Merge pull request #45 from sonatype/CLM-32923-fluentd-non-sudo-permissions

CLM-33094 Optionally run the fluentd forwarder sidecar as non root user
benflodge authored Jan 3, 2025
2 parents 64d3aa8 + 4fd13bc commit 21e0792
Showing 6 changed files with 133 additions and 68 deletions.
50 changes: 42 additions & 8 deletions chart/README.md
@@ -577,8 +577,8 @@ Some example commands are shown below.
--set hpa.enabled=true
--set iq_server.resources.requests.cpu="500m"
--set iq_server.resources.limits.cpu="1000m"
--set fluentd.resources.requests.cpu="200m"
--set fluentd.resources.limits.cpu="500m"
--set fluentd.sidecar_forwarder.resources.requests.cpu="200m"
--set fluentd.sidecar_forwarder.resources.requests.cpu="500m"
...
sonatype/nexus-iq-server-ha --version <version>
```
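Review bot: the second added line in this hunk sets `fluentd.sidecar_forwarder.resources.requests.cpu` a second time, so the example no longer sets a CPU limit at all and the later `--set` simply overrides the earlier one. The removed line was `--set fluentd.resources.limits.cpu="500m"`; its replacement should be `--set fluentd.sidecar_forwarder.resources.limits.cpu="500m"`.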
@@ -614,6 +614,27 @@ An example command is shown below.
--set ingress-nginx.enabled=true
sonatype/nexus-iq-server-ha --version <version>
```
### Useful Example For Local Testing

An example command with a persistence host path set useful for testing is shown below.

#### External Database, HostPath, and ingress-nginx
```
helm upgrade --namespace iq-ha iq-cluster \
--set-file iq_server.license="license.lic"
--set iq_server.database.hostname=myhost
--set iq_server.database.port=5432
--set iq_server.database.name=iq
--set iq_server.database.username=postgres
--set iq_server.database.password=admin123
--set iq_server.persistence.hostPath.path="/mnt/iq-server"
--set iq_server.persistence.hostPath.type="DirectoryOrCreate"
--set iq_server.persistence.accessModes[0]="ReadWriteOnce"
--set iq_server.serviceType=NodePort
--set ingress.enabled=true
--set ingress-nginx.enabled=true
sonatype/nexus-iq-server-ha --version <version>
```

## Upgrading

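Review bot: the new local-testing example puts a literal database password on the command line (`--set iq_server.database.password=admin123`); even for a throwaway setup this ends up in shell history and in the stored Helm release values. Prefer pointing readers at the secret-based options the chart already has (`secret.rds.arn` is referenced in the deployment template) or at least mark the value as a placeholder in the text above the block. The heading "Useful Example For Local Testing" should also match the sentence-case style of the other `###` headings in this README.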
@@ -624,6 +645,16 @@ To upgrade Sonatype IQ Server and ensure a successful data migration, the follow
3. **Update the helm chart.** Typically, this will also update the Sonatype IQ Server version.
4. **Run your helm chart upgrade command.** The deleted pods will be re-created with the updates.

### To 186.0.0
In this version all the fluentd sidecar options have been moved under the `fluentd.sidecar_forwarder` prefix to avoid confusion.

- Moved iq_server.fluentd.forwarder.enabled to fluentd.sidecar_forwarder.enabled
- Moved fluentd.securityContext to fluentd.sidecar_forwarder.securityContext
- Moved fluentd.resources.requests.cpu to fluentd.sidecar_forwarder.resources.requests.cpu
- Moved fluentd.resources.requests.memory to fluentd.sidecar_forwarder.resources.requests.memory
- Moved fluentd.resources.limits.cpu to fluentd.sidecar_forwarder.resources.limits.cpu
- Moved fluentd.resources.limits.memory to fluentd.sidecar_forwarder.resources.limits.memory

## Chart Configuration Options
| Parameter | Description | Default |
|--------------------------------------------------------------------|------------------------------------------------------------------------------------------------------|----------------------------|
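Review bot: the 186.0.0 upgrade note lists the moved keys, but nothing in the chart rejects the old ones, so a user who still has `iq_server.fluentd.forwarder.enabled: false` in their values will silently get the sidecar back, because `fluentd.sidecar_forwarder.enabled` defaults to `true`. Consider a `fail` in the templates when `.Values.iq_server.fluentd`, the old `.Values.fluentd.resources` or `.Values.fluentd.securityContext` are present, and mention the new `daemonUser` / `daemonGroup` options in this note since they are part of the same change.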
@@ -675,7 +706,6 @@ To upgrade Sonatype IQ Server and ensure a successful data migration, the follow
| `iq_server.livenessProbe.periodSeconds` | Period seconds for liveness probe | `20` |
| `iq_server.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | `3` |
| `iq_server.livenessProbe.failureThreshold` | Failure threshold for liveness probe | `3` |
| `iq_server.fluentd.forwarder.enabled` | Enable Fluentd forwarder | `true` |
| `iq_server.config` | A YAML block which will be used as a configuration block for IQ Server | See `values.yaml` |
| `iq_server.useGitSsh` | Use SSH to execute git operations for SCM integrations | `false` |
| `iq_server.sshPrivateKey` | SSH private key file to store on the nodes for ssh git operations | `nil` |
@@ -722,13 +752,17 @@ To upgrade Sonatype IQ Server and ensure a successful data migration, the follow
| `existingApplicationLoadBalancer.applicationTargetGroupARN` | Target group ARN for target synchronization with application endpoints | `nil` |
| `existingApplicationLoadBalancer.adminTargetGroupARN` | Target group ARN for target synchronization with admin endpoints | `nil` |
| `aggregateLogFileRetention.deleteCron` | Cron schedule expression for when to delete old aggregate log files if needed | `0 1 * * *` |
| `aggregateLogFileRetention.maxLastModifiedDays` | Maximum last modified time of an aggregate log file in days (0 disables deletion) | 50 |
| `aggregateLogFileRetention.maxLastModifiedDays` | Maximum last modified time of an aggregate log file in days (0 disables deletion) | `50` |
| `fluentd.enabled` | Enable Fluentd | `true` |
| `fluentd.resources.requests.cpu` | Fluentd sidecar cpu request | `nil` |
| `fluentd.resources.limits.cpu` | Fluentd sidecar cpu limit | `nil` |
| `fluentd.resources.requests.memory` | Fluentd sidecar memory request | `nil` |
| `fluentd.resources.limits.memory` | Fluentd sidecar memory limit | `nil` |
| `fluentd.config` | Fluentd configuration | See `values.yaml` |
| `fluentd.sidecar_forwarder.enabled` | Enable Fluentd sidecar forwarder | `true` |
| `fluentd.sidecar_forwarder.resources.requests.cpu` | Fluentd sidecar forwarder cpu request | `nil` |
| `fluentd.sidecar_forwarder.resources.limits.cpu` | Fluentd sidecar forwarder cpu limit | `nil` |
| `fluentd.sidecar_forwarder.resources.requests.memory` | Fluentd sidecar forwarder memory request | `nil` |
| `fluentd.sidecar_forwarder.resources.limits.memory` | Fluentd sidecar forwarder memory limit | `nil` |
| `fluentd.sidecar_forwarder.daemonUser` | Fluentd sidecar forwarder daemon user (set to root by default because it reads from host paths) | `root` |
| `fluentd.sidecar_forwarder.daemonGroup` | Fluentd sidecar forwarder daemon group (set to root by default because it reads from host paths) | `root` |
| `fluentd.sidecar_forwarder.securityContext` | Fluentd sidecar forwarder security context (See `values.yaml` for non root example) | `nil` |
| `hpa.enabled` | Enable Horizontal Pod Autoscaler | `false` |
| `hpa.minReplicas` | Minimum number of replicas | `2` |
| `hpa.maxReplicas` | Maximum number of replicas | `4` |
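Review bot: the three new rows document `daemonUser`, `daemonGroup` and `securityContext` as independent settings, but the non-root mode only works when they agree: the description explains the root defaults, yet the `securityContext` row only points at `values.yaml`. State here that `securityContext.runAsUser` / `runAsGroup` must correspond to the uid/gid of `daemonUser` / `daemonGroup` (the test in this PR pairs `fluentd` with 1001) and that the IQ server's log directory must be readable by that user, otherwise readers will change one setting and get a sidecar that either fails to switch user or cannot read the logs.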
2 changes: 1 addition & 1 deletion chart/templates/fluentd-config.yaml
@@ -1,5 +1,5 @@
{{- if .Values.fluentd.enabled }}
{{- if .Values.iq_server.fluentd.forwarder.enabled }}
{{- if .Values.fluentd.sidecar_forwarder.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
54 changes: 33 additions & 21 deletions chart/templates/iq-server-deployment.yaml
@@ -41,9 +41,11 @@ spec:
items:
- key: config
path: config.yml
{{- if and (.Values.fluentd.enabled) (.Values.iq_server.fluentd.forwarder.enabled) }}
{{- if and (.Values.fluentd.enabled) (.Values.fluentd.sidecar_forwarder.enabled) }}
- name: {{ .Release.Name }}-iq-server-pod-logs
emptyDir: {}
- name: {{ .Release.Name }}-fluentd-empty-dir
emptyDir: {}
- name: {{ .Release.Name }}-fluentd-pod-config-volume
configMap:
name: {{ .Release.Name }}-fluentd-sidecar-forwarder-configmap
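Review bot: the new `-fluentd-empty-dir` volume backs the buffer directory with an unbounded `emptyDir: {}`; if the aggregator is unreachable, fluentd keeps buffering into it until the node's ephemeral storage runs out and the whole IQ server pod is evicted along with the sidecar. Add a `sizeLimit` (for example `emptyDir: { sizeLimit: 1Gi }`, ideally driven by a value) so the sidecar hits its own ceiling before the node does.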
@@ -85,6 +87,8 @@ spec:
- mountPath: "/opt/sonatype/nexus-iq-server/.ssh"
name: {{ .Release.Name }}-iq-server-pod-volume
subPath: .ssh
- mountPath: "/etc/nexus-iq-server"
name: {{ .Release.Name }}-iq-server-pod-config-volume
{{- if or (.Values.secret.arn) (.Values.secret.license.arn) (.Values.secret.rds.arn) (.Values.secret.sshPrivateKey.arn) (.Values.secret.sshKnownHosts.arn) }}
- mountPath: "/iq-secrets"
name: {{ .Release.Name }}-iq-server-secrets-volume
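Review bot: moving the `/etc/nexus-iq-server` config mount above the secrets and license mounts is mentioned neither in the PR title nor in the upgrade note, and it shifts every positional assertion downstream (the `volumeMounts[2]` to `[3]` change in `iq-server-deployment_test.yaml` is a consequence). If the reorder is intentional, say why in the commit message; otherwise leave the mount where it was so this change stays scoped to the fluentd sidecar.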
@@ -95,9 +99,7 @@ spec:
name: {{ .Release.Name }}-iq-server-pod-license-volume
readOnly: true
{{- end }}
- mountPath: "/etc/nexus-iq-server"
name: {{ .Release.Name }}-iq-server-pod-config-volume
{{- if and (.Values.fluentd.enabled) (.Values.iq_server.fluentd.forwarder.enabled) }}
{{- if and (.Values.fluentd.enabled) (.Values.fluentd.sidecar_forwarder.enabled) }}
- mountPath: "/var/log/nexus-iq-server"
name: {{ .Release.Name }}-iq-server-pod-logs
{{- end }}
@@ -204,37 +206,47 @@ spec:
curl -If {{ .type }}://localhost:{{ .port }}/{{- if include "nexus-iq-server-ha.trimSpaceAndForwardSlashes" $.Values.iq_server.config.server.adminContextPath }}{{ include "nexus-iq-server-ha.trimSpaceAndForwardSlashes" $.Values.iq_server.config.server.adminContextPath }}/{{- end }}healthcheck/threadDeadlock
{{- end }}
{{- end }}
{{- if and (.Values.fluentd.enabled) (.Values.iq_server.fluentd.forwarder.enabled) }}
{{- if and (.Values.fluentd.enabled) (.Values.fluentd.sidecar_forwarder.enabled) }}
- name: {{ .Release.Name }}-fluentd-container
{{- with .Values.fluentd.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: {{ .Values.fluentd.image.repository }}:{{ .Values.fluentd.image.tag }}
imagePullPolicy: {{ .Values.fluentd.image.pullPolicy }}
resources:
requests:
{{- if .Values.fluentd.resources.requests.cpu }}
cpu: {{ .Values.fluentd.resources.requests.cpu }}
{{- if .Values.fluentd.sidecar_forwarder.resources.requests.cpu }}
cpu: {{ .Values.fluentd.sidecar_forwarder.resources.requests.cpu }}
{{- end }}
{{- if .Values.fluentd.resources.requests.memory }}
memory: {{ .Values.fluentd.resources.requests.memory }}
{{- if .Values.fluentd.sidecar_forwarder.resources.requests.memory }}
memory: {{ .Values.fluentd.sidecar_forwarder.resources.requests.memory }}
{{- end }}
limits:
{{- if .Values.fluentd.resources.limits.cpu }}
cpu: {{ .Values.fluentd.resources.limits.cpu }}
{{- if .Values.fluentd.sidecar_forwarder.resources.limits.cpu }}
cpu: {{ .Values.fluentd.sidecar_forwarder.resources.limits.cpu }}
{{- end }}
{{- if .Values.fluentd.resources.limits.memory }}
memory: {{ .Values.fluentd.resources.limits.memory }}
{{- if .Values.fluentd.sidecar_forwarder.resources.limits.memory }}
memory: {{ .Values.fluentd.sidecar_forwarder.resources.limits.memory }}
{{- end }}
volumeMounts:
- mountPath: "/opt/bitnami/fluentd/conf"
name: {{ .Release.Name }}-fluentd-pod-config-volume
- mountPath: "/var/log/nexus-iq-server"
name: {{ .Release.Name }}-iq-server-pod-logs
- name: {{ .Release.Name }}-fluentd-pod-config-volume
mountPath: "/opt/bitnami/fluentd/conf"
- name: {{ .Release.Name }}-iq-server-pod-logs
mountPath: "/var/log/nexus-iq-server"
- name: {{ .Release.Name }}-fluentd-empty-dir
mountPath: /opt/bitnami/fluentd/logs/buffers
env:
- name: FLUENTD_CONF
value: fluentd.yaml
{{- if .Values.fluentd.sidecar_forwarder.daemonUser }}
- name: FLUENTD_DAEMON_USER
value: {{ .Values.fluentd.sidecar_forwarder.daemonUser }}
{{- end }}
{{- if .Values.fluentd.sidecar_forwarder.daemonGroup }}
- name: FLUENTD_DAEMON_GROUP
value: {{ .Values.fluentd.sidecar_forwarder.daemonGroup }}
{{- end }}
{{- with .Values.fluentd.sidecar_forwarder.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
initContainers:
- name: {{ .Release.Name }}-set-iq-persistence-ownership
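Review bot: `FLUENTD_DAEMON_USER` / `FLUENTD_DAEMON_GROUP` and the container `securityContext` are rendered from independent values with no cross-check, so `securityContext.runAsUser: 1001` together with the default `daemonUser: root` renders cleanly but hands the image's entrypoint a user it cannot switch to once the process is already non-root. Either derive the env values from the security context (or the reverse) or `fail` when one side is non-root and the other is left at `root`. Separately, the sidecar reads `/var/log/nexus-iq-server` from an emptyDir written by the IQ server container, so a non-root sidecar only works if that container writes with a matching uid/gid or the pod sets `fsGroup`; the `set-iq-persistence-ownership` init container is named for the persistence volume, not the logs emptyDir, so this requirement needs documenting.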
12 changes: 4 additions & 8 deletions chart/tests/fluentd-config_test.yaml
@@ -283,12 +283,10 @@ tests:
enabled: true
forwarder:
enabled: true
sidecar_forwarder:
enabled: true
aggregator:
enabled: true
iq_server:
fluentd:
forwarder:
enabled: true
asserts:
- hasDocuments:
count: 3
@@ -311,12 +309,10 @@ tests:
enabled: true
forwarder:
enabled: true
sidecar_forwarder:
enabled: false
aggregator:
enabled: false
iq_server:
fluentd:
forwarder:
enabled: false
asserts:
- hasDocuments:
count: 1
51 changes: 35 additions & 16 deletions chart/tests/iq-server-deployment_test.yaml
@@ -126,6 +126,8 @@ tests:
name: RELEASE-NAME-fluentd-pod-config-volume
- mountPath: /var/log/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-logs
- mountPath: /opt/bitnami/fluentd/logs/buffers
name: RELEASE-NAME-fluentd-empty-dir
initContainers:
- command:
- /bin/sh
@@ -149,8 +151,10 @@ tests:
path: config.yml
name: RELEASE-NAME-iq-server-config-configmap
name: RELEASE-NAME-iq-server-pod-config-volume
- emptyDir: { }
- emptyDir: {}
name: RELEASE-NAME-iq-server-pod-logs
- emptyDir: {}
name: RELEASE-NAME-fluentd-empty-dir
- configMap:
items:
- key: fluentd
@@ -254,17 +258,22 @@ tests:
image: busybox2
tag: "1.29"
fluentd:
resources:
requests:
cpu: 2
memory: "500M"
limits:
cpu: 4
memory: "1Gi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
sidecar_forwarder:
resources:
requests:
cpu: 2
memory: "500M"
limits:
cpu: 4
memory: "1Gi"
daemonUser: fluentd
daemonGroup: fluentd
securityContext:
runAsUser: 1001
runAsGroup: 1001
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
asserts:
- hasDocuments:
count: 1
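Review bot: this test only exercises the fully consistent non-root configuration (`daemonUser: fluentd`, `daemonGroup: fluentd`, `runAsUser: 1001`). Add a case with `sidecar_forwarder.daemonUser` and `daemonGroup` unset or empty asserting that the `FLUENTD_DAEMON_USER` / `FLUENTD_DAEMON_GROUP` env entries are omitted (the template guards them with `{{- if }}`), and one with the chart defaults asserting that `root` is rendered, since the defaults are what most upgrades will actually run with.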
@@ -381,20 +390,26 @@ tests:
- mountPath: "/opt/sonatype/nexus-iq-server/.ssh"
name: RELEASE-NAME-iq-server-pod-volume
subPath: .ssh
- mountPath: /etc/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-config-volume
- mountPath: /license
name: RELEASE-NAME-iq-server-pod-license-volume
readOnly: true
- mountPath: /etc/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-config-volume
- mountPath: /var/log/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-logs
- env:
- name: FLUENTD_CONF
value: fluentd.yaml
- name: FLUENTD_DAEMON_USER
value: fluentd
- name: FLUENTD_DAEMON_GROUP
value: fluentd
image: bitnami/fluentd:1.18.0-debian-12-r0
imagePullPolicy: IfNotPresent
name: RELEASE-NAME-fluentd-container
securityContext:
runAsUser: 1001
runAsGroup: 1001
allowPrivilegeEscalation: false
capabilities:
drop: [ "ALL" ]
@@ -410,6 +425,8 @@ tests:
name: RELEASE-NAME-fluentd-pod-config-volume
- mountPath: /var/log/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-logs
- mountPath: /opt/bitnami/fluentd/logs/buffers
name: RELEASE-NAME-fluentd-empty-dir
initContainers:
- command:
- /bin/sh
@@ -440,8 +457,10 @@ tests:
path: config.yml
name: RELEASE-NAME-iq-server-config-configmap
name: RELEASE-NAME-iq-server-pod-config-volume
- emptyDir: { }
- emptyDir: {}
name: RELEASE-NAME-iq-server-pod-logs
- emptyDir: {}
name: RELEASE-NAME-fluentd-empty-dir
- configMap:
items:
- key: fluentd
@@ -468,7 +487,7 @@ tests:
secretName: "someLicenseSecret"
documentIndex: 0
- equal:
path: spec.template.spec.containers[0].volumeMounts[2].mountPath
path: spec.template.spec.containers[0].volumeMounts[3].mountPath
value: "/license"
documentIndex: 0
- equal:
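Review bot: bumping `volumeMounts[2]` to `volumeMounts[3]` shows how brittle the positional assertion is, and this PR itself is what reordered the mounts. Switch to a `contains` assertion on `spec.template.spec.containers[0].volumeMounts` with the `/license` mount as its `content` so the test survives the next reorder instead of encoding the mount order.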
0 comments on commit 21e0792
