This is an automated email from the ASF dual-hosted git repository.
wusheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking-kubernetes.git
The following commit(s) were added to refs/heads/master by this push:
new 7d3837e default rbac for oap (#111)
7d3837e is described below
commit 7d3837e48bcd4c4c59edb5dd580f53c8a98ae1fd
Author: innerpeacez <in...@gmail.com>
AuthorDate: Thu Mar 9 19:27:57 2023 +0800
default rbac for oap (#111)
---
chart/skywalking/README.md | 271 ++++++++++-----------
chart/skywalking/templates/_helpers.tpl | 6 +-
chart/skywalking/templates/oap-clusterrole.yaml | 4 +-
.../templates/oap-clusterrolebinding.yaml | 2 +-
chart/skywalking/templates/oap-role.yaml | 2 +-
chart/skywalking/templates/oap-rolebinding.yaml | 2 +-
chart/skywalking/templates/oap-serviceaccount.yaml | 2 +
chart/skywalking/values.yaml | 7 +-
test/e2e/e2e.yaml | 1 -
9 files changed, 150 insertions(+), 147 deletions(-)
diff --git a/chart/skywalking/README.md b/chart/skywalking/README.md
index 2f4b245..757ccf8 100644
--- a/chart/skywalking/README.md
+++ b/chart/skywalking/README.md
@@ -38,137 +38,137 @@ The command removes all the Kubernetes components associated with the chart and
The following table lists the configurable parameters of the Skywalking chart and their default values.
-| Parameter | Description | Default |
-|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
-| `nameOverride` | Override name | `nil` |
-| `serviceAccounts.oap` | Name of the OAP service account to use or create | `nil` |
-| `imagePullSecrets` | Image pull secrets | `[]` |
-| `oap.name` | OAP deployment name | `oap` |
-| `oap.dynamicConfig.enabled` | Enable oap dynamic configuration through k8s configmap | `false` |
-| `oap.dynamicConfig.period` | Sync period in seconds | `60` |
-| `oap.dynamicConfig.config` | Oap dynamic configuration [documentation](https://github.com/apache/skywalking/blob/master/docs/en/setup/backend/dynamic-config.md) | `{}` |
-| `oap.image.repository` | OAP container image name | `skywalking.docker.scarf.sh/apache/skywalking-oap-server` |
-| `oap.image.tag` | OAP container image tag | `6.1.0` |
-| `oap.image.pullPolicy` | OAP container image pull policy | `IfNotPresent` |
-| `oap.ports.grpc` | OAP grpc port for tracing or metric | `11800` |
-| `oap.ports.rest` | OAP http port for Web UI | `12800` |
-| `oap.replicas` | OAP k8s deployment replicas | `2` |
-| `oap.service.type` | OAP svc type | `ClusterIP` |
-| `oap.javaOpts` | Parameters to be added to `JAVA_OPTS`environment variable for OAP | `-Xms2g -Xmx2g` |
-| `oap.antiAffinity` | OAP anti-affinity policy | `soft` |
-| `oap.nodeAffinity` | OAP node affinity policy | `{}` |
-| `oap.nodeSelector` | OAP labels for master pod assignment | `{}` |
-| `oap.tolerations` | OAP tolerations | `[]` |
-| `oap.resources` | OAP node resources requests & limits | `{} - cpu limit must be an integer` |
-| `oap.startupProbe` | Configuration fields for the [startupProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | `tcpSocket.port: 12800` <br> `failureThreshold: 9` <br> `periodSeconds: 10`
-| `oap.livenessProbe` | Configuration fields for the [livenessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | `tcpSocket.port: 12800` <br> `initialDelaySeconds: 5` <br> `periodSeconds: 10`
-| `oap.readinessProbe` | Configuration fields for the [readinessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | `tcpSocket.port: 12800` <br> `initialDelaySeconds: 5` <br> `periodSeconds: 10`
-| `oap.envoy.als.enabled` | Open envoy als | `false` |
-| `oap.env` | OAP environment variables | `[]` |
-| `oap.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
-| `ui.name` | Web UI deployment name | `ui` |
-| `ui.replicas` | Web UI k8s deployment replicas | `1` |
-| `ui.image.repository` | Web UI container image name | `skywalking.docker.scarf.sh/apache/skywalking-ui` |
-| `ui.image.tag` | Web UI container image tag | `6.1.0` |
-| `ui.image.pullPolicy` | Web UI container image pull policy | `IfNotPresent` |
-| `ui.nodeAffinity` | Web UI node affinity policy | `{}` |
-| `ui.nodeSelector` | Web UI labels for pod assignment | `{}` |
-| `ui.tolerations` | Web UI tolerations | `[]` |
-| `ui.ingress.enabled` | Create Ingress for Web UI | `false` |
-| `ui.ingress.annotations` | Associate annotations to the Ingress | `{}` |
-| `ui.ingress.path` | Associate path with the Ingress | `/` |
-| `ui.ingress.hosts` | Associate hosts with the Ingress | `[]` |
-| `ui.ingress.tls` | Associate TLS with the Ingress | `[]` |
-| `ui.service.type` | Web UI svc type | `ClusterIP` |
-| `ui.service.externalPort` | external port for the service | `80` |
-| `ui.service.internalPort` | internal port for the service | `8080` |
-| `ui.service.externalIPs` | external IP addresses | `nil` |
-| `ui.service.loadBalancerIP` | Load Balancer IP address | `nil` |
-| `ui.service.annotations` | Kubernetes service annotations | `{}` |
-| `ui.service.loadBalancerSourceRanges` | Limit load balancer source IPs to list of CIDRs (where available)) | `[]` |
