From 4fd13bca4b716ca599c46dd52a6d46b582a027c4 Mon Sep 17 00:00:00 2001 From: Ben Lodge Date: Tue, 17 Dec 2024 16:04:32 +0000 Subject: [PATCH] CLM-33094 Optionally run the fluentd forwarder sidecar as non root user --- chart/README.md | 50 ++++++++++++++++---- chart/templates/fluentd-config.yaml | 2 +- chart/templates/iq-server-deployment.yaml | 54 +++++++++++++--------- chart/tests/fluentd-config_test.yaml | 12 ++--- chart/tests/iq-server-deployment_test.yaml | 51 +++++++++++++------- chart/values.yaml | 32 +++++++------ 6 files changed, 133 insertions(+), 68 deletions(-) diff --git a/chart/README.md b/chart/README.md index 46d939d..08eaee2 100644 --- a/chart/README.md +++ b/chart/README.md @@ -577,8 +577,8 @@ Some example commands are shown below. --set hpa.enabled=true --set iq_server.resources.requests.cpu="500m" --set iq_server.resources.limits.cpu="1000m" - --set fluentd.resources.requests.cpu="200m" - --set fluentd.resources.limits.cpu="500m" + --set fluentd.sidecar_forwarder.resources.requests.cpu="200m" + --set fluentd.sidecar_forwarder.resources.requests.cpu="500m" ... sonatype/nexus-iq-server-ha --version ``` 
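Review bot: The second fluentd line in the example at -577 repeats `fluentd.sidecar_forwarder.resources.requests.cpu`, so the cpu limit the old example set is never set and the request is silently overwritten with 500m; it should read `--set fluentd.sidecar_forwarder.resources.limits.cpu="500m"`. As written, anyone copying the example ends up with a sidecar that has a cpu request but no cpu limit.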
@@ -614,6 +614,27 @@ An example command is shown below. --set ingress-nginx.enabled=true sonatype/nexus-iq-server-ha --version ``` +### Useful Example For Local Testing + +An example command with a persistence host path set useful for testing is shown below. + +#### External Database, HostPath, and ingress-nginx +``` +helm upgrade --namespace iq-ha iq-cluster \ + --set-file iq_server.license="license.lic" + --set iq_server.database.hostname=myhost + --set iq_server.database.port=5432 + --set iq_server.database.name=iq + --set iq_server.database.username=postgres + --set iq_server.database.password=admin123 + --set iq_server.persistence.hostPath.path="/mnt/iq-server" + --set iq_server.persistence.hostPath.type="DirectoryOrCreate" + --set iq_server.persistence.accessModes[0]="ReadWriteOnce" + --set iq_server.serviceType=NodePort + --set ingress.enabled=true + --set ingress-nginx.enabled=true + sonatype/nexus-iq-server-ha --version +``` ## Upgrading 
@@ -624,6 +645,16 @@ To upgrade Sonatype IQ Server and ensure a successful data migration, the follow 3. **Update the helm chart.** Typically, this will also update the Sonatype IQ Server version. 4. **Run your helm chart upgrade command.** The deleted pods will be re-created with the updates. +### To 186.0.0 +In this version all the fluentd sidecar options have been moved under the `fluentd.sidecar_forwarder` prefix to avoid confusion. + +- Moved iq_server.fluentd.forwarder.enabled to fluentd.sidecar_forwarder.enabled +- Moved fluentd.securityContext to fluentd.sidecar_forwarder.securityContext +- Moved fluentd.resources.requests.cpu to fluentd.sidecar_forwarder.resources.requests.cpu +- Moved fluentd.resources.requests.memory to fluentd.sidecar_forwarder.resources.requests.memory +- Moved fluentd.resources.limits.cpu to fluentd.sidecar_forwarder.resources.limits.cpu +- Moved fluentd.resources.limits.memory to fluentd.sidecar_forwarder.resources.limits.memory + ## Chart Configuration Options | Parameter | Description | Default | |--------------------------------------------------------------------|------------------------------------------------------------------------------------------------------|----------------------------| 
@@ -675,7 +706,6 @@ To upgrade Sonatype IQ Server and ensure a successful data migration, the follow | `iq_server.livenessProbe.periodSeconds` | Period seconds for liveness probe | `20` | | `iq_server.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | `3` | | `iq_server.livenessProbe.failureThreshold` | Failure threshold for liveness probe | `3` | -| `iq_server.fluentd.forwarder.enabled` | Enable Fluentd forwarder | `true` | | `iq_server.config` | A YAML block which will be used as a configuration block for IQ Server | See `values.yaml` | | `iq_server.useGitSsh` | Use SSH to execute git operations for SCM integrations | `false` | | `iq_server.sshPrivateKey` | SSH private key file to store on the nodes for ssh git operations | `nil` | 
@@ -722,13 +752,17 @@ To upgrade Sonatype IQ Server and ensure a successful data migration, the follow | `existingApplicationLoadBalancer.applicationTargetGroupARN` | Target group ARN for target synchronization with application endpoints | `nil` | | `existingApplicationLoadBalancer.adminTargetGroupARN` | Target group ARN for target synchronization with admin endpoints | `nil` | | `aggregateLogFileRetention.deleteCron` | Cron schedule expression for when to delete old aggregate log files if needed | `0 1 * * *` | -| `aggregateLogFileRetention.maxLastModifiedDays` | Maximum last modified time of an aggregate log file in days (0 disables deletion) | 50 | +| `aggregateLogFileRetention.maxLastModifiedDays` | Maximum last modified time of an aggregate log file in days (0 disables deletion) | `50` | | `fluentd.enabled` | Enable Fluentd | `true` | -| `fluentd.resources.requests.cpu` | Fluentd sidecar cpu request | `nil` | -| `fluentd.resources.limits.cpu` | Fluentd sidecar cpu limit | `nil` | -| `fluentd.resources.requests.memory` | Fluentd sidecar memory request | `nil` | -| `fluentd.resources.limits.memory` | Fluentd sidecar memory limit | `nil` | | `fluentd.config` | Fluentd configuration | See `values.yaml` | +| `fluentd.sidecar_forwarder.enabled` | Enable Fluentd sidecar forwarder | `true` | +| `fluentd.sidecar_forwarder.resources.requests.cpu` | Fluentd sidecar forwarder cpu request | `nil` | +| `fluentd.sidecar_forwarder.resources.limits.cpu` | Fluentd sidecar forwarder cpu limit | `nil` | +| `fluentd.sidecar_forwarder.resources.requests.memory` | Fluentd sidecar forwarder memory request | `nil` | +| `fluentd.sidecar_forwarder.resources.limits.memory` | Fluentd sidecar forwarder memory limit | `nil` | +| `fluentd.sidecar_forwarder.daemonUser` | Fluentd sidecar forwarder daemon user (set to root by default because it reads from host paths) | `root` | +| `fluentd.sidecar_forwarder.daemonGroup` | Fluentd sidecar forwarder daemon group (set to root by default because it 
reads from host paths) | `root` | +| `fluentd.sidecar_forwarder.securityContext` | Fluentd sidecar forwarder security context (See `values.yaml` for non root example) | `nil` | | `hpa.enabled` | Enable Horizontal Pod Autoscaler | `false` | | `hpa.minReplicas` | Minimum number of replicas | `2` | | `hpa.maxReplicas` | Maximum number of replicas | `4` | diff --git a/chart/templates/fluentd-config.yaml b/chart/templates/fluentd-config.yaml index 53497c2..4289168 100644 --- a/chart/templates/fluentd-config.yaml +++ b/chart/templates/fluentd-config.yaml @@ -1,5 +1,5 @@ {{- if .Values.fluentd.enabled }} -{{- if .Values.iq_server.fluentd.forwarder.enabled }} +{{- if .Values.fluentd.sidecar_forwarder.enabled }} apiVersion: v1 kind: ConfigMap metadata: diff --git a/chart/templates/iq-server-deployment.yaml b/chart/templates/iq-server-deployment.yaml index 90a8a97..bf52152 100644 --- a/chart/templates/iq-server-deployment.yaml +++ b/chart/templates/iq-server-deployment.yaml @@ -41,9 +41,11 @@ spec: items: - key: config path: config.yml - {{- if and (.Values.fluentd.enabled) (.Values.iq_server.fluentd.forwarder.enabled) }} + {{- if and (.Values.fluentd.enabled) (.Values.fluentd.sidecar_forwarder.enabled) }} - name: {{ .Release.Name }}-iq-server-pod-logs emptyDir: {} + - name: {{ .Release.Name }}-fluentd-empty-dir + emptyDir: {} - name: {{ .Release.Name }}-fluentd-pod-config-volume configMap: name: {{ .Release.Name }}-fluentd-sidecar-forwarder-configmap @@ -85,6 +87,8 @@ spec: - mountPath: "/opt/sonatype/nexus-iq-server/.ssh" name: {{ .Release.Name }}-iq-server-pod-volume subPath: .ssh + - mountPath: "/etc/nexus-iq-server" + name: {{ .Release.Name }}-iq-server-pod-config-volume {{- if or (.Values.secret.arn) (.Values.secret.license.arn) (.Values.secret.rds.arn) (.Values.secret.sshPrivateKey.arn) (.Values.secret.sshKnownHosts.arn) }} - mountPath: "/iq-secrets" name: {{ .Release.Name }}-iq-server-secrets-volume 
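Review bot: The new `{{ .Release.Name }}-fluentd-empty-dir` volume is an unbounded `emptyDir: {}`, and it is mounted at the fluentd buffers path further down this file, so if file buffering is in use a backlog while the aggregator is unreachable can grow until the node's ephemeral storage is exhausted. Consider bounding it with `emptyDir:` / `  sizeLimit: <BUFFER_SIZE_LIMIT>` (placeholder value), bearing in mind that the pod is evicted when the limit is exceeded, so it should sit above fluentd's own total buffer limit. Whether the fluentd configuration already caps the buffer cannot be told from this hunk.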
@@ -95,9 +99,7 @@ spec: name: {{ .Release.Name }}-iq-server-pod-license-volume readOnly: true {{- end }} - - mountPath: "/etc/nexus-iq-server" - name: {{ .Release.Name }}-iq-server-pod-config-volume - {{- if and (.Values.fluentd.enabled) (.Values.iq_server.fluentd.forwarder.enabled) }} + {{- if and (.Values.fluentd.enabled) (.Values.fluentd.sidecar_forwarder.enabled) }} - mountPath: "/var/log/nexus-iq-server" name: {{ .Release.Name }}-iq-server-pod-logs {{- end }} 
@@ -204,37 +206,47 @@ spec: curl -If {{ .type }}://localhost:{{ .port }}/{{- if include "nexus-iq-server-ha.trimSpaceAndForwardSlashes" $.Values.iq_server.config.server.adminContextPath }}{{ include "nexus-iq-server-ha.trimSpaceAndForwardSlashes" $.Values.iq_server.config.server.adminContextPath }}/{{- end }}healthcheck/threadDeadlock {{- end }} {{- end }} - {{- if and (.Values.fluentd.enabled) (.Values.iq_server.fluentd.forwarder.enabled) }} + {{- if and (.Values.fluentd.enabled) (.Values.fluentd.sidecar_forwarder.enabled) }} - name: {{ .Release.Name }}-fluentd-container - {{- with .Values.fluentd.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} image: {{ .Values.fluentd.image.repository }}:{{ .Values.fluentd.image.tag }} imagePullPolicy: {{ .Values.fluentd.image.pullPolicy }} resources: requests: - {{- if .Values.fluentd.resources.requests.cpu }} - cpu: {{ .Values.fluentd.resources.requests.cpu }} + {{- if .Values.fluentd.sidecar_forwarder.resources.requests.cpu }} + cpu: {{ .Values.fluentd.sidecar_forwarder.resources.requests.cpu }} {{- end }} - {{- if .Values.fluentd.resources.requests.memory }} - memory: {{ .Values.fluentd.resources.requests.memory }} + {{- if .Values.fluentd.sidecar_forwarder.resources.requests.memory }} + memory: {{ .Values.fluentd.sidecar_forwarder.resources.requests.memory }} {{- end }} limits: - {{- if .Values.fluentd.resources.limits.cpu }} - cpu: {{ .Values.fluentd.resources.limits.cpu }} + {{- if .Values.fluentd.sidecar_forwarder.resources.limits.cpu }} + cpu: {{ .Values.fluentd.sidecar_forwarder.resources.limits.cpu }} {{- end }} - {{- if .Values.fluentd.resources.limits.memory }} - memory: {{ .Values.fluentd.resources.limits.memory }} + {{- if .Values.fluentd.sidecar_forwarder.resources.limits.memory }} + memory: {{ .Values.fluentd.sidecar_forwarder.resources.limits.memory }} {{- end }} volumeMounts: - - mountPath: "/opt/bitnami/fluentd/conf" - name: {{ .Release.Name }}-fluentd-pod-config-volume - - 
mountPath: "/var/log/nexus-iq-server" - name: {{ .Release.Name }}-iq-server-pod-logs + - name: {{ .Release.Name }}-fluentd-pod-config-volume + mountPath: "/opt/bitnami/fluentd/conf" + - name: {{ .Release.Name }}-iq-server-pod-logs + mountPath: "/var/log/nexus-iq-server" + - name: {{ .Release.Name }}-fluentd-empty-dir + mountPath: /opt/bitnami/fluentd/logs/buffers env: - name: FLUENTD_CONF value: fluentd.yaml + {{- if .Values.fluentd.sidecar_forwarder.daemonUser }} + - name: FLUENTD_DAEMON_USER + value: {{ .Values.fluentd.sidecar_forwarder.daemonUser }} + {{- end }} + {{- if .Values.fluentd.sidecar_forwarder.daemonGroup }} + - name: FLUENTD_DAEMON_GROUP + value: {{ .Values.fluentd.sidecar_forwarder.daemonGroup }} + {{- end }} + {{- with .Values.fluentd.sidecar_forwarder.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} {{- end }} initContainers: - name: {{ .Release.Name }}-set-iq-persistence-ownership diff --git a/chart/tests/fluentd-config_test.yaml b/chart/tests/fluentd-config_test.yaml index 75e6481..57911f8 100644 --- a/chart/tests/fluentd-config_test.yaml +++ b/chart/tests/fluentd-config_test.yaml @@ -283,12 +283,10 @@ tests: enabled: true forwarder: enabled: true + sidecar_forwarder: + enabled: true aggregator: enabled: true - iq_server: - fluentd: - forwarder: - enabled: true asserts: - hasDocuments: count: 3 @@ -311,12 +309,10 @@ tests: enabled: true forwarder: enabled: true + sidecar_forwarder: + enabled: false aggregator: enabled: false - iq_server: - fluentd: - forwarder: - enabled: false asserts: - hasDocuments: count: 1 diff --git a/chart/tests/iq-server-deployment_test.yaml b/chart/tests/iq-server-deployment_test.yaml index 642bea3..1e220a9 100644 --- a/chart/tests/iq-server-deployment_test.yaml +++ b/chart/tests/iq-server-deployment_test.yaml 
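Review bot: `value: {{ .Values.fluentd.sidecar_forwarder.daemonUser }}` and the matching daemonGroup line render the values unquoted, so a numeric uid or gid such as `daemonUser: 1001` produces `value: 1001`, an integer the API server rejects because env values must be strings; render them as `value: {{ .Values.fluentd.sidecar_forwarder.daemonUser | quote }}` and `value: {{ .Values.fluentd.sidecar_forwarder.daemonGroup | quote }}`. Separately, the forwarder's mount of `-iq-server-pod-logs` is still writable; if fluentd's tail position file lives under the new buffers mount rather than next to the logs, `readOnly: true` on that mount would keep the sidecar from being able to alter or truncate the log trail it forwards, though this cannot be confirmed from the hunk. The container definition continues outside the hunk.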
@@ -126,6 +126,8 @@ tests: name: RELEASE-NAME-fluentd-pod-config-volume - mountPath: /var/log/nexus-iq-server name: RELEASE-NAME-iq-server-pod-logs + - mountPath: /opt/bitnami/fluentd/logs/buffers + name: RELEASE-NAME-fluentd-empty-dir initContainers: - command: - /bin/sh @@ -149,8 +151,10 @@ tests: path: config.yml name: RELEASE-NAME-iq-server-config-configmap name: RELEASE-NAME-iq-server-pod-config-volume - - emptyDir: { } + - emptyDir: {} name: RELEASE-NAME-iq-server-pod-logs + - emptyDir: {} + name: RELEASE-NAME-fluentd-empty-dir - configMap: items: - key: fluentd @@ -254,17 +258,22 @@ tests: image: busybox2 tag: "1.29" fluentd: - resources: - requests: - cpu: 2 - memory: "500M" - limits: - cpu: 4 - memory: "1Gi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] + sidecar_forwarder: + resources: + requests: + cpu: 2 + memory: "500M" + limits: + cpu: 4 + memory: "1Gi" + daemonUser: fluentd + daemonGroup: fluentd + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] asserts: - hasDocuments: count: 1 @@ -381,20 +390,26 @@ tests: - mountPath: "/opt/sonatype/nexus-iq-server/.ssh" name: RELEASE-NAME-iq-server-pod-volume subPath: .ssh + - mountPath: /etc/nexus-iq-server + name: RELEASE-NAME-iq-server-pod-config-volume - mountPath: /license name: RELEASE-NAME-iq-server-pod-license-volume readOnly: true - - mountPath: /etc/nexus-iq-server - name: RELEASE-NAME-iq-server-pod-config-volume - mountPath: /var/log/nexus-iq-server name: RELEASE-NAME-iq-server-pod-logs - env: - name: FLUENTD_CONF value: fluentd.yaml + - name: FLUENTD_DAEMON_USER + value: fluentd + - name: FLUENTD_DAEMON_GROUP + value: fluentd image: bitnami/fluentd:1.18.0-debian-12-r0 imagePullPolicy: IfNotPresent name: RELEASE-NAME-fluentd-container securityContext: + runAsUser: 1001 + runAsGroup: 1001 allowPrivilegeEscalation: false capabilities: drop: [ "ALL" ] 
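Review bot: The non-root fixture at -254 sets `runAsUser: 1001` and `runAsGroup: 1001` but not `runAsNonRoot: true`, and the expected securityContext at -381 matches it, so the test never pins the kubelet-enforced non-root check that the values.yaml example for this feature documents; add `runAsNonRoot: true` to both the fixture and the expected output. This fixture is also the only visible place the buffer mount and FLUENTD_DAEMON_USER/GROUP env entries are asserted, and no case here checks that the two env entries are omitted when daemonUser and daemonGroup are unset; that may be covered by an unchanged test outside the diff.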
@@ -410,6 +425,8 @@ tests: name: RELEASE-NAME-fluentd-pod-config-volume - mountPath: /var/log/nexus-iq-server name: RELEASE-NAME-iq-server-pod-logs + - mountPath: /opt/bitnami/fluentd/logs/buffers + name: RELEASE-NAME-fluentd-empty-dir initContainers: - command: - /bin/sh @@ -440,8 +457,10 @@ tests: path: config.yml name: RELEASE-NAME-iq-server-config-configmap name: RELEASE-NAME-iq-server-pod-config-volume - - emptyDir: { } + - emptyDir: {} name: RELEASE-NAME-iq-server-pod-logs + - emptyDir: {} + name: RELEASE-NAME-fluentd-empty-dir - configMap: items: - key: fluentd @@ -468,7 +487,7 @@ tests: secretName: "someLicenseSecret" documentIndex: 0 - equal: - path: spec.template.spec.containers[0].volumeMounts[2].mountPath + path: spec.template.spec.containers[0].volumeMounts[3].mountPath value: "/license" documentIndex: 0 - equal: diff --git a/chart/values.yaml b/chart/values.yaml index e423f8b..e428126 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -99,7 +99,6 @@ iq_server: # The service account to use to run the pods/job serviceAccountName: "default" - # How the service is exposed serviceType: "ClusterIP" # Annotations for the application service @@ -131,12 +130,6 @@ iq_server: timeoutSeconds: 3 failureThreshold: 3 - # fluentd sidecar forwarder - # Enabled to forward logs to the fluentd daemonset aggregator - fluentd: - forwarder: - enabled: true - # The full text of the config.yml file that will be passed to each Nexus IQ Server # Note that log formats must correspond to what the fluentd sidecar configuration is set to recognize config: @@ -364,13 +357,6 @@ aggregateLogFileRetention: # fluentd configuration fluentd: enabled: true - resources: - requests: - cpu: #150m - memory: #200M - limits: - cpu: #300m - memory: #400M config: # Configuration for sidecar forwarder # Note that source parsing formats must correspond to the Nexus IQ Server log formats 
@@ -635,6 +621,24 @@ fluentd: enabled: false configFile: "fluentd.yaml" configMap: "{{ .Release.Name }}-fluentd-daemonset-forwarder-configmap" + sidecar_forwarder: + # Enabled to forward logs to the fluentd daemonset aggregator + enabled: true + resources: + requests: + cpu: #150m + memory: #200M + limits: + cpu: #300m + memory: #400M + # Optional IQ server sidecar fluentd forwarder configuration to allow running as non root + # See: https://artifacthub.io/packages/helm/bitnami/fluentd/#running-as-non-root + # daemonUser: fluentd + # daemonGroup: fluentd + # securityContext: + # runAsUser: 1001 + # runAsGroup: 1001 + # runAsNonRoot: true # Configuration for daemonset aggregator aggregator: enabled: true
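Review bot: The commented non-root example under `sidecar_forwarder` lists only `runAsUser`, `runAsGroup` and `runAsNonRoot`, while the test fixture for the same feature also sets `allowPrivilegeEscalation: false` and drops all capabilities; since the README points users here as the reference non-root configuration, the example should carry `#   allowPrivilegeEscalation: false` and `#   capabilities:` / `#     drop: ["ALL"]` as well so the documented baseline matches the tested one. Whether the image needs any capability once the daemon user is switched cannot be confirmed from this hunk.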