Ingress support for Elasticsearch and Kibana Helm Charts

deploy/eck-stack/charts/eck-elasticsearch/examples/ingress/elasticsearch-ingress-aks.yaml

@@ -0,0 +1,26 @@
+---
+# The following is an example of an Elasticsearch resource that is configured to use an Ingress resource in an AKS cluster.
+#
+ingress:
+  enabled: true
+  className: webapprouting.kubernetes.azure.com
+  annotations:
+    # This is required for AKS Loadbalancing to understand that it's communicating with
+    # an HTTPS backend.
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+  labels:
+    my: label
+  pathType: Prefix
+  hosts:
+  - host: "*.company.dev"
+  path: "/"
+nodeSets:
+- name: default
+  count: 3
+  # Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
+  # For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
+  # and leave node.store.allow_mmap unset.
+  # ref: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-virtual-memory.html
+  #
+  config:
+    node.store.allow_mmap: false

deploy/eck-stack/charts/eck-elasticsearch/examples/ingress/elasticsearch-ingress-eks-alb.yaml

@@ -0,0 +1,32 @@
+---
+# The following is an example of an Elasticsearch resource that is configured to use an Ingress resource in an EKS cluster
+# which provisions an application load balancer.
+#
+ingress:
+  enabled: true
+  className: alb
+  annotations:
+    alb.ingress.kubernetes.io/scheme: "internet-facing"
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
+    alb.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    alb.ingress.kubernetes.io/target-type: "ip"
+    # To use an ALB with ECK, you must provide a valid ACM certificate ARN or use certificate discovery:
+    # ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/cert_discovery/
+    #
+    # alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-1:00000000000:certificate/b65be571-8220-4f2e-8cb1-94194535d877"
+  labels:
+    my: label
+  pathType: Prefix
+  hosts:
+  - host: "*.company.dev"
+  path: "/"
+nodeSets:
+- name: default
+  count: 3
+  # Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
+  # For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
+  # and leave node.store.allow_mmap unset.
+  # ref: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-virtual-memory.html
+  #
+  config:
+    node.store.allow_mmap: false

deploy/eck-stack/charts/eck-elasticsearch/examples/ingress/elasticsearch-ingress-eks-nlb.yaml

@@ -0,0 +1,27 @@
+---
+# The following is an example of an Elasticsearch resource that is configured to deploy a
+# network load balancer (NLB) in an EKS cluster. To provision an NLB "ingress" for the
+# Elasticsearch cluster, you are required to set annotations on the service,
+# and not an Ingress resource.
+ingress:
+  enabled: false
+http:
+  service:
+    metadata:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-type: external
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
+    spec:
+      type: LoadBalancer
+nodeSets:
+- name: default
+  count: 3
+  # Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
+  # For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
+  # and leave node.store.allow_mmap unset.
+  # ref: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-virtual-memory.html
+  #
+  config:
+    node.store.allow_mmap: false

deploy/eck-stack/charts/eck-elasticsearch/examples/ingress/elasticsearch-ingress-gke.yaml

@@ -0,0 +1,36 @@
+---
+# The following is an example of an Elasticsearch resource that is configured to use an Ingress resource in a GKE cluster.
+#
+ingress:
+  enabled: true
+  annotations:
+    my: annotation
+  labels:
+    my: label
+  pathType: Prefix
+  hosts:
+  - host: "*.company.dev"
+    path: "/"
+http:
+  service:
+    metadata:
+      annotations:
+        # This is required for `ClusterIP` services (which are the default ECK service type) to be used with Ingress in GKE clusters.
+        cloud.google.com/neg: '{"ingress": true}'
+        # This is required to enable the GKE Ingress Controller to use HTTPS as the backend protocol.
+        cloud.google.com/app-protocols: '{"https":"HTTPS"}'
+nodeSets:
+- name: default
+  count: 3
+  # Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
+  # For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
+  # and leave node.store.allow_mmap unset.
+  # ref: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-virtual-memory.html
+  #
+  config:
+    node.store.allow_mmap: false
+    # Enable anonymous access to allow GCLB health probes to succeed
+    xpack.security.authc:
+      anonymous:
+        username: anon
+        roles: monitoring_user

