Firefly Kubernetes Collector
This repository contains Firefly's Kubernetes Collector, which collects information from a customer's Kubernetes cluster and sends it to the Firefly SaaS. This means it is an on-premises component.
The collector is implemented in the Go programming language and packaged as an OCI image. It uses the official Go client provided by the Kubernetes project for the benefits it provides over manually accessing the Kubernetes API.
The collector is currently implemented as a job meant to be run as a Kubernetes CronJob. While this means the job's execution interval is at the discretion of the customer, this provides the ability to trigger the job manually at any given time without having to restart or add triggering capabilities to a Kubernetes Deployment.
The collector collects various objects from the Kubernetes cluster and sends them as-is to Firefly. There is a default list of resource types the collector fetches, to which more types can be added (or removed) via configuration.
Firefly's Kubernetes Collector requires:
- Kubernetes v1.15+
- Helm v3.5.0+
To start using the collector, follow these simple steps:
-
Use the Kubernetes Integration wizard in the Firefly dashboard to create an access keypair for a Kubernetes Cluster.
-
Install the collector on the cluster using Helm, with the data returned from the wizard:
helm repo add firefly https://gofireflyio.github.io/k8s-collector helm install firefly firefly/firefly-k8s-collector \ --set accessKey=<access_key> \ --set secretKey=<secret_key> \ --set clusterId=<cluster_id>
The collector's OCI-compliant Docker image is hosted in Docker Hub. The image is built from a Dockerfile that uses an Alpine-based Go image and employs a multi-stage build process to compile the collector into a statically-linked binary. The resulting image does not use any base layer, thus keeping its size as small as possible and improving security.
The image is named gofireflyio/k8s-collector
.
Please review the charts/chart/values.yaml file for a list of configuration options that can be modified when installing the Helm Chart. You may wish to modify the "schedule" setting, which controls the schedule for the collector's execution. By default, the collector is executed once every 15 minutes. This can be changed with a cron-compatible string.
When following the steps in the Quick Start section above, the wizard will instruct you to assign a cluster ID for the installation. This is necessary because Kubernetes does not provide a way to access a unique name or ID for a cluster, a cluster identifier must be provided to the collector.
The chart provides this cluster ID to the collector via the CLUSTER_ID
environment
variable. The cluster ID must only contain lowercase alphanumeric characters,
dashes and underscore (spaces are not allowed).
The collector must also be configured with an Firefly-provided access and secret
keys in order to be able to send data to Firefly. These keys are stored by the
chart as Kubernetes Secrets, and provided to the collector via the
INFRALIGHT_ACCESS_KEY
and INFRALIGHT_SECRET_KEY
environment variables,
respectively.
The collector's behavior may also be configured and modified via an optional Kubernetes ConfigMap. The complete list of configuration options supported are not exposed via the chart's values file, but the resulting ConfigMap can be manually modified, if necessary.
The list of resource types that are collected by the collector can be viewed
in the DefaultResourceTypes
variable in collector/config/config.go.
The collector will also collect custom resources (CRDs), assuming it is provided
permission to do so. You can remove or add resource types to the list by
providing the addTypes
and removeTypes
values, which accept lists:
helm install firefly firefly/firefly-k8s-collector \
--set accessKey=<access_key> \
--set secretKey=<secret_key> \
--set clusterId=<cluster_id> \
--set "addTypes={secrets,applications}" \
--set "removeTypes={configmaps}"
Note that "secrets" permission is required in order for the collector to collect
information about Helm v3 releases install directly via helm
.
In order to migrate from our old release to the updated one follow the instructions (either auto or manual)
This script requires the jq package. you can download it using your favorite PM (brew/apt etc.). To check if you have 'jq' installed, type the following command in your terminal:
jq --version
Run the migration script. Please Update the FIREFLY_COLLECTOR_NAMESPACE and the HELM_RELEASE_NAME if it's not the default values.
