From 11f18a3eae49fd95282779219c72968a2bb6ffed Mon Sep 17 00:00:00 2001 From: Wajih Yassine <54372074+wajihyassine@users.noreply.github.com> Date: Thu, 26 Sep 2024 10:18:51 -0700 Subject: [PATCH] charts/timesketch Lock tag by release version, simplify ingress for non GKE setups, remove roll and config override, allow multiple instances to run, README updates (#168) * Make ingress more generalized, remove roll and config override * Update README.md with readme-generator-for-helm Signed-off-by: wajihyassine * Allow multiple instances of opensearch * Update README.md with readme-generator-for-helm Signed-off-by: wajihyassine * Lock version by release * Update README.md with readme-generator-for-helm Signed-off-by: wajihyassine * Update README with chart upgrade instructions and documentation cleanup --------- Signed-off-by: wajihyassine Co-authored-by: wajihyassine --- charts/timesketch/Chart.lock | 2 +- charts/timesketch/Chart.yaml | 4 +- charts/timesketch/README.md | 439 +++++++++--------- charts/timesketch/templates/_helpers.tpl | 33 +- .../timesketch/templates/_initContainer.tpl | 6 +- charts/timesketch/templates/configmap.yaml | 12 - charts/timesketch/templates/ingress.yaml | 23 +- .../timesketch/templates/serviceaccount.yaml | 1 + .../timesketch/templates/web-deployment.yaml | 9 +- .../templates/worker-deployment.yaml | 10 +- charts/timesketch/values-production.yaml | 280 ----------- charts/timesketch/values.yaml | 24 +- 12 files changed, 264 insertions(+), 579 deletions(-) delete mode 100644 charts/timesketch/templates/configmap.yaml delete mode 100644 charts/timesketch/values-production.yaml diff --git a/charts/timesketch/Chart.lock b/charts/timesketch/Chart.lock index bb957142..15f74e78 100644 --- a/charts/timesketch/Chart.lock +++ b/charts/timesketch/Chart.lock 
@@ -9,4 +9,4 @@ dependencies: repository: https://opensearch-project.github.io/helm-charts/ version: 2.20.0 digest: sha256:3fbaef8755ed79056d10a0c93cf5d278a47bb5f55b9a98802922edef4faa0610 -generated: "2024-05-16T13:22:27.139681-07:00" +generated: "2024-09-23T13:14:31.525789-07:00" diff --git a/charts/timesketch/Chart.yaml b/charts/timesketch/Chart.yaml index 8f0ad215..295f7ce9 100644 --- a/charts/timesketch/Chart.yaml +++ b/charts/timesketch/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: timesketch -version: 1.0.7 +version: 1.0.8 description: A Helm chart for Timesketch Kubernetes deployments. keywords: - timesketch @@ -29,7 +29,7 @@ sources: - https://github.com/google/timesketch - https://github.com/google/osdfir-infrastructure icon: https://raw.githubusercontent.com/google/timesketch/master/timesketch/frontend-ng/dist/timesketch-color.png -appVersion: "latest" +appVersion: "20240828" annotations: category: Security licenses: Apache-2.0 diff --git a/charts/timesketch/README.md b/charts/timesketch/README.md index e223f4ef..2277821c 100644 --- a/charts/timesketch/README.md +++ b/charts/timesketch/README.md 
@@ -17,57 +17,189 @@ helm install my-release osdfir-charts/timesketch > **Note**: By default, Timesketch is not externally accessible and can be reached via `kubectl port-forward` within the cluster. -For a quick start with a local Kubernetes cluster on your desktop, check out the -[getting started with Minikube guide](https://github.com/google/osdfir-infrastructure/blob/main/docs/getting-started.md). - ## Introduction This chart bootstraps a [Timesketch](https://github.com/google/timesketch/blob/master/docker/release/build/Dockerfile-latest) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. +For a quick start with a local Kubernetes cluster on your desktop, check out the +[getting started with Minikube guide](https://github.com/google/osdfir-infrastructure/blob/main/docs/getting-started.md). + ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ - PV provisioner support in the underlying infrastructure +- Shared storage for clusters larger then one machine. ## Installing the Chart -The first step is to add the repo and then update to pick up any new changes. +The first step is to add and update the repo: ```console helm repo add osdfir-charts https://google.github.io/osdfir-infrastructure/ helm repo update ``` -To install the chart, specify any release name of your choice. For example, using `my-release` as the release name, run: +Then to install the chart, specify any release name of your choice. For example, +using `my-release` as the release name, run: ```console helm install my-release osdfir-charts/timesketch ``` -The command deploys Timesketch on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured -during installation or see [Installating for Production](#installing-for-production) -for a recommended production installation. 
+The command deploys Timesketch on the Kubernetes cluster in the default configuration. +The [Parameters](#parameters) section lists the parameters that can be configured +during installation. -> **Tip**: You can override the default Timesketch configuration by pulling the Helm -chart locally and adding a `configs/` directory at the root of the Helm chart with user-provided configs. +> **Tip**: See the [Managing and updating Timesketch configs](#managing-and-updating-timesketch-configs) +section for more details on managing the Timesketch configs. -## Installing for Production +## Configuration and installation details -Pull the chart locally then cd into `/timesketch` and review the `values-production.yaml` file for a list of values that will be used for production. +### Use a different Timesketch version -```console -helm pull osdfir-charts/timesketch --untar -``` +The Timesketch Helm chart utilizes the latest container release tags by default. +OSDFIR Infrastructure actively monitors for new versions of the main containers +and releases updated charts accordingly. -Install the chart with the base values in `values.yaml` and the production values in `values-production.yaml`, then using a release name such as `my-release`, run: +To modify the application version used in Timesketch, specify a different version +of the image using the `image.tag` parameter and/or a different repository using +the `image.repository` parameter. For example, to use the most recent development +version instead, set `image.tag` to `latest`. -```console -helm install my-release ../timesketch -f values.yaml -f values-production.yaml -``` +### Upgrading the Helm chart + +Helm chart updates can be retrieved by running `helm repo update`. + +To explore available charts and versions, use `helm search repo osdfir-charts/`. +Install a specific chart version with `helm install my-release osdfir-charts/timesketch --version `. 
+ +A major Helm chart version change (like v1.0.0 -> v2.0.0) indicates that there +is an incompatible breaking change needing manual actions. + +### Managing and updating Timesketch configs + +This section outlines how to deploy and manage Timesketch configuration files +within OSDFIR infrastructure. + +There are two primary methods: + +#### Using Default Configurations + +If you don't provide your own Timesketch config files during deployment, +the Timesketch deployment will automatically retrieve the latest default configs +from the Timesketch Github repository. This method requires no further action from you. + +> **NOTE:** When using the default method, you cannot update the Timesketch config files directly. + +#### Managing Timesketch configs externally + +For more advanced configuration management, you can manage Timesketch config +files independently of the Helm chart: + +1. Prepare your Config Files: + + Organize all the Timesketch configuration files in a directory with your + desired customizations. + +2. Create a ConfigMap: + + ```console + kubectl create configmap timesketch-configs --from-file=./timesketch-configs/ + ``` + + Replace `./timesketch-configs/` with the actual path to your configuration files. + +3. Install or Upgrade the Helm Chart: + + ```console + helm install my-release osdfir-charts/timesketch --set config.existingConfigMap="timesketch-configs" + ``` + + This command instructs the Helm chart to use the `timesketch-configs` ConfigMap for + Timesketch's config files. + +To update the config changes using this method: + +1. Update the ConfigMap: + + ```console + kubectl create configmap timesketch-configs --from-file=./my-configs/ --dry-run -o yaml | kubectl replace -f - + ``` + +2. 
Restart the Timesketch deployment to apply the new configs + + ```console + kubectl rollout restart deployment -l app.kubernetes.io/name=timesketch + ``` + +### Upgrading the Timesketch Database Schema + +From time to time, a Timesketch release requires a manual database upgrade if +the schema has changed. +The [Timesketch release page](https://github.com/google/timesketch/releases) +will indicate if a database upgrade is required. + +Follow these steps to upgrade the database on your Kubernetes deployment: + +1. **Upgrade Timesketch (if not already done):** + - Upgrade your Timesketch deployment to the desired release version: + + ```bash + helm upgrade my-release osdfir-charts/timesketch --set image.tag= --set image.pullPolicy=Always + ``` + +2. **Connect to Timesketch Pod:** + - Once the upgraded pods are ready, shell into the Timesketch pod: + + ```bash + kubectl exec -it my-release-timesketch- -- /bin/bash + ``` + + - Find your pod name using `kubectl get pods`. + +3. **Perform Database Upgrade:** + - Follow the detailed steps in the [Timesketch documentation to upgrade your database](https://timesketch.org/guides/admin/upgrade/#upgrade-the-database-schema). + +4. **Restart Timesketch (Recommended):** + - After a successful database upgrade, it is recommended to restart your + Timesketch deployment for the changes to take full effect: + + ```bash + kubectl rollout restart deployment my-release-timesketch-web + ``` + +### Metrics and monitoring + +The chart starts a metrics exporter for prometheus. The metrics endpoint (port 8080) +is exposed in the service. Metrics can be scraped from within the cluster by either +a Prometheus server running in your cluster or a cloud-based Prometheus service. +Currently, the available metrics is limited to system metrics. + +### Resource requests and limits + +OSDFIR Infrastructure charts allow setting resource requests and limits for all +containers inside the chart deployment. 
These are inside the `resources` value +(check parameter table). Setting requests is essential for production workloads +and these should be adapted to your specific use case. + +To maximize deployment success across different environments, resources are +minimally defined by default. + +### Persistence + +By default, the chart mounts a Persistent Volume at the `/mnt/timesketchvolume` path. +The volume is created using dynamic volume provisioning. -### Enabling GKE Ingress and OIDC Authentication +Configuration files can be found at the `/etc/timesketch` path of the container +while logs can be found at `/var/log/timesketch`. + +For clusters running more than one nodes or machines, the Persistent Volume will +need to have the ability to be mounted by multiple machines, such as NFS, GCP +Filestore, AWS EFS, and other shared file storage equivalents. + +## Enabling GKE Ingress and OIDC Authentication Follow these steps to externally expose Timesketch and enable Google Cloud OIDC to control user access to Timesketch. @@ -115,6 +247,7 @@ OAuth client. helm upgrade my-release ../timesketch \ -f values-production.yaml \ --set ingress.enabled=true \ + --set ingress.className="gce" \ --set ingress.host= \ --set ingress.gcp.staticIPName= \ --set ingress.gcp.managedCertificates=true \ 
@@ -165,21 +298,20 @@ kubectl delete pvc -l release=my-release | ------------------------ | ------------------------------------------------------------- | --------------------------------------------------------- | | `image.repository` | Timesketch image repository | `us-docker.pkg.dev/osdfir-registry/timesketch/timesketch` | | `image.pullPolicy` | Timesketch image pull policy | `IfNotPresent` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `20240828` | | `image.imagePullSecrets` | Specify secrets if pulling from a private repository | `[]` | ### Timesketch Configuration Parameters -| Name | Description | Value | -| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| `config.override` | Overrides the default Timesketch configs to instead use a user specified directory if present on the root directory of the Helm chart | `configs/*` | -| `config.existingConfigMap` | Use an existing ConfigMap as the default Timesketch config. 
| `""` | -| `config.createUser` | Creates a default Timesketch user that can be used to login to Timesketch after deployment | `true` | -| `config.oidc.enabled` | Enables Timesketch OIDC authentication (currently only supports Google OIDC) | `false` | -| `config.oidc.existingSecret` | Existing secret with the client ID, secret and cookie secret | `""` | -| `config.oidc.authenticatedEmailsFile.enabled` | Enables email authentication | `true` | -| `config.oidc.authenticatedEmailsFile.existingSecret` | Existing secret with a list of emails | `""` | -| `config.oidc.authenticatedEmailsFile.content` | Allowed emails list (one email per line) | `""` | +| Name | Description | Value | +| ---------------------------------------------------- | ------------------------------------------------------------------------------------------ | ------- | +| `config.existingConfigMap` | Use an existing ConfigMap as the default Timesketch config. | `""` | +| `config.createUser` | Creates a default Timesketch user that can be used to login to Timesketch after deployment | `true` | +| `config.oidc.enabled` | Enables Timesketch OIDC authentication (currently only supports Google OIDC) | `false` | +| `config.oidc.existingSecret` | Existing secret with the client ID, secret and cookie secret | `""` | +| `config.oidc.authenticatedEmailsFile.enabled` | Enables email authentication | `true` | +| `config.oidc.authenticatedEmailsFile.existingSecret` | Existing secret with a list of emails | `""` | +| `config.oidc.authenticatedEmailsFile.content` | Allowed emails list (one email per line) | `""` | ### Timesketch Frontend Configuration 
@@ -224,49 +356,50 @@ kubectl delete pvc -l release=my-release ### Common Parameters -| Name | Description | Value | -| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use | `timesketch` | -| `service.type` | Timesketch service type | `ClusterIP` | -| `service.port` | Timesketch service port | `5000` | -| `metrics.enabled` | Enables metrics scraping | `true` | -| `metrics.port` | Port to scrape metrics from | `8080` | -| `persistence.name` | Timesketch persistent volume name | `timesketchvolume` | -| `persistence.size` | Timesketch persistent volume size | `2Gi` | -| `persistence.storageClass` | PVC Storage Class for Timesketch volume | `""` | -| `persistence.accessModes` | PVC Access Mode for Timesketch volume | `["ReadWriteOnce"]` | -| `ingress.enabled` | Enable the Timesketch loadbalancer for external access | `false` | -| `ingress.host` | Domain name Timesketch will be hosted under | `""` | -| `ingress.className` | IngressClass that will be be used to implement the Ingress | `gce` | -| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `ingress.certManager` | Add the corresponding annotations for cert-manager integration | `false` | -| `ingress.gcp.managedCertificates` | Enables GCP managed certificates for your domain | `false` | -| `ingress.gcp.staticIPName` | Name of the static IP address you reserved in GCP. Required when using "gce" in ingress.className | `""` | -| `ingress.gcp.staticIPV6Name` | Name of the static IPV6 address you reserved in GCP. 
This can be optionally provided to deploy a loadbalancer with an IPV6 address | `""` | +| Name | Description | Value | +| --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use | `""` | +| `service.type` | Timesketch service type | `ClusterIP` | +| `service.port` | Timesketch service port | `5000` | +| `metrics.enabled` | Enables metrics scraping | `true` | +| `metrics.port` | Port to scrape metrics from | `8080` | +| `persistence.name` | Timesketch persistent volume name | `timesketchvolume` | +| `persistence.size` | Timesketch persistent volume size | `2Gi` | +| `persistence.storageClass` | PVC Storage Class for Timesketch volume | `""` | +| `persistence.accessModes` | PVC Access Mode for Timesketch volume | `["ReadWriteOnce"]` | +| `ingress.enabled` | Enable the Timesketch loadbalancer for external access | `false` | +| `ingress.host` | Domain name Timesketch will be hosted under | `""` | +| `ingress.className` | IngressClass that will be be used to implement the Ingress | `""` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.certManager` | Add the corresponding annotations for cert-manager integration | `false` | +| `ingress.gcp.managedCertificates` | Enables GCP managed certificates for your domain | `false` | +| `ingress.gcp.staticIPName` | Name of the static IP address you reserved in GCP. | `""` | +| `ingress.gcp.staticIPV6Name` | Name of the static IPV6 address you reserved. This can be optionally provided to deploy a loadbalancer with an IPV6 address in GCP. 
| `""` | ### Third Party Configuration ### Opensearch Configuration Parameters -| Name | Description | Value | -| -------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | -| `opensearch.enabled` | Enables the Opensearch deployment | `true` | -| `opensearch.config.opensearch.yml` | Opensearch configuration file. Can be appended for additional configuration options | `{"opensearch.yml":"plugins:\n security:\n allow_unsafe_democertificates: false\n"}` | -| `opensearch.extraEnvs[0].name` | Environment variable to disable Opensearch Demo config | `DISABLE_INSTALL_DEMO_CONFIG` | -| `opensearch.extraEnvs[0].value` | Disables Opensearch Demo config | `true` | -| `opensearch.extraEnvs[1].name` | Environment variable to disable Opensearch Security plugin given that | `DISABLE_SECURITY_PLUGIN` | -| `opensearch.extraEnvs[1].value` | Disables Opensearch Security plugin | `true` | -| `opensearch.replicas` | Number of Opensearch instances to deploy | `1` | -| `opensearch.sysctlInit.enabled` | Sets optimal sysctl's through privileged initContainer | `true` | -| `opensearch.opensearchJavaOpts` | Sets the size of the Opensearch Java heap | `-Xmx512M -Xms512M` | -| `opensearch.httpPort` | Opensearch service port | `9200` | -| `opensearch.persistence.size` | Opensearch Persistent Volume size. 
A persistent volume would be created for each Opensearch replica running | `2Gi` | -| `opensearch.resources.requests.cpu` | The requested cpu for the Opensearch container | `250m` | -| `opensearch.resources.requests.memory` | The requested memory for the Opensearch container | `512Mi` | -| `opensearch.nodeSelector` | Node labels for Opensearch pods assignment | `{}` | +| Name | Description | Value | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | +| `opensearch.enabled` | Enables the Opensearch deployment | `true` | +| `opensearch.nodeGroup` | Specifies the node group for this OpenSearch instance. Avoid using "master" as the node group name, as this will prevent the service from resolving correctly. | `""` | +| `opensearch.config.opensearch.yml` | Opensearch configuration file. 
Can be appended for additional configuration options | `{"opensearch.yml":"plugins:\n security:\n allow_unsafe_democertificates: false\n"}` | +| `opensearch.extraEnvs[0].name` | Environment variable to disable Opensearch Demo config | `DISABLE_INSTALL_DEMO_CONFIG` | +| `opensearch.extraEnvs[0].value` | Disables Opensearch Demo config | `true` | +| `opensearch.extraEnvs[1].name` | Environment variable to disable Opensearch Security plugin given that | `DISABLE_SECURITY_PLUGIN` | +| `opensearch.extraEnvs[1].value` | Disables Opensearch Security plugin | `true` | +| `opensearch.replicas` | Number of Opensearch instances to deploy | `1` | +| `opensearch.sysctlInit.enabled` | Sets optimal sysctl's through privileged initContainer | `true` | +| `opensearch.opensearchJavaOpts` | Sets the size of the Opensearch Java heap | `-Xmx512M -Xms512M` | +| `opensearch.httpPort` | Opensearch service port | `9200` | +| `opensearch.persistence.size` | Opensearch Persistent Volume size. A persistent volume would be created for each Opensearch replica running | `2Gi` | +| `opensearch.resources.requests.cpu` | The requested cpu for the Opensearch container | `250m` | +| `opensearch.resources.requests.memory` | The requested memory for the Opensearch container | `512Mi` | +| `opensearch.nodeSelector` | Node labels for Opensearch pods assignment | `{}` | ### Redis Configuration Parameters @@ -318,8 +451,8 @@ helm install my-release osdfir-charts/timesketch --set opensearch.replicas=3 The above command installs Timesketch with 3 Opensearch Replicas. -Alternatively, the `values.yaml` and `values-production.yaml` file can be -directly updated if the Helm chart was pulled locally. For example, +Alternatively, the `values.yaml` file can be directly updated if the Helm chart +was pulled locally. For example, ```console helm pull osdfir-charts/timesketch --untar 
@@ -332,165 +465,11 @@ chart with the updated values. helm install my-release ../timesketch ``` -## Persistence - -The Timesketch deployment stores data at the `/mnt/timesketchvolume` path of the -container and stores configuration files at the `/etc/timesketch` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is -known to work in GCP and Minikube. See the Parameters section to configure the -PVC or to disable persistence. - -## Upgrading - -If you need to upgrade an existing release to update a value, such as persistent -volume size or upgrading to a new release, you can run [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/). -For example, to set a new release and upgrade storage capacity, run: - -```console -helm upgrade my-release ../timesketch \ - --set image.tag=latest \ - --set persistence.size=10T -``` - -The above command upgrades an existing release named `my-release` updating the -image tag to `latest` and increasing persistent volume size of an existing volume -to 10 Terabytes. Note that existing data will not be deleted and instead triggers an expansion -of the volume that backs the underlying PersistentVolume. See [here](https://kubernetes.io/docs/concepts/storage/persistent-volumes/). - -### Managing and updating Timesketch configs - -This section outlines how to deploy and manage Timesketch configuration files within OSDFIR infrastructure. There are three primary methods: - -1. **Using Default Configurations** - - If you don't provide your own Timesketch config files during deployment, - the Timesketch deployment will automatically retrieve the latest default configs - from the Timesketch Github repository. This method requires no further action from you. - - > **NOTE:** When using the default method, you cannot update the Timesketch config files directly. - -2. 
**Embedding Timesketch configs in the Helm Chart** - - To customize Timesketch with your own config files and include them directly in the Helm chart deployment, follow these steps: - - 1. Download and Extract the Helm chart: - - ```console - helm pull osdfir-charts/timesketch --untar - cd timesketch/ - ``` - - 2. Download the default Timesketch configs: - - ```console - ./tools/download-timesketch-configs.sh - ``` - - This script downloads the default Timesketch configuration files to the `config/` directory within the extracted Helm chart directory. - - 3. Modify config files then deploy the Helm chart: - - ```console - helm install my-release ../timesketch - ``` - - > **NOTE**: The Helm chart checks the path specified in `config.override` for existing config files. By default this path is set to `configs/` within the Helm chart directory. - - To update configs changes using this method: - - 1. Modify Configuration Files - - Make the necessary changes to your configuration files in the `config/` directory. - - 2. Upgrade the Helm Release: - - ```console - helm upgrade my-release ../timesketch - ``` - - This will automatically apply the updated config changes and restart the Timesketch deployment so the changes can be picked up. - - -3. **Managing Timesketch configs externally** - - For more advanced configuration management, you can manage Timesketch config - files independently of the Helm chart: - - 1. Prepare your Config Files: - - Organize all the Timesketch configuration files in a directory with your - desired customizations. - - 2. Create a ConfigMap: - - ```console - kubectl create configmap timesketch-configs --from-file=./my-configs/ - ``` - - Replace `./my-configs/` with the actual path to your configuration files. - - 3. 
Install or Upgrade the Helm Chart: - - ```console - helm install my-release osdfir-charts/timesketch --set config.existingConfigMap="timesketch-configs" - ``` - - This command instructs the Helm chart to use the `timesketch-configs` ConfigMap for - Timesketch's config files. - - To update the config changes using this method: - - 1. Update the ConfigMap: - - ```console - kubectl create configmap timesketch-configs --from-file=./my-configs/ --dry-run -o yaml | kubectl replace -f - - ``` - - 2. Restart the Timesketch deployment to apply the new configs - - ```console - kubectl rollout restart deployment -l app.kubernetes.io/name=timesketch - ``` - -### Upgrade Timesketch Database Schema - -From time to time, a Timesketch release requires a manual database upgrade if -the schema has changed. -The [Timesketch release page](https://github.com/google/timesketch/releases) -will indicate if a database upgrade is required. - -Follow these steps to upgrade the database on your Kubernetes deployment: - -1. **Upgrade Timesketch (if not already done):** - - Upgrade your Timesketch deployment to the desired release version: - - ```bash - helm upgrade my-release osdfir-charts/timesketch --set image.tag= --set image.pullPolicy=Always - ``` - -2. **Connect to Timesketch Pod:** - - Once the upgraded pods are ready, shell into the Timesketch pod: - - ```bash - kubectl exec -it my-release-timesketch- -- /bin/bash - ``` - - - Find your pod name using `kubectl get pods`. - -3. **Perform Database Upgrade:** - - Follow the detailed steps in the [Timesketch documentation to upgrade your database](https://timesketch.org/guides/admin/upgrade/#upgrade-the-database-schema). - -4. 
**Restart Timesketch (Recommended):** - - After a successful database upgrade, it is recommended to restart your - Timesketch deployment for the changes to take full effect: - - ```bash - kubectl rollout restart deployment my-release-timesketch-web - ``` - ## Troubleshooting +Find more information about how to deal with common errors in OSDFIR Infrastructure +Helm charts in this [troubleshooting guide](https://github.com/google/osdfir-infrastructure/blob/main/docs/troubleshooting.md). + There is a known issue causing PostgreSQL authentication to fail. This occurs when you `delete` the deployed Helm chart and then redeploy the Chart without removing the existing PVCs. When redeploying, please ensure to delete the underlying @@ -499,7 +478,7 @@ for more details. ## License -Copyright © 2023 OSDFIR Infrastructure +Copyright © 2024 OSDFIR Infrastructure Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/timesketch/templates/_helpers.tpl b/charts/timesketch/templates/_helpers.tpl index cdc454d4..34e946ee 100644 --- a/charts/timesketch/templates/_helpers.tpl +++ b/charts/timesketch/templates/_helpers.tpl @@ -28,11 +28,10 @@ Return the proper persistence volume claim name */}} {{- define "timesketch.pvc.name" -}} {{- $pvcName := .Values.persistence.name -}} -{{- if .Values.global -}} - {{- if .Values.global.existingPVC -}} - {{- $pvcName = .Values.global.existingPVC -}} - {{- end -}} -{{- printf "%s-%s" $pvcName "claim" }} +{{- if and .Values.global .Values.global.existingPVC -}} +{{- .Values.global.existingPVC -}} +{{- else -}} +{{- printf "%s-%s-claim" .Release.Name $pvcName }} {{- end -}} {{- end -}} 
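Review bot: The rewritten `timesketch.pvc.name` silently renames the claim for every existing release: the default branch now renders `<release>-timesketchvolume-claim` where 1.0.7 rendered `timesketchvolume-claim`, and `global.existingPVC` is now returned verbatim where it previously received a `-claim` suffix. On `helm upgrade` any template that calls this helper (presumably the PVC and the web/worker volume definitions, outside this hunk) will bind to a freshly provisioned empty claim while the populated one is orphaned, and an existing `global.existingPVC` value given without the suffix will point at a claim that does not exist. The README in this same commit states that breaking changes are signalled by a major version bump, yet Chart.yaml only moves 1.0.7 -> 1.0.8. Either preserve the old name for upgrades (for example keep the old default when `lookup "v1" "PersistentVolumeClaim" .Release.Namespace (printf "%s-claim" $pvcName)` finds one) or document the migration and add a comment above the define such as `{{/* NOTE: since 1.0.8 the claim name is prefixed with the release name; pre-1.0.8 installs must migrate data or set global.existingPVC to the full old claim name */}}`.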
@@ -93,10 +92,10 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "timesketch.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "timesketch.fullname" .) .Values.serviceAccount.name }} +{{- if .Values.serviceAccount.name }} +{{- .Values.serviceAccount.name }} {{- else }} -{{- default "default" .Values.serviceAccount.name }} +{{- printf "%s-%s" .Release.Name "timesketch" }} {{- end }} {{- end }} @@ -132,12 +131,20 @@ Postgresql subcharts connection url {{- end -}} {{- end -}} +{{/* +Override Opensearch Subchart "opensearch.uname" helper function to allow for +multiple instances using the Release Name. +*/}} +{{- define "opensearch.uname" -}} +{{- printf "%s-%s" .Release.Name .Values.masterService -}} +{{- end -}} + {{/* Opensearch subcharts host name */}} {{- define "timesketch.opensearch.host" -}} {{- if .Values.opensearch.enabled -}} -{{- printf "%s" .Values.opensearch.masterService -}} +{{- printf "%s-%s" .Release.Name .Values.opensearch.masterService -}} {{- else -}} {{ fail "Attempting to use Opensearch, but the subchart is not enabled. This will lead to misconfiguration" }} {{- end -}} @@ -172,11 +179,3 @@ Timesketch service port {{- printf "%s-access-list" (include "timesketch.fullname" .) -}} {{- end -}} {{- end -}} - -{{- define "timesketch.configmap" -}} -{{- if .Values.config.existingConfigMap -}} -{{- .Values.config.existingConfigMap -}} -{{- else -}} -{{- include "timesketch.fullname" . }}-configmap -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/timesketch/templates/_initContainer.tpl b/charts/timesketch/templates/_initContainer.tpl index 27fff9f5..6597404b 100644 --- a/charts/timesketch/templates/_initContainer.tpl +++ b/charts/timesketch/templates/_initContainer.tpl 
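Review bot: `timesketch.serviceAccountName` no longer consults `serviceAccount.create`: with `serviceAccount.create=false` and `serviceAccount.name` left at its new default of `""`, the helper returns `<release>-timesketch`, a ServiceAccount that nothing creates, so pods referencing it are rejected by the ServiceAccount admission controller instead of falling back to `default` as 1.0.7 did. Restore the fallback by inserting `{{- else if .Values.serviceAccount.create }}` and `{{- printf "%s-%s" .Release.Name "timesketch" }}` ahead of the existing `{{- else }}`, and make that final branch render `default`. A short comment above the define, `{{/* Explicit name wins; otherwise the chart-created SA, or "default" when creation is disabled */}}`, would document the precedence.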
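Review bot: The new `opensearch.uname` define overrides a named template that belongs to the OpenSearch subchart, so the chart now depends on that subchart's internal template name and on whatever objects upstream derives from `uname`; a subchart bump that renames or reshapes that helper will change naming silently, and any value the upstream helper folds in (the README hunk in this commit documents `opensearch.nodeGroup`, which this override does not use) presumably stops affecting the name. Record the coupling above the define, e.g. `{{/* Overrides the opensearch subchart's "opensearch.uname" (checked against opensearch chart 2.20.0, see Chart.lock) so several releases can share a namespace; must produce the same string as "timesketch.opensearch.host" below */}}`. A chart test that renders the subchart Service name and asserts it equals `timesketch.opensearch.host` would catch the two drifting apart on the next dependency update.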
@@ -59,11 +59,13 @@ Worker pod upon startup. name: init-timesketch - mountPath: /etc/timesketch name: timesketch-configs + {{- if .Values.config.existingConfigMap }} - mountPath: /tmp/timesketch name: uploaded-configs - {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }} + {{- end }} + {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }} - name: authenticated-emails mountPath: /init/authenticated-emails readOnly: true - {{- end }} + {{- end }} {{- end }} diff --git a/charts/timesketch/templates/configmap.yaml b/charts/timesketch/templates/configmap.yaml deleted file mode 100644 index a8339b1a..00000000 --- a/charts/timesketch/templates/configmap.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- $userconfigs := .Files.Glob .Values.config.override }} -{{- if $userconfigs }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "timesketch.fullname" . }}-configmap - namespace: {{ .Release.Namespace | quote }} - labels: - {{- include "timesketch.labels" . | nindent 4 }} -data: -{{ ($userconfigs).AsConfig | indent 2 }} -{{- end }} \ No newline at end of file diff --git a/charts/timesketch/templates/ingress.yaml b/charts/timesketch/templates/ingress.yaml index 260c31d7..1088ecdd 100644 --- a/charts/timesketch/templates/ingress.yaml +++ b/charts/timesketch/templates/ingress.yaml 
@@ -8,19 +8,19 @@ metadata: {{- include "timesketch.labels" . | nindent 4 }} annotations: kubernetes.io/ingressClassName: {{ .Values.ingress.className }} - {{- if .Values.ingress.gcp.managedCertificates }} - networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl - {{- end }} {{- if .Values.ingress.certManager }} kubernetes.io/tls-acme: "true" cert-manager.io/issuer: {{ include "timesketch.fullname" . }}-letsencrypt-production {{- end }} + # GKE specific annotations {{- if (eq .Values.ingress.className "gce") }} {{- if .Values.ingress.gcp.staticIPName }} kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPName }} networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config - {{- else }} - {{- fail "A valied .Values.ingress.gcp.staticIPName entry is required when using the GCE Ingress" }} + {{- end }} + {{- if .Values.ingress.gcp.managedCertificates }} + networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl + networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config {{- end }} {{- end }} spec: @@ -31,7 +31,7 @@ spec: secretName: {{ include "timesketch.fullname" . }}-tls {{- end }} rules: - - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }} + - host: {{ .Values.ingress.host }} http: paths: - path: / 
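Review bot: When both `ingress.gcp.staticIPName` and `ingress.gcp.managedCertificates` are set, the new GKE block writes the `networking.gke.io/v1beta1.FrontendConfig` annotation twice inside the same `annotations` mapping; a duplicate key is at best last-wins and may be rejected outright when Helm or the API server parses the manifest. Emit it once under its own condition, `{{- if or .Values.ingress.gcp.staticIPName .Values.ingress.gcp.managedCertificates }}` / `networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config` / `{{- end }}`, and leave only the static-IP and managed-certificate annotations in their respective blocks. Dropping the `fail` for a missing `staticIPName` also lets a `gce` ingress without a reserved address pass rendering silently; if that is deliberate, the `# GKE specific annotations` comment is the place to say so.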
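Review bot: Removing `required` from `ingress.host` lets an enabled ingress render `host:` with the new empty default from values.yaml, and a rule without a host matches every Host header instead of failing fast; the second Ingress in the hunk at `@@ -81,7 +80,7 @@` makes the same change. If the value is meant to stay mandatory, keep the check in a tighter form: `- host: {{ required "ingress.host must be set when ingress is enabled" .Values.ingress.host | quote }}`; if a host-less rule is genuinely intended for some classes, omit the `host` key entirely when the value is empty rather than rendering it blank. The TLS block above this hunk is not visible here and presumably reads the same value, so it would need the same treatment.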
@@ -58,19 +58,18 @@ metadata: {{- include "timesketch.labels" . | nindent 4 }} annotations: kubernetes.io/ingressClassName: {{ .Values.ingress.className }} - {{- if .Values.ingress.gcp.managedCertificates }} - networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl - {{- end }} {{- if .Values.ingress.certManager }} kubernetes.io/tls-acme: "true" cert-manager.io/issuer: {{ include "timesketch.fullname" . }}-letsencrypt-production {{- end }} + # GKE specific annotations {{- if (eq .Values.ingress.className "gce") }} {{- if .Values.ingress.gcp.staticIPV6Name }} kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPV6Name }} + {{- end }} + {{- if .Values.ingress.gcp.managedCertificates }} + networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config - {{- else }} - {{- fail "A valied .Values.ingress.gcp.staticIPV6Name entry is required when using the GCE Ingress" }} {{- end }} {{- end }} spec: @@ -81,7 +80,7 @@ spec: secretName: {{ include "timesketch.fullname" . }}-tls {{- end }} rules: - - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }} + - host: {{ .Values.ingress.host }} http: paths: - path: / diff --git a/charts/timesketch/templates/serviceaccount.yaml b/charts/timesketch/templates/serviceaccount.yaml index 64a09475..2adcb074 100644 --- a/charts/timesketch/templates/serviceaccount.yaml +++ b/charts/timesketch/templates/serviceaccount.yaml @@ -9,4 +9,5 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} +automountServiceAccountToken: false {{- end }} diff --git a/charts/timesketch/templates/web-deployment.yaml b/charts/timesketch/templates/web-deployment.yaml index 73a4a4c9..dc9af9f2 100644 --- a/charts/timesