CLM-33094 Optionally run the fluentd forwarder sidecar as non root user #45

Merged (1 commit) on Jan 3, 2025
50 changes: 42 additions & 8 deletions chart/README.md
@@ -577,8 +577,8 @@ Some example commands are shown below.
--set hpa.enabled=true
--set iq_server.resources.requests.cpu="500m"
--set iq_server.resources.limits.cpu="1000m"
--set fluentd.resources.requests.cpu="200m"
--set fluentd.resources.limits.cpu="500m"
--set fluentd.sidecar_forwarder.resources.requests.cpu="200m"
--set fluentd.sidecar_forwarder.resources.requests.cpu="500m"
...
sonatype/nexus-iq-server-ha --version <version>
```
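Review bot: the last of the two new `--set` lines in this example is a copy-paste slip: both now set `fluentd.sidecar_forwarder.resources.requests.cpu`, while the line it replaced was `fluentd.resources.limits.cpu="500m"`. As written, the second `--set` silently overrides the first and no CPU limit is configured at all; it should read `--set fluentd.sidecar_forwarder.resources.limits.cpu="500m"`.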
@@ -614,6 +614,27 @@ An example command is shown below.
--set ingress-nginx.enabled=true
sonatype/nexus-iq-server-ha --version <version>
```
### Useful Example For Local Testing

An example command with a persistence host path set useful for testing is shown below.

#### External Database, HostPath, and ingress-nginx
```
helm upgrade --namespace iq-ha iq-cluster \
--set-file iq_server.license="license.lic"
--set iq_server.database.hostname=myhost
--set iq_server.database.port=5432
--set iq_server.database.name=iq
--set iq_server.database.username=postgres
--set iq_server.database.password=admin123
--set iq_server.persistence.hostPath.path="/mnt/iq-server"
--set iq_server.persistence.hostPath.type="DirectoryOrCreate"
--set iq_server.persistence.accessModes[0]="ReadWriteOnce"
--set iq_server.serviceType=NodePort
--set ingress.enabled=true
--set ingress-nginx.enabled=true
sonatype/nexus-iq-server-ha --version <version>
```

## Upgrading

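Review bot: the new local-testing example puts the database password in clear text on the command line (`--set iq_server.database.password=admin123`), where it ends up in shell history and in the stored release values, and it combines that with a `hostPath` volume of type `DirectoryOrCreate` that only makes sense on a single-node test cluster. The heading already says "Local Testing"; one sentence in the prose stating that neither setting is meant for a shared or production cluster, with a pointer to the chart's secret-based options (the deployment template already handles `secret.rds.arn` and the other `secret.*.arn` values), would keep the snippet from being copied as-is.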
@@ -624,6 +645,16 @@ To upgrade Sonatype IQ Server and ensure a successful data migration, the follow
3. **Update the helm chart.** Typically, this will also update the Sonatype IQ Server version.
4. **Run your helm chart upgrade command.** The deleted pods will be re-created with the updates.

### To 186.0.0
In this version all the fluentd sidecar options have been moved under the `fluentd.sidecar_forwarder` prefix to avoid confusion.

- Moved iq_server.fluentd.forwarder.enabled to fluentd.sidecar_forwarder.enabled
- Moved fluentd.securityContext to fluentd.sidecar_forwarder.securityContext
- Moved fluentd.resources.requests.cpu to fluentd.sidecar_forwarder.resources.requests.cpu
- Moved fluentd.resources.requests.memory to fluentd.sidecar_forwarder.resources.requests.memory
- Moved fluentd.resources.limits.cpu to fluentd.sidecar_forwarder.resources.limits.cpu
- Moved fluentd.resources.limits.memory to fluentd.sidecar_forwarder.resources.limits.memory

## Chart Configuration Options
| Parameter | Description | Default |
|--------------------------------------------------------------------|------------------------------------------------------------------------------------------------------|----------------------------|
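Review bot: the "To 186.0.0" note lists the moved keys but not what happens to a values file that still uses the old ones. Helm does not reject unknown keys, so a user who had `iq_server.fluentd.forwarder.enabled: false` gets the sidecar back after upgrading, because `fluentd.sidecar_forwarder.enabled` defaults to `true` and the old key is simply ignored. Either add a template guard that calls `fail` when `.Values.iq_server.fluentd` is still set, or state that behaviour change here in plain words. The note should also mention the two new keys, `fluentd.sidecar_forwarder.daemonUser` and `fluentd.sidecar_forwarder.daemonGroup`, since they are part of the non-root setup this PR introduces and a reader following only this list would not know they exist.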
@@ -675,7 +706,6 @@ To upgrade Sonatype IQ Server and ensure a successful data migration, the follow
| `iq_server.livenessProbe.periodSeconds` | Period seconds for liveness probe | `20` |
| `iq_server.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | `3` |
| `iq_server.livenessProbe.failureThreshold` | Failure threshold for liveness probe | `3` |
| `iq_server.fluentd.forwarder.enabled` | Enable Fluentd forwarder | `true` |
| `iq_server.config` | A YAML block which will be used as a configuration block for IQ Server | See `values.yaml` |
| `iq_server.useGitSsh` | Use SSH to execute git operations for SCM integrations | `false` |
| `iq_server.sshPrivateKey` | SSH private key file to store on the nodes for ssh git operations | `nil` |
@@ -722,13 +752,17 @@ To upgrade Sonatype IQ Server and ensure a successful data migration, the follow
| `existingApplicationLoadBalancer.applicationTargetGroupARN` | Target group ARN for target synchronization with application endpoints | `nil` |
| `existingApplicationLoadBalancer.adminTargetGroupARN` | Target group ARN for target synchronization with admin endpoints | `nil` |
| `aggregateLogFileRetention.deleteCron` | Cron schedule expression for when to delete old aggregate log files if needed | `0 1 * * *` |
| `aggregateLogFileRetention.maxLastModifiedDays` | Maximum last modified time of an aggregate log file in days (0 disables deletion) | 50 |
| `aggregateLogFileRetention.maxLastModifiedDays` | Maximum last modified time of an aggregate log file in days (0 disables deletion) | `50` |
| `fluentd.enabled` | Enable Fluentd | `true` |
| `fluentd.resources.requests.cpu` | Fluentd sidecar cpu request | `nil` |
| `fluentd.resources.limits.cpu` | Fluentd sidecar cpu limit | `nil` |
| `fluentd.resources.requests.memory` | Fluentd sidecar memory request | `nil` |
| `fluentd.resources.limits.memory` | Fluentd sidecar memory limit | `nil` |
| `fluentd.config` | Fluentd configuration | See `values.yaml` |
| `fluentd.sidecar_forwarder.enabled` | Enable Fluentd sidecar forwarder | `true` |
| `fluentd.sidecar_forwarder.resources.requests.cpu` | Fluentd sidecar forwarder cpu request | `nil` |
| `fluentd.sidecar_forwarder.resources.limits.cpu` | Fluentd sidecar forwarder cpu limit | `nil` |
| `fluentd.sidecar_forwarder.resources.requests.memory` | Fluentd sidecar forwarder memory request | `nil` |
| `fluentd.sidecar_forwarder.resources.limits.memory` | Fluentd sidecar forwarder memory limit | `nil` |
| `fluentd.sidecar_forwarder.daemonUser` | Fluentd sidecar forwarder daemon user (set to root by default because it reads from host paths) | `root` |
| `fluentd.sidecar_forwarder.daemonGroup` | Fluentd sidecar forwarder daemon group (set to root by default because it reads from host paths) | `root` |
| `fluentd.sidecar_forwarder.securityContext` | Fluentd sidecar forwarder security context (See `values.yaml` for non root example) | `nil` |
| `hpa.enabled` | Enable Horizontal Pod Autoscaler | `false` |
| `hpa.minReplicas` | Minimum number of replicas | `2` |
| `hpa.maxReplicas` | Maximum number of replicas | `4` |
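Review bot: the justification in the `daemonUser` and `daemonGroup` rows ("set to root by default because it reads from host paths") does not match the template: the volume the sidecar reads, `-iq-server-pod-logs`, is declared as `emptyDir: {}` in iq-server-deployment.yaml, so the actual constraint is the ownership of the log files the IQ Server container writes into that shared volume. Rephrase the rows to say that, and have the `securityContext` row state how `runAsUser`/`runAsGroup` and `daemonUser`/`daemonGroup` relate when both are set (the test values in iq-server-deployment_test.yaml set `daemonUser: fluentd` together with `runAsUser: 1001`), since the table currently presents them as three independent options with no hint that they are meant to be changed together.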
2 changes: 1 addition & 1 deletion chart/templates/fluentd-config.yaml
@@ -1,5 +1,5 @@
{{- if .Values.fluentd.enabled }}
{{- if .Values.iq_server.fluentd.forwarder.enabled }}
{{- if .Values.fluentd.sidecar_forwarder.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
54 changes: 33 additions & 21 deletions chart/templates/iq-server-deployment.yaml
@@ -41,9 +41,11 @@ spec:
items:
- key: config
path: config.yml
{{- if and (.Values.fluentd.enabled) (.Values.iq_server.fluentd.forwarder.enabled) }}
{{- if and (.Values.fluentd.enabled) (.Values.fluentd.sidecar_forwarder.enabled) }}
- name: {{ .Release.Name }}-iq-server-pod-logs
emptyDir: {}
- name: {{ .Release.Name }}-fluentd-empty-dir
emptyDir: {}
- name: {{ .Release.Name }}-fluentd-pod-config-volume
configMap:
name: {{ .Release.Name }}-fluentd-sidecar-forwarder-configmap
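Review bot: the new `-fluentd-empty-dir` volume that backs the fluentd buffer directory has no `sizeLimit`. If the aggregator is unreachable, the file buffer grows without bound on the node's ephemeral storage, and when the kubelet reacts to disk pressure it evicts the whole IQ Server pod, not just the sidecar. Expose a `sizeLimit` for this `emptyDir` through a chart value (or document the matching buffer limits in `fluentd.config`) so the failure stays contained in the sidecar.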
@@ -85,6 +87,8 @@ spec:
- mountPath: "/opt/sonatype/nexus-iq-server/.ssh"
name: {{ .Release.Name }}-iq-server-pod-volume
subPath: .ssh
- mountPath: "/etc/nexus-iq-server"
name: {{ .Release.Name }}-iq-server-pod-config-volume
{{- if or (.Values.secret.arn) (.Values.secret.license.arn) (.Values.secret.rds.arn) (.Values.secret.sshPrivateKey.arn) (.Values.secret.sshKnownHosts.arn) }}
- mountPath: "/iq-secrets"
name: {{ .Release.Name }}-iq-server-secrets-volume
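Review bot: moving the `/etc/nexus-iq-server` mount above the secrets and license mounts is unrelated to the non-root change and shifts the container's `volumeMounts` indices, which is why the test assertion on `volumeMounts[2].mountPath` has to become `volumeMounts[3]`. If the reorder is intentional, say why in the PR description; otherwise keep the original position so that downstream kustomize or JSON-patch overlays that address mounts by index keep working across this release.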
@@ -95,9 +99,7 @@ spec:
name: {{ .Release.Name }}-iq-server-pod-license-volume
readOnly: true
{{- end }}
- mountPath: "/etc/nexus-iq-server"
name: {{ .Release.Name }}-iq-server-pod-config-volume
{{- if and (.Values.fluentd.enabled) (.Values.iq_server.fluentd.forwarder.enabled) }}
{{- if and (.Values.fluentd.enabled) (.Values.fluentd.sidecar_forwarder.enabled) }}
- mountPath: "/var/log/nexus-iq-server"
name: {{ .Release.Name }}-iq-server-pod-logs
{{- end }}
@@ -204,37 +206,47 @@ spec:
curl -If {{ .type }}://localhost:{{ .port }}/{{- if include "nexus-iq-server-ha.trimSpaceAndForwardSlashes" $.Values.iq_server.config.server.adminContextPath }}{{ include "nexus-iq-server-ha.trimSpaceAndForwardSlashes" $.Values.iq_server.config.server.adminContextPath }}/{{- end }}healthcheck/threadDeadlock
{{- end }}
{{- end }}
{{- if and (.Values.fluentd.enabled) (.Values.iq_server.fluentd.forwarder.enabled) }}
{{- if and (.Values.fluentd.enabled) (.Values.fluentd.sidecar_forwarder.enabled) }}
- name: {{ .Release.Name }}-fluentd-container
{{- with .Values.fluentd.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: {{ .Values.fluentd.image.repository }}:{{ .Values.fluentd.image.tag }}
imagePullPolicy: {{ .Values.fluentd.image.pullPolicy }}
resources:
requests:
{{- if .Values.fluentd.resources.requests.cpu }}
cpu: {{ .Values.fluentd.resources.requests.cpu }}
{{- if .Values.fluentd.sidecar_forwarder.resources.requests.cpu }}
cpu: {{ .Values.fluentd.sidecar_forwarder.resources.requests.cpu }}
{{- end }}
{{- if .Values.fluentd.resources.requests.memory }}
memory: {{ .Values.fluentd.resources.requests.memory }}
{{- if .Values.fluentd.sidecar_forwarder.resources.requests.memory }}
memory: {{ .Values.fluentd.sidecar_forwarder.resources.requests.memory }}
{{- end }}
limits:
{{- if .Values.fluentd.resources.limits.cpu }}
cpu: {{ .Values.fluentd.resources.limits.cpu }}
{{- if .Values.fluentd.sidecar_forwarder.resources.limits.cpu }}
cpu: {{ .Values.fluentd.sidecar_forwarder.resources.limits.cpu }}
{{- end }}
{{- if .Values.fluentd.resources.limits.memory }}
memory: {{ .Values.fluentd.resources.limits.memory }}
{{- if .Values.fluentd.sidecar_forwarder.resources.limits.memory }}
memory: {{ .Values.fluentd.sidecar_forwarder.resources.limits.memory }}
{{- end }}
volumeMounts:
- mountPath: "/opt/bitnami/fluentd/conf"
name: {{ .Release.Name }}-fluentd-pod-config-volume
- mountPath: "/var/log/nexus-iq-server"
name: {{ .Release.Name }}-iq-server-pod-logs
- name: {{ .Release.Name }}-fluentd-pod-config-volume
mountPath: "/opt/bitnami/fluentd/conf"
- name: {{ .Release.Name }}-iq-server-pod-logs
mountPath: "/var/log/nexus-iq-server"
- name: {{ .Release.Name }}-fluentd-empty-dir
mountPath: /opt/bitnami/fluentd/logs/buffers
env:
- name: FLUENTD_CONF
value: fluentd.yaml
{{- if .Values.fluentd.sidecar_forwarder.daemonUser }}
- name: FLUENTD_DAEMON_USER
value: {{ .Values.fluentd.sidecar_forwarder.daemonUser }}
{{- end }}
{{- if .Values.fluentd.sidecar_forwarder.daemonGroup }}
- name: FLUENTD_DAEMON_GROUP
value: {{ .Values.fluentd.sidecar_forwarder.daemonGroup }}
{{- end }}
{{- with .Values.fluentd.sidecar_forwarder.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
initContainers:
- name: {{ .Release.Name }}-set-iq-persistence-ownership
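Review bot: `value: {{ .Values.fluentd.sidecar_forwarder.daemonUser }}` and the matching `daemonGroup` line render the value unquoted, so a numeric setting such as `daemonUser: 1001` becomes a YAML integer and the API server rejects the env var, because `value` must be a string. Pipe both through `quote`, e.g. `value: {{ .Values.fluentd.sidecar_forwarder.daemonUser | quote }}`. Two smaller points in the same block: the new `mountPath: /opt/bitnami/fluentd/logs/buffers` is the only unquoted mount path among the three, so quote it for consistency, and since the `securityContext` block moved from the top of the container spec to the bottom, a one-line comment saying that a non-root `runAsUser` should be paired with a matching `daemonUser` would save the next reader a trip to the README.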
12 changes: 4 additions & 8 deletions chart/tests/fluentd-config_test.yaml
@@ -283,12 +283,10 @@ tests:
enabled: true
forwarder:
enabled: true
sidecar_forwarder:
enabled: true
aggregator:
enabled: true
iq_server:
fluentd:
forwarder:
enabled: true
asserts:
- hasDocuments:
count: 3
@@ -311,12 +309,10 @@ tests:
enabled: true
forwarder:
enabled: true
sidecar_forwarder:
enabled: false
aggregator:
enabled: false
iq_server:
fluentd:
forwarder:
enabled: false
asserts:
- hasDocuments:
count: 1
51 changes: 35 additions & 16 deletions chart/tests/iq-server-deployment_test.yaml
@@ -126,6 +126,8 @@ tests:
name: RELEASE-NAME-fluentd-pod-config-volume
- mountPath: /var/log/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-logs
- mountPath: /opt/bitnami/fluentd/logs/buffers
name: RELEASE-NAME-fluentd-empty-dir
initContainers:
- command:
- /bin/sh
@@ -149,8 +151,10 @@ tests:
path: config.yml
name: RELEASE-NAME-iq-server-config-configmap
name: RELEASE-NAME-iq-server-pod-config-volume
- emptyDir: { }
- emptyDir: {}
name: RELEASE-NAME-iq-server-pod-logs
- emptyDir: {}
name: RELEASE-NAME-fluentd-empty-dir
- configMap:
items:
- key: fluentd
@@ -254,17 +258,22 @@ tests:
image: busybox2
tag: "1.29"
fluentd:
resources:
requests:
cpu: 2
memory: "500M"
limits:
cpu: 4
memory: "1Gi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
sidecar_forwarder:
resources:
requests:
cpu: 2
memory: "500M"
limits:
cpu: 4
memory: "1Gi"
daemonUser: fluentd
daemonGroup: fluentd
securityContext:
runAsUser: 1001
runAsGroup: 1001
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
asserts:
- hasDocuments:
count: 1
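Review bot: these test values exercise only the fully non-root combination (`daemonUser`/`daemonGroup` set to `fluentd` together with `runAsUser`/`runAsGroup` `1001`). Since the README defaults `daemonUser` and `daemonGroup` to `root` and leaves `securityContext` at `nil`, add a second case with the defaults that asserts `FLUENTD_DAEMON_USER`/`FLUENTD_DAEMON_GROUP` render as `root` and no `securityContext` is emitted, so a later change to the defaults cannot silently alter what the sidecar runs as.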
@@ -381,20 +390,26 @@ tests:
- mountPath: "/opt/sonatype/nexus-iq-server/.ssh"
name: RELEASE-NAME-iq-server-pod-volume
subPath: .ssh
- mountPath: /etc/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-config-volume
- mountPath: /license
name: RELEASE-NAME-iq-server-pod-license-volume
readOnly: true
- mountPath: /etc/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-config-volume
- mountPath: /var/log/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-logs
- env:
- name: FLUENTD_CONF
value: fluentd.yaml
- name: FLUENTD_DAEMON_USER
value: fluentd
- name: FLUENTD_DAEMON_GROUP
value: fluentd
image: bitnami/fluentd:1.18.0-debian-12-r0
imagePullPolicy: IfNotPresent
name: RELEASE-NAME-fluentd-container
securityContext:
runAsUser: 1001
runAsGroup: 1001
allowPrivilegeEscalation: false
capabilities:
drop: [ "ALL" ]
@@ -410,6 +425,8 @@ tests:
name: RELEASE-NAME-fluentd-pod-config-volume
- mountPath: /var/log/nexus-iq-server
name: RELEASE-NAME-iq-server-pod-logs
- mountPath: /opt/bitnami/fluentd/logs/buffers
name: RELEASE-NAME-fluentd-empty-dir
initContainers:
- command:
- /bin/sh
@@ -440,8 +457,10 @@ tests:
path: config.yml
name: RELEASE-NAME-iq-server-config-configmap
name: RELEASE-NAME-iq-server-pod-config-volume
- emptyDir: { }
- emptyDir: {}
name: RELEASE-NAME-iq-server-pod-logs
- emptyDir: {}
name: RELEASE-NAME-fluentd-empty-dir
- configMap:
items:
- key: fluentd
@@ -468,7 +487,7 @@ tests:
secretName: "someLicenseSecret"
documentIndex: 0
- equal:
path: spec.template.spec.containers[0].volumeMounts[2].mountPath
path: spec.template.spec.containers[0].volumeMounts[3].mountPath
value: "/license"
documentIndex: 0
- equal:
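Review bot: changing `volumeMounts[2].mountPath` to `volumeMounts[3].mountPath` keeps this assertion tied to mount ordering, which is exactly what the deployment template change in this PR just shifted. A helm-unittest `contains` assertion on `path: spec.template.spec.containers[0].volumeMounts` with `content` set to the `/license` mount (`mountPath`, `name`, `readOnly: true`) checks the same thing without depending on position and will not need editing the next time a mount is added or reordered.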