-| `ui.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
-| `oapInit.nodeAffinity` | OAP init job node affinity policy | `{}` |
-| `oapInit.nodeSelector` | OAP init job labels for master pod assignment | `{}` |
-| `oapInit.tolerations` | OAP init job tolerations | `[]` |
-| `elasticsearch.enabled` | Spin up a new elasticsearch cluster for SkyWalking | `true` |
-| `elasticsearch.clusterName` | This will be used as the Elasticsearch [cluster.name](https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster.name.html) and should be unique per cluster in the namespace | `elasticsearch` |
-| `elasticsearch.nodeGroup` | This is the name that will be used for each group of nodes in the cluster. The name will be `clusterName-nodeGroup-X` | `master` |
-| `elasticsearch.masterService` | Optional. The service name used to connect to the masters. You only need to set this if your master `nodeGroup` is set to something other than `master`. See [Clustering and Node Discovery](#clustering-and-node-discovery) for more information. | `` |
-| `elasticsearch.roles` | A hash map with the [specific roles](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) for the node group | `master: true`<br>`data: true`<br>`ingest: true` |
-| `elasticsearch.replicas` | Kubernetes replica count for the statefulset (i.e. how many pods) | `3` |
-| `elasticsearch.minimumMasterNodes` | The value for [discovery.zen.minimum_master_nodes](https://www.elastic.co/guide/en/elasticsearch/reference/6.7/discovery-settings.html#minimum_master_nodes). Should be set to `(master_eligible_nodes / 2) + 1`. Ignored in Elasticsearch versions >= 7. | `2` |
-| `elasticsearch.esMajorVersion` | Used to set major version specific configuration. If you are using a custom image and not running the default Elasticsearch version you will need to set this to the version you are running (e.g. `esMajorVersion: 6`) | `""` |
-| `elasticsearch.esConfig` | Allows you to add any config files in `/usr/share/elasticsearch/config/` such as `elasticsearch.yml` and `log4j2.properties`. See [values.yaml](./values.yaml) for an example of the formatting. | `{}` |
-| `elasticsearch.extraEnvs` | Extra [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config) which will be appended to the `env:` definition for the container | `[]` |
-| `elasticsearch.extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function | `""` |
-| `elasticsearch.extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function | `""` |
-| `elasticsearch.extraInitContainers` | Templatable string of additional init containers to be passed to the `tpl` function | `""` |
-| `elasticsearch.secretMounts` | Allows you easily mount a secret as a file inside the statefulset. Useful for mounting certificates and other secrets. See [values.yaml](./values.yaml) for an example | `[]` |
-| `elasticsearch.image` | The Elasticsearch docker image | `docker.elastic.co/elasticsearch/elasticsearch` |
-| `elasticsearch.imageTag` | The Elasticsearch docker image tag | `7.5.1` |
-| `elasticsearch.imagePullPolicy` | The Kubernetes [imagePullPolicy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) value | `IfNotPresent` |
-| `elasticsearch.podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Elasticsearch pods | `{}` |
-| `elasticsearch.labels` | Configurable [label](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) applied to all Elasticsearch pods | `{}` |
-| `elasticsearch.esJavaOpts` | [Java options](https://www.elastic.co/guide/en/elasticsearch/reference/current/jvm-options.html) for Elasticsearch. This is where you should configure the [jvm heap size](https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html) | `-Xmx1g -Xms1g` |
-| `elasticsearch.resources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the statefulset | `requests.cpu: 100m`<br>`requests.memory: 2Gi`<br>`limits.cpu: 1000m`<br>`limits.memory: 2Gi` |
-| `elasticsearch.initResources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the initContainer in the statefulset | {} |
-| `elasticsearch.sidecarResources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the sidecar containers in the statefulset | {} |
-| `elasticsearch.networkHost` | Value for the [network.host Elasticsearch setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/network.host.html) | `0.0.0.0` |
-| `elasticsearch.volumeClaimTemplate` | Configuration for the [volumeClaimTemplate for statefulsets](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-storage). You will want to adjust the storage (default `30Gi`) and the `storageClassName` if you are using a different storage class | `accessModes: [ "ReadWriteOnce" ]`<br>`resources.requests.storage: 30Gi` |
-| `elasticsearch.persistence.annotations` | Additional persistence annotations for the `volumeClaimTemplate` | `{}` |
-| `elasticsearch.persistence.enabled` | Enables a persistent volume for Elasticsearch data. Can be disabled for nodes that only have [roles](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) which don't require persistent data. | `true` |