deploy/eck-stack/charts/eck-elasticsearch/templates/ingress.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.ingress.enabled -}}
+{{- $pathType := .Values.ingress.pathType | default "Prefix" -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "elasticsearch.fullname" . }}
+  labels:
+    {{- with .Values.ingress.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    eck.k8s.elastic.co/license: basic
+    {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className | quote }}
+  {{- end }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+  - hosts:
+  {{- range .Values.ingress.hosts }}
+    - {{ .host | quote }}
+  {{- end }}
+  {{- if .Values.ingress.tls.secretName }}
+    secretName: {{ .Values.ingress.tls.secretName }}
+  {{- else }}
+    secretName: {{ include "elasticsearch.fullname" . }}-es-http-certs-internal
+  {{- end }}
+  {{- end }}
+  rules:
+  {{- range .Values.ingress.hosts }}
+  {{- $hostPath := .path | default "/" }}
+  - host: {{ .host | quote }}
+    http:
+      paths:
+      - path: {{ $hostPath }}
+        pathType: {{ $pathType }}
+        backend:
+          service:
+            name: {{ include "elasticsearch.fullname" $ }}-es-http
+            port:
+              number: 9200
+  {{- end }}
+{{ end }}

deploy/eck-stack/charts/eck-elasticsearch/values.yaml

@@ -314,3 +314,74 @@ nodeSets:
     # List of volumes that can be mounted by containers belonging to the pod.
     # https://kubernetes.io/docs/concepts/storage/volumes
     # volumes: []
+
+# Settings for controlling Elasticsearch ingress. Enabling ingress will expose your Elasticsearch instance
+# to the public internet, and as such is disabled by default.
+#
+# Each Cloud Service Provider has different requirements for setting up Ingress. Some links to common documentation are:
+# - AWS:   https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
+# - GCP:   https://cloud.google.com/kubernetes-engine/docs/concepts/ingress
+# - Azure: https://learn.microsoft.com/en-us/azure/aks/app-routing
+# - Nginx: https://kubernetes.github.io/ingress-nginx/
+#
+ingress:
+  enabled: false
+
+  # Annotations that will be applied to the Ingress resource. Note that some ingress controllers are controlled via annotations.
+  # 
+  # Nginx Annotations: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
+  #
+  # Common annotations:
+  #   kubernetes.io/ingress.class: gce          # Configures the Ingress resource to use the GCE ingress controller and create an external Application Load Balancer.
+  #   kubernetes.io/ingress.class: gce-internal # Configures the Ingress resource to use the GCE ingress controller and create an internal Application Load Balancer.
+  #   kubernetes.io/ingress.class: nginx        # Configures the Ingress resource to use the NGINX ingress controller.
+  #
+  annotations: {}
+
+  # Labels that will be applied to the Ingress resource.
+  #
+  labels: {}
+
+  # Some ingress controllers require the use of a specific class name to route traffic to the correct controller, notably AKS and EKS, which
+  # replaces the use of the 'kubernetes.io/ingress.class' annotation.
+  #
+  # className: webapprouting.kubernetes.azure.com | alb
+
+  # Ingress paths are required to have a corresponding path type. Defaults to 'Prefix'.
+  #
+  # There are 3 supported path types:
+  # - ImplementationSpecific
+  # - Prefix
+  # - Exact
+  #
+  # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
+  #
+  pathType: Prefix
+
+  # Hosts are a list of hosts included in the Ingress definition, with a corresponding path at which the default Elasticsearch service
+  # will be exposed. Each host in the list should be a fully qualified DNS name that will resolve to the exposed Ingress object.
+  #
+  # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#name-based-virtual-hosting
+  #
+  hosts:
+    - host: chart-example.local
+      path: /
+
+  # TLS defines whether TLS will be enabled on the Ingress resource.
+  #
+  # *NOTE* Many Cloud Service Providers handle TLS in a custom manner, and as such, it is recommended to consult their documentation.
+  # Notably GKE and Nginx Ingress Controllers seems to respect the Ingress TLS settings, AKS and EKS ignore it.
+  #
+  # - AKS:   https://learn.microsoft.com/en-us/azure/aks/app-routing-dns-ssl
+  # - GKE:   https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#options_for_providing_ssl_certificates
+  # - EKS:   https://aws.amazon.com/blogs/containers/serve-distinct-domains-with-tls-powered-by-acm-on-amazon-eks/
+  # - Nginx: https://kubernetes.github.io/ingress-nginx/user-guide/tls/
+  #
+  # Kubernetes ingress TLS documentation:
+  # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+  #
+  tls:
+    enabled: false
+    # Optional Kubernetes secret name that contains a base64 encoded PEM certificate and private key that corresponds to the above 'hosts' definitions.
+    # If tls is enabled, but this field is not set, the self-signed certificate and key created by the ECK operator will be used.
+    # secretName: chart-example-tls