In order to migrate from our old release to the updated one please follow the following steps:
- run the following command and save the values of accessKey, secretKey, clusterId
helm -n firefly get values firefly
- run:
helm uninstall firefly -n firefly && helm repo remove firefly
- run the next command. Please fill with the variables from step 1
helm repo add firefly https://gofireflyio.github.io/k8s-collector && helm install firefly firefly/firefly-k8s-collector --set accessKey=<enter your secret key> --set secretKey=<enter your access key> --set clusterId=<enter your cluster id> --set schedule="*/15 * * * *" --namespace=firefly --create-namespace
During development, the collector may be run outside of the cluster without
having to package it in an image, or inside the cluster. It is recommended to
use minikube
for local development.
The collector sends the collected objects to the Firefly endpoint serialized
via JSON. Requests will be compressed using the gzip algorithm, unless
compression fails, in which case no compression will be used. The server MUST
inspect the contents of the Content-Encoding
request header to check whether
the request body is compressed or not, and only attempt to decompress using
gzip
if the header's value is "gzip"
.
The JSON format of each request is as follows:
{
"objects": [
{ "kind": "Pod", "metadata": { "name": "bla", "namespace": "default" } },
{ "kind": "CronJob", "metadata": { "name": "bla", "namespace": "default" } }
]
}
The format of object types themselves is generally consistent, and is documented here. See this for an example of the structure of an object of type Pod.
When a request is handled by the Firefly endpoint, it is expected to return a 204 No Content response with no body, unless an error has occurred.
- Make sure you have the App Server running. Create an access/secret keypair through the User Management page of the dashboard.
- Start minikube on top of Docker:
minikube start --driver=docker
- Load environment variables so the Docker client works against the local
minikube
Docker daemon:eval $(minikube docker-env)
- Build the collector's Docker image:
docker build -t gofireflyio/k8s-collector:<appVersion in Chart.yaml> .
- Install the collector via Helm (from the project's root directory):
helm install firefly ./charts/chart \ --set accessKey=<access_key> \ --set secretKey=<secret_key> \ --set clusterId=<cluster_id>
- While the collector will now be automatically triggered every 15 minutes,
you can also run it out-of-cluster at will, directly from the code. Simply
execute:
Note that you must first create a ".config" directory in the project root, and at the very least store the API endpoint in a file called ".config/endpoint". Other configuration options can be included as well. You can also provide the
FIREFLY_ACCESS_KEY=<accessKey> FIREFLY_SECRET_KEY=<secretKey> \ go run main.go \ -external ~/.kube/config \ -config `pwd`/.config \ -debug \ <clusterId>
-dry-run
flag to prevent any communication with Firefly (when used, access and secret keys need not be provided). - Inspect the job using the command line or the minikube dashboard:
minikube dashboard
- Cleanup:
helm uninstall firefly eval $(minikube docker-env -u)
The collector includes standard Go unit tests, and uses golangci-lint to run a comprehensive suite of static code analysis tools. The GitHub repository is set-up to compile the collector, run the unit tests and execute the static code analysis tools on every commit. The Dockerfile is also set-up to do the same thing when building the image.
Locally, these steps can be executed like so:
$ go build
$ go test ./...
$ golangci-lint run ./...
The project's Helm chart is located within this repository itself, in the
charts/chart directory, which is served via GitHub Pages (branch gh-pages
).
To release a new version of the chart, follow these directions:
- Perform changes to the collector's source code, if any.
- Update charts/chart/Chart.yaml by modifying the values of "version" and "appVersion" to new version numbers.
- Commit and push to the repository.
- An automated workflow will trigger, that creates a release & updates the
GitHub Pages at the
gh-pages
branch. - Manually run the "Build K8s Collector Image" workflow, providing it a tag whose value is the new version number you've used in Chart.yaml.
There are three locations where one should add a new resource type, if we want to collect more types by default:
- To the
DefaultResourceTypes
slice in collector/config/config.go. - To the
$resources
list in charts/chart/templates/clusterrole.yaml. - To the
$resources
list in charts/chart/templates/configmap.yaml.
This project is distributed under the terms of the Apache License 2.0.