-| `elasticsearch.priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `""` |
-| `elasticsearch.antiAffinityTopologyKey` | The [anti-affinity topology key](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). By default this will prevent multiple Elasticsearch nodes from running on the same Kubernetes node | `kubernetes.io/hostname` |
-| `elasticsearch.antiAffinity` | Setting this to hard enforces the [anti-affinity rules](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). If it is set to soft it will be done "best effort". Other values will be ignored. | `hard` |
-| `elasticsearch.nodeAffinity` | Value for the [node affinity settings](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature) | `{}` |
-| `elasticsearch.podManagementPolicy` | By default Kubernetes [deploys statefulsets serially](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies). This deploys them in parallel so that they can discover eachother | `Parallel` |
-| `elasticsearch.protocol` | The protocol that will be used for the readinessProbe. Change this to `https` if you have `xpack.security.http.ssl.enabled` set | `http` |
-| `elasticsearch.httpPort` | The http port that Kubernetes will use for the healthchecks and the service. If you change this you will also need to set [http.port](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html#_settings) in `extraEnvs` | `9200` |
-| `elasticsearch.transportPort` | The transport port that Kubernetes will use for the service. If you change this you will also need to set [transport port configuration](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html#_transport_settings) in `extraEnvs` | `9300` |
-| `elasticsearch.service.labels` | Labels to be added to non-headless service | `{}` |
-| `elasticsearch.service.labelsHeadless` | Labels to be added to headless service | `{}` |
-| `elasticsearch.service.type` | Type of elasticsearch service. [Service Types](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | `ClusterIP` |
-| `elasticsearch.service.nodePort` | Custom [nodePort](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport) port that can be set if you are using `service.type: nodePort`. | `` |
-| `elasticsearch.service.annotations` | Annotations that Kubernetes will use for the service. This will configure load balancer if `service.type` is `LoadBalancer` [Annotations](https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws) | `{}` |
-| `elasticsearch.service.httpPortName` | The name of the http port within the service | `http` |
-| `elasticsearch.service.transportPortName` | The name of the transport port within the service | `transport` |
-| `elasticsearch.updateStrategy` | The [updateStrategy](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) for the statefulset. By default Kubernetes will wait for the cluster to be green after upgrading each pod. Setting this to `OnDelete` will allow you to manually delete each pod during upgrades | `RollingUpdate` |
-| `elasticsearch.maxUnavailable` | The [maxUnavailable](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget) value for the pod disruption budget. By default this will prevent Kubernetes from having more than 1 unhealthy pod in the node group | `1` |
-| `elasticsearch.fsGroup (DEPRECATED)` | The Group ID (GID) for [securityContext.fsGroup](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) so that the Elasticsearch user can read from the persistent volume | `` |
-| `elasticsearch.podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
-| `elasticsearch.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`<br>`runAsNonRoot: true`<br>`runAsUser: 1000` |
-| `elasticsearch.terminationGracePeriod` | The [terminationGracePeriod](https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods) in seconds used when trying to stop the pod | `120` |
-| `elasticsearch.sysctlInitContainer.enabled` | Allows you to disable the sysctlInitContainer if you are setting vm.max_map_count with another method | `true` |
-| `elasticsearch.sysctlVmMaxMapCount` | Sets the [sysctl vm.max_map_count](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count) needed for Elasticsearch | `262144` |
-| `elasticsearch.readinessProbe` | Configuration fields for the [readinessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
-| `elasticsearch.clusterHealthCheckParams` | The [Elasticsearch cluster health status params](https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-health.html#request-params) that will be used by readinessProbe command | `wait_for_status=green&timeout=1s` |
-| `elasticsearch.imagePullSecrets` | Configuration for [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) so that you can use a private registry for your image | `[]` |
-| `elasticsearch.nodeSelector` | Configurable [nodeSelector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) so that you can target specific nodes for your Elasticsearch cluster | `{}` |
