
- it: should render custom labels, and annotations values properly
set:
ingress:
enabled: true
labels:
test: label
annotations:
test: annotation
release:
name: quickstart
asserts:
- isKind:
of: Ingress
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: quickstart
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: eck-elasticsearch
helm.sh/chart: eck-elasticsearch-0.12.0-SNAPSHOT
test: label
- equal:
path: metadata.annotations
value:
test: annotation
- it: should render ingress properly
values:
- ../../examples/ingress/elasticsearch-ingress-gke.yaml
release:
name: quickstart
asserts:
- isKind:
of: Ingress
- equal:
path: metadata.name
value: quickstart-eck-elasticsearch
- contains:
path: spec.rules
content:
host: "*.company.dev"
http:
paths:
- backend:
service:
name: quickstart-eck-elasticsearch-es-http
port:
number: 9200
path: /
pathType: Prefix
71 changes: 71 additions & 0 deletions deploy/eck-stack/charts/eck-elasticsearch/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -314,3 +314,74 @@ nodeSets:
# List of volumes that can be mounted by containers belonging to the pod.
# https://kubernetes.io/docs/concepts/storage/volumes
# volumes: []

# Settings for controlling Elasticsearch ingress. Enabling ingress will expose your Elasticsearch instance
# to the public internet, and as such is disabled by default.
#
# Each Cloud Service Provider has different requirements for setting up Ingress. Some links to common documentation are:
# - AWS: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
# - GCP: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress
# - Azure: https://learn.microsoft.com/en-us/azure/aks/app-routing
# - Nginx: https://kubernetes.github.io/ingress-nginx/
#
ingress:
enabled: false

# Annotations that will be applied to the Ingress resource. Note that some ingress controllers are controlled via annotations.
#
# Nginx Annotations: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
#
# Common annotations:
# kubernetes.io/ingress.class: gce # Configures the Ingress resource to use the GCE ingress controller and create an external Application Load Balancer.
# kubernetes.io/ingress.class: gce-internal # Configures the Ingress resource to use the GCE ingress controller and create an internal Application Load Balancer.
# kubernetes.io/ingress.class: nginx # Configures the Ingress resource to use the NGINX ingress controller.
#
annotations: {}

# Labels that will be applied to the Ingress resource.
#
labels: {}

# Some ingress controllers require the use of a specific class name to route traffic to the correct controller, notably AKS and EKS, which
# replaces the use of the 'kubernetes.io/ingress.class' annotation.
#
# className: webapprouting.kubernetes.azure.com | alb

# Ingress paths are required to have a corresponding path type. Defaults to 'Prefix'.
#
# There are 3 supported path types:
# - ImplementationSpecific
# - Prefix
# - Exact
#
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
#
pathType: Prefix

# Hosts are a list of hosts included in the Ingress definition, with a corresponding path at which the default Elasticsearch service
# will be exposed. Each host in the list should be a fully qualified DNS name that will resolve to the exposed Ingress object.
#
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#name-based-virtual-hosting
#
hosts:
- host: chart-example.local
path: /

# TLS defines whether TLS will be enabled on the Ingress resource.
#
# *NOTE* Many Cloud Service Providers handle TLS in a custom manner, and as such, it is recommended to consult their documentation.
# Notably GKE and Nginx Ingress Controllers seems to respect the Ingress TLS settings, AKS and EKS ignore it.
#
# - AKS: https://learn.microsoft.com/en-us/azure/aks/app-routing-dns-ssl
# - GKE: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#options_for_providing_ssl_certificates
# - EKS: https://aws.amazon.com/blogs/containers/serve-distinct-domains-with-tls-powered-by-acm-on-amazon-eks/
# - Nginx: https://kubernetes.github.io/ingress-nginx/user-guide/tls/
#
# Kubernetes ingress TLS documentation:
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
#
tls:
enabled: false
# Optional Kubernetes secret name that contains a base64 encoded PEM certificate and private key that corresponds to the above 'hosts' definitions.
# If tls is enabled, but this field is not set, the self-signed certificate and key created by the ECK operator will be used.
# secretName: chart-example-tls
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
# The following is an example of a Kibana resource that is configured to use an Ingress resource in an AKS cluster.
#

# Name of the Kibana instance.
#
fullnameOverride: kibana

spec:
# Reference to ECK-managed Elasticsearch instance, ideally from {{ "elasticsearch.fullname" }}
#
elasticsearchRef:
name: elasticsearch
config:
server:
publicBaseUrl: "https://kibana.company.dev"

ingress:
enabled: true
className: webapprouting.kubernetes.azure.com
annotations:
# This is required for AKS Loadbalancing to understand that it's communicating with
# an HTTPS backend.
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
labels:
my: label
pathType: Prefix
hosts:
- host: "*.company.dev"
path: "/"
Loading