deploy/eck-stack/charts/eck-kibana/examples/ingress/kibana-aks.yaml

@@ -0,0 +1,29 @@
+# The following is an example of a Kibana resource that is configured to use an Ingress resource in an AKS cluster.
+#
+
+# Name of the Kibana instance.
+#
+fullnameOverride: kibana
+
+spec:
+  # Reference to ECK-managed Elasticsearch instance, ideally from {{ "elasticsearch.fullname" }}
+  #
+  elasticsearchRef:
+    name: elasticsearch
+  config:
+    server:
+      publicBaseUrl: "https://kibana.company.dev"
+
+ingress:
+  enabled: true
+  className: webapprouting.kubernetes.azure.com
+  annotations:
+    # This is required for AKS Loadbalancing to understand that it's communicating with
+    # an HTTPS backend.
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+  labels:
+    my: label
+  pathType: Prefix
+  hosts:
+  - host: "*.company.dev"
+  path: "/"

deploy/eck-stack/charts/eck-kibana/examples/ingress/kibana-eks.yaml

@@ -0,0 +1,44 @@
+# The following is an example of a Kibana resource that is configured to use an Ingress resource in an EKS cluster.
+#
+
+# Name of the Kibana instance.
+#
+fullnameOverride: kibana
+
+spec:
+  # Reference to ECK-managed Elasticsearch instance, ideally from {{ "elasticsearch.fullname" }}
+  #
+  elasticsearchRef:
+    name: elasticsearch
+  config:
+    server:
+      publicBaseUrl: "https://kibana.company.dev"
+
+ingress:
+  enabled: true
+  className: alb
+  annotations:
+    alb.ingress.kubernetes.io/scheme: "internet-facing"
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
+    alb.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    alb.ingress.kubernetes.io/target-type: "ip"
+    # To use an ALB with ECK, you must provide a valid ACM certificate ARN or use certificate discovery:
+    # ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/cert_discovery/
+    #
+    # alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-1:00000000000:certificate/b65be571-8220-4f2e-8cb1-94194535d877"
+  labels:
+    my: label
+  pathType: Prefix
+  hosts:
+  - host: "*.company.dev"
+  path: "/"
+nodeSets:
+- name: default
+  count: 3
+  # Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
+  # For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
+  # and leave node.store.allow_mmap unset.
+  # ref: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-virtual-memory.html
+  #
+  config:
+    node.store.allow_mmap: false

deploy/eck-stack/charts/eck-kibana/examples/ingress/kibana-gke.yaml

@@ -0,0 +1,32 @@
+# The following is an example of a Kibana resource that is configured to use an Ingress resource in a GKE cluster.
+#
+
+# Name of the Kibana instance.
+#
+fullnameOverride: kibana
+
+spec:
+  # Reference to ECK-managed Elasticsearch instance, ideally from {{ "elasticsearch.fullname" }}
+  #
+  elasticsearchRef:
+    name: elasticsearch
+  config:
+    server:
+      publicBaseUrl: "https://kibana.company.dev"
+  http:
+    service:
+      metadata:
+        annotations:
+          # This is required for `ClusterIP` services (which are the default ECK service type) to be used with Ingress in GKE clusters.
+          cloud.google.com/neg: '{"ingress": true}'
+          # This is required to enable the GKE Ingress Controller to use HTTPS as the backend protocol.
+          cloud.google.com/app-protocols: '{"https":"HTTPS"}'
+          # cloud.google.com/backend-config: '{"default": "kibana"}'
+
+ingress:
+  enabled: true
+  pathType: Prefix
+  hosts:
+  - host: "*.company.dev"
+    path: "/"
+  tls: true