-| `elasticsearch.tolerations` | Configurable [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` |
-| `elasticsearch.ingress` | Configurable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) to expose the Elasticsearch service. See [`values.yaml`](./values.yaml) for an example | `enabled: false` |
-| `elasticsearch.schedulerName` | Name of the [alternate scheduler](https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/#specify-schedulers-for-pods) | `nil` |
-| `elasticsearch.masterTerminationFix` | A workaround needed for Elasticsearch < 7.2 to prevent master status being lost during restarts [#63](https://github.com/elastic/helm-charts/issues/63) | `false` |
-| `elasticsearch.lifecycle` | Allows you to add lifecycle configuration. See [values.yaml](./values.yaml) for an example of the formatting. | `{}` |
-| `elasticsearch.keystore` | Allows you map Kubernetes secrets into the keystore. See the [config example](/elasticsearch/examples/config/values.yaml) and [how to use the keystore](#how-to-use-the-keystore) | `[]` |
-| `elasticsearch.rbac` | Configuration for creating a role, role binding and service account as part of this helm chart with `create: true`. Also can be used to reference an external service account with `serviceAccountName: "externalServiceAccountName"`. | `create: false`<br>`serviceAccountName: ""` |
-| `elasticsearch.podSecurityPolicy` | Configuration for create a pod security policy with minimal permissions to run this Helm chart with `create: true`. Also can be used to reference an external pod security policy with `name: "externalPodSecurityPolicy"` | `create: false`<br>`name: ""` |
-| `satellite.name` | Satellite deployment name | `satellite` |
-| `satellite.replicas` | Satellite k8s deployment replicas | `1` |
-| `satellite.enabled` | Is enable Satellite | `false` |
-| `satellite.image.repository` | Satellite container image name | `skywalking.docker.scarf.sh/apache/skywalking-satellite` |
-| `satellite.image.tag` | Satellite container image tag | `v0.4.0` |
-| `satellite.image.pullPolicy` | Satellite container image pull policy | `IfNotPresent` |
-| `satellite.antiAffinity` | Satellite anti-affinity policy | `soft` |
-| `satellite.nodeAffinity` | Satellite node affinity policy | `{}` |
-| `satellite.nodeSelector` | Satellite labels for pod assignment | `{}` |
-| `satellite.tolerations` | Satellite tolerations | `[]` |
-| `satellite.service.type` | Satellite svc type | `ClusterIP` |
-| `satellite.ports.grpc` | Satellite grpc port for tracing, metrics, logs, events | `11800` |
-| `satellite.ports.prometheus` | Satellite http port for Prometheus monitoring | `1234` |
-| `satellite.resources` | Satellite node resources requests & limits | `{} - cpu limit must be an integer` |
-| `satellite.podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Satellite pods | `{}` |
-| `satellite.env` | Satellite environment variables | `[]` |
-| `satellite.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
+| Parameter | Description | Default |
+|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|
+| `nameOverride` | Override name | `nil` |
+| `serviceAccounts.oap.create` | Create of the OAP service account | `true` |
+| `serviceAccounts.oap.name` | Name of the OAP service account to use custom service account when `serviceAccounts.oap.create` is set to false | `` |
+| `imagePullSecrets` | Image pull secrets | `[]` |
+| `oap.name` | OAP deployment name | `oap` |
+| `oap.dynamicConfig.enabled` | Enable oap dynamic configuration through k8s configmap | `false` |
+| `oap.dynamicConfig.period` | Sync period in seconds | `60` |
+| `oap.dynamicConfig.config` | Oap dynamic configuration [documentation](https://github.com/apache/skywalking/blob/master/docs/en/setup/backend/dynamic-config.md) | `{}` |
+| `oap.image.repository` | OAP container image name | `skywalking.docker.scarf.sh/apache/skywalking-oap-server` |
+| `oap.image.tag` | OAP container image tag | `6.1.0` |
+| `oap.image.pullPolicy` | OAP container image pull policy | `IfNotPresent` |
+| `oap.ports.grpc` | OAP grpc port for tracing or metric | `11800` |
+| `oap.ports.rest` | OAP http port for Web UI | `12800` |
+| `oap.replicas` | OAP k8s deployment replicas | `2` |
+| `oap.service.type` | OAP svc type | `ClusterIP` |
+| `oap.javaOpts` | Parameters to be added to `JAVA_OPTS`environment variable for OAP | `-Xms2g -Xmx2g` |
+| `oap.antiAffinity` | OAP anti-affinity policy | `soft` |
+| `oap.nodeAffinity` | OAP node affinity policy | `{}` |
+| `oap.nodeSelector` | OAP labels for master pod assignment | `{}` |
+| `oap.tolerations` | OAP tolerations | `[]` |
+| `oap.resources` | OAP node resources requests & limits | `{} - cpu limit must be an integer` |
+| `oap.startupProbe` | Configuration fields for the [startupProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | `tcpSocket.port: 12800` <br> `failureThreshold: 9` <br> `periodSeconds: 10`
+| `oap.livenessProbe` | Configuration fields for the [livenessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | `tcpSocket.port: 12800` <br> `initialDelaySeconds: 5` <br> `periodSeconds: 10`
+| `oap.readinessProbe` | Configuration fields for the [readinessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | `tcpSocket.port: 12800` <br> `initialDelaySeconds: 5` <br> `periodSeconds: 10`
+| `oap.env` | OAP environment variables | `[]` |
+| `oap.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
+| `ui.name` | Web UI deployment name | `ui` |
+| `ui.replicas` | Web UI k8s deployment replicas | `1` |
+| `ui.image.repository` | Web UI container image name | `skywalking.docker.scarf.sh/apache/skywalking-ui` |
+| `ui.image.tag` | Web UI container image tag | `6.1.0` |
+| `ui.image.pullPolicy` | Web UI container image pull policy | `IfNotPresent` |
+| `ui.nodeAffinity` | Web UI node affinity policy | `{}` |
+| `ui.nodeSelector` | Web UI labels for pod assignment | `{}` |
+| `ui.tolerations` | Web UI tolerations | `[]` |
+| `ui.ingress.enabled` | Create Ingress for Web UI | `false` |
+| `ui.ingress.annotations` | Associate annotations to the Ingress | `{}` |
+| `ui.ingress.path` | Associate path with the Ingress | `/` |
+| `ui.ingress.hosts` | Associate hosts with the Ingress | `[]` |
+| `ui.ingress.tls` | Associate TLS with the Ingress | `[]` |
+| `ui.service.type` | Web UI svc type | `ClusterIP` |
+| `ui.service.externalPort` | external port for the service | `80` |
+| `ui.service.internalPort` | internal port for the service | `8080` |
+| `ui.service.externalIPs` | external IP addresses | `nil` |
+| `ui.service.loadBalancerIP` | Load Balancer IP address | `nil` |
+| `ui.service.annotations` | Kubernetes service annotations | `{}` |
+| `ui.service.loadBalancerSourceRanges` | Limit load balancer source IPs to list of CIDRs (where available)) | `[]` |
+| `ui.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
+| `oapInit.nodeAffinity` | OAP init job node affinity policy | `{}` |
+| `oapInit.nodeSelector` | OAP init job labels for master pod assignment | `{}` |
+| `oapInit.tolerations` | OAP init job tolerations | `[]` |
+| `elasticsearch.enabled` | Spin up a new elasticsearch cluster for SkyWalking | `true` |
+| `elasticsearch.clusterName` | This will be used as the Elasticsearch [cluster.name](https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster.name.html) and should be unique per cluster in the namespace | `elasticsearch` |
+| `elasticsearch.nodeGroup` | This is the name that will be used for each group of nodes in the cluster. The name will be `clusterName-nodeGroup-X` | `master` |
+| `elasticsearch.masterService` | Optional. The service name used to connect to the masters. You only need to set this if your master `nodeGroup` is set to something other than `master`. See [Clustering and Node Discovery](#clustering-and-node-discovery) for more information. | `` |
+| `elasticsearch.roles` | A hash map with the [specific roles](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) for the node group | `master: true`<br>`data: true`<br>`ingest: true` |
+| `elasticsearch.replicas` | Kubernetes replica count for the statefulset (i.e. how many pods) | `3` |
+| `elasticsearch.minimumMasterNodes` | The value for [discovery.zen.minimum_master_nodes](https://www.elastic.co/guide/en/elasticsearch/reference/6.7/discovery-settings.html#minimum_master_nodes). Should be set to `(master_eligible_nodes / 2) + 1`. Ignored in Elasticsearch versions >= 7. | `2` |
+| `elasticsearch.esMajorVersion` | Used to set major version specific configuration. If you are using a custom image and not running the default Elasticsearch version you will need to set this to the version you are running (e.g. `esMajorVersion: 6`) | `""` |
+| `elasticsearch.esConfig` | Allows you to add any config files in `/usr/share/elasticsearch/config/` such as `elasticsearch.yml` and `log4j2.properties`. See [values.yaml](./values.yaml) for an example of the formatting. | `{}` |
+| `elasticsearch.extraEnvs` | Extra [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config) which will be appended to the `env:` definition for the container | `[]` |
+| `elasticsearch.extraVolumes` | Templatable string of additional volumes to be passed to the `tpl` function | `""` |
+| `elasticsearch.extraVolumeMounts` | Templatable string of additional volumeMounts to be passed to the `tpl` function | `""` |
+| `elasticsearch.extraInitContainers` | Templatable string of additional init containers to be passed to the `tpl` function | `""` |
+| `elasticsearch.secretMounts` | Allows you easily mount a secret as a file inside the statefulset. Useful for mounting certificates and other secrets. See [values.yaml](./values.yaml) for an example | `[]` |
+| `elasticsearch.image` | The Elasticsearch docker image | `docker.elastic.co/elasticsearch/elasticsearch` |
+| `elasticsearch.imageTag` | The Elasticsearch docker image tag | `7.5.1` |
+| `elasticsearch.imagePullPolicy` | The Kubernetes [imagePullPolicy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) value | `IfNotPresent` |
+| `elasticsearch.podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Elasticsearch pods | `{}` |
+| `elasticsearch.labels` | Configurable [label](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) applied to all Elasticsearch pods | `{}` |
+| `elasticsearch.esJavaOpts` | [Java options](https://www.elastic.co/guide/en/elasticsearch/reference/current/jvm-options.html) for Elasticsearch. This is where you should configure the [jvm heap size](https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html) | `-Xmx1g -Xms1g` |
+| `elasticsearch.resources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the statefulset | `requests.cpu: 100m`<br>`requests.memory: 2Gi`<br>`limits.cpu: 1000m`<br>`limits.memory: 2Gi` |
+| `elasticsearch.initResources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the initContainer in the statefulset | {} |
+| `elasticsearch.sidecarResources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the sidecar containers in the statefulset | {} |
+| `elasticsearch.networkHost` | Value for the [network.host Elasticsearch setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/network.host.html) | `0.0.0.0` |
+| `elasticsearch.volumeClaimTemplate` | Configuration for the [volumeClaimTemplate for statefulsets](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-storage). You will want to adjust the storage (default `30Gi`) and the `storageClassName` if you are using a different storage class | `accessModes: [ "ReadWriteOnce" ]`<br>`resources.requests.storage: 30Gi` |
+| `elasticsearch.persistence.annotations` | Additional persistence annotations for the `volumeClaimTemplate` | `{}` |
+| `elasticsearch.persistence.enabled` | Enables a persistent volume for Elasticsearch data. Can be disabled for nodes that only have [roles](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) which don't require persistent data. | `true` |
+| `elasticsearch.priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `""` |
+| `elasticsearch.antiAffinityTopologyKey` | The [anti-affinity topology key](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). By default this will prevent multiple Elasticsearch nodes from running on the same Kubernetes node | `kubernetes.io/hostname` |
+| `elasticsearch.antiAffinity` | Setting this to hard enforces the [anti-affinity rules](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). If it is set to soft it will be done "best effort". Other values will be ignored. | `hard` |
+| `elasticsearch.nodeAffinity` | Value for the [node affinity settings](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature) | `{}` |
+| `elasticsearch.podManagementPolicy` | By default Kubernetes [deploys statefulsets serially](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies). This deploys them in parallel so that they can discover eachother | `Parallel` |
+| `elasticsearch.protocol` | The protocol that will be used for the readinessProbe. Change this to `https` if you have `xpack.security.http.ssl.enabled` set | `http` |
+| `elasticsearch.httpPort` | The http port that Kubernetes will use for the healthchecks and the service. If you change this you will also need to set [http.port](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html#_settings) in `extraEnvs` | `9200` |
+| `elasticsearch.transportPort` | The transport port that Kubernetes will use for the service. If you change this you will also need to set [transport port configuration](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html#_transport_settings) in `extraEnvs` | `9300` |
+| `elasticsearch.service.labels` | Labels to be added to non-headless service | `{}` |
+| `elasticsearch.service.labelsHeadless` | Labels to be added to headless service | `{}` |
+| `elasticsearch.service.type` | Type of elasticsearch service. [Service Types](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | `ClusterIP` |
+| `elasticsearch.service.nodePort` | Custom [nodePort](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport) port that can be set if you are using `service.type: nodePort`. | `` |
+| `elasticsearch.service.annotations` | Annotations that Kubernetes will use for the service. This will configure load balancer if `service.type` is `LoadBalancer` [Annotations](https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws) | `{}` |
+| `elasticsearch.service.httpPortName` | The name of the http port within the service | `http` |
+| `elasticsearch.service.transportPortName` | The name of the transport port within the service | `transport` |
+| `elasticsearch.updateStrategy` | The [updateStrategy](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) for the statefulset. By default Kubernetes will wait for the cluster to be green after upgrading each pod. Setting this to `OnDelete` will allow you to manually delete each pod during upgrades | `RollingUpdate` |
+| `elasticsearch.maxUnavailable` | The [maxUnavailable](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget) value for the pod disruption budget. By default this will prevent Kubernetes from having more than 1 unhealthy pod in the node group | `1` |
+| `elasticsearch.fsGroup (DEPRECATED)` | The Group ID (GID) for [securityContext.fsGroup](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) so that the Elasticsearch user can read from the persistent volume | `` |
+| `elasticsearch.podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
+| `elasticsearch.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`<br>`runAsNonRoot: true`<br>`runAsUser: 1000` |
+| `elasticsearch.terminationGracePeriod` | The [terminationGracePeriod](https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods) in seconds used when trying to stop the pod | `120` |
+| `elasticsearch.sysctlInitContainer.enabled` | Allows you to disable the sysctlInitContainer if you are setting vm.max_map_count with another method | `true` |
+| `elasticsearch.sysctlVmMaxMapCount` | Sets the [sysctl vm.max_map_count](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count) needed for Elasticsearch | `262144` |
+| `elasticsearch.readinessProbe` | Configuration fields for the [readinessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
+| `elasticsearch.clusterHealthCheckParams` | The [Elasticsearch cluster health status params](https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-health.html#request-params) that will be used by readinessProbe command | `wait_for_status=green&timeout=1s` |
+| `elasticsearch.imagePullSecrets` | Configuration for [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) so that you can use a private registry for your image | `[]` |
+| `elasticsearch.nodeSelector` | Configurable [nodeSelector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) so that you can target specific nodes for your Elasticsearch cluster | `{}` |
+| `elasticsearch.tolerations` | Configurable [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` |
+| `elasticsearch.ingress` | Configurable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) to expose the Elasticsearch service. See [`values.yaml`](./values.yaml) for an example | `enabled: false` |
+| `elasticsearch.schedulerName` | Name of the [alternate scheduler](https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/#specify-schedulers-for-pods) | `nil` |
+| `elasticsearch.masterTerminationFix` | A workaround needed for Elasticsearch < 7.2 to prevent master status being lost during restarts [#63](https://github.com/elastic/helm-charts/issues/63) | `false` |
+| `elasticsearch.lifecycle` | Allows you to add lifecycle configuration. See [values.yaml](./values.yaml) for an example of the formatting. | `{}` |
+| `elasticsearch.keystore` | Allows you map Kubernetes secrets into the keystore. See the [config example](/elasticsearch/examples/config/values.yaml) and [how to use the keystore](#how-to-use-the-keystore) | `[]` |
+| `elasticsearch.rbac` | Configuration for creating a role, role binding and service account as part of this helm chart with `create: true`. Also can be used to reference an external service account with `serviceAccountName: "externalServiceAccountName"`. | `create: false`<br>`serviceAccountName: ""` |
+| `elasticsearch.podSecurityPolicy` | Configuration for create a pod security policy with minimal permissions to run this Helm chart with `create: true`. Also can be used to reference an external pod security policy with `name: "externalPodSecurityPolicy"` | `create: false`<br>`name: ""` |
+| `satellite.name` | Satellite deployment name | `satellite` |
+| `satellite.replicas` | Satellite k8s deployment replicas | `1` |
+| `satellite.enabled` | Is enable Satellite | `false` |
+| `satellite.image.repository` | Satellite container image name | `skywalking.docker.scarf.sh/apache/skywalking-satellite` |
+| `satellite.image.tag` | Satellite container image tag | `v0.4.0` |
+| `satellite.image.pullPolicy` | Satellite container image pull policy | `IfNotPresent` |
+| `satellite.antiAffinity` | Satellite anti-affinity policy | `soft` |
+| `satellite.nodeAffinity` | Satellite node affinity policy | `{}` |
+| `satellite.nodeSelector` | Satellite labels for pod assignment | `{}` |
+| `satellite.tolerations` | Satellite tolerations | `[]` |
+| `satellite.service.type` | Satellite svc type | `ClusterIP` |
+| `satellite.ports.grpc` | Satellite grpc port for tracing, metrics, logs, events | `11800` |
+| `satellite.ports.prometheus` | Satellite http port for Prometheus monitoring | `1234` |
+| `satellite.resources` | Satellite node resources requests & limits | `{} - cpu limit must be an integer` |
+| `satellite.podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Satellite pods | `{}` |
+| `satellite.env` | Satellite environment variables | `[]` |
+| `satellite.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
@@ -225,13 +225,12 @@ ui:
Envoy ALS(access log service) provides fully logs about RPC routed, including HTTP and TCP.
-If you want to open envoy ALS, you can do this by modifying values.yaml.
+If you want to open envoy ALS, you can do this by modifying values.yaml. default open.
```yaml
-oap:
- envoy:
- als:
- enabled: true
+serviceAccounts:
+ oap:
+ create: true
```
When envoy als ,will give ServiceAccount clusterrole permission.
diff --git a/chart/skywalking/templates/_helpers.tpl b/chart/skywalking/templates/_helpers.tpl
index a7b6ad9..7461915 100644
--- a/chart/skywalking/templates/_helpers.tpl
+++ b/chart/skywalking/templates/_helpers.tpl
@@ -75,7 +75,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
Create the name of the service account to use for the oap cluster
*/}}
{{- define "skywalking.serviceAccountName.oap" -}}
-{{ default (include "skywalking.oap.fullname" .) .Values.serviceAccounts.oap }}
+{{- if .Values.serviceAccounts.oap.create -}}
+ {{ default (include "skywalking.oap.fullname" .) .Values.serviceAccounts.oap.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccounts.oap.name }}
+{{- end -}}
{{- end -}}
{{/*
diff --git a/chart/skywalking/templates/oap-clusterrole.yaml b/chart/skywalking/templates/oap-clusterrole.yaml
index d847f25..f38ef68 100644
--- a/chart/skywalking/templates/oap-clusterrole.yaml
+++ b/chart/skywalking/templates/oap-clusterrole.yaml
@@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-{{- if .Values.oap.envoy.als.enabled }}
+{{- if .Values.serviceAccounts.oap.create }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -30,4 +30,4 @@ rules:
- apiGroups: ["extensions"]
resources: ["deployments", "replicasets"]
verbs: ["get", "watch", "list"]
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/skywalking/templates/oap-clusterrolebinding.yaml b/chart/skywalking/templates/oap-clusterrolebinding.yaml
index 3c4b1f4..c8d80c8 100644
--- a/chart/skywalking/templates/oap-clusterrolebinding.yaml
+++ b/chart/skywalking/templates/oap-clusterrolebinding.yaml
@@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-{{- if .Values.oap.envoy.als.enabled }}
+{{- if .Values.serviceAccounts.oap.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
diff --git a/chart/skywalking/templates/oap-role.yaml b/chart/skywalking/templates/oap-role.yaml
index f51c2f9..1628a16 100644
--- a/chart/skywalking/templates/oap-role.yaml
+++ b/chart/skywalking/templates/oap-role.yaml
@@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-{{- if not .Values.oap.envoy.als.enabled }}
+{{- if .Values.serviceAccounts.oap.create }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
diff --git a/chart/skywalking/templates/oap-rolebinding.yaml b/chart/skywalking/templates/oap-rolebinding.yaml
index 186dee3..c0d1606 100644
--- a/chart/skywalking/templates/oap-rolebinding.yaml
+++ b/chart/skywalking/templates/oap-rolebinding.yaml
@@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-{{- if not .Values.oap.envoy.als.enabled }}
+{{- if .Values.serviceAccounts.oap.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
diff --git a/chart/skywalking/templates/oap-serviceaccount.yaml b/chart/skywalking/templates/oap-serviceaccount.yaml
index fd6c2c2..fd2034c 100644
--- a/chart/skywalking/templates/oap-serviceaccount.yaml
+++ b/chart/skywalking/templates/oap-serviceaccount.yaml
@@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+{{- if .Values.serviceAccounts.oap.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -23,3 +24,4 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "skywalking.serviceAccountName.oap" . }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/skywalking/values.yaml b/chart/skywalking/values.yaml
index f8e6485..eaa54d3 100644
--- a/chart/skywalking/values.yaml
+++ b/chart/skywalking/values.yaml
@@ -19,6 +19,9 @@
serviceAccounts:
oap:
+ # By default, create SkyWalking's ServiceAccount. If set to false, you also need to change `serviceAccounts.oap.name` value to a custom ServiceAccount name.
+ create: true
+ name: ""
imagePullSecrets: []
@@ -76,10 +79,6 @@ oap:
# runAsUser: 1000
# runAsGroup: 1000
# fsGroup: 1000
- envoy:
- als:
- enabled: false
- # more envoy ALS ,please refer to https://github.com/apache/skywalking/blob/master/docs/en/setup/envoy/als_setting.md#observe-service-mesh-through-als
env:
# more env, please refer to https://hub.docker.com/r/apache/skywalking-oap-server
# or https://github.com/apache/skywalking-docker/blob/master/6/6.4/oap/README.md#sw_telemetry
diff --git a/test/e2e/e2e.yaml b/test/e2e/e2e.yaml
index c7d2ded..91fb678 100644
--- a/test/e2e/e2e.yaml
+++ b/test/e2e/e2e.yaml
@@ -50,7 +50,6 @@ setup:
--set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=k8s-mesh \
--set oap.env.SW_ENVOY_METRIC_ALS_TCP_ANALYSIS=k8s-mesh \
--set oap.env.K8S_SERVICE_NAME_RULE='e2e::${service.metadata.name}' \
- --set oap.envoy.als.enabled=true \
--set oap.replicas=1 \
--set ui.image.repository=$UI_REPO \
--set ui.image.tag=$UI_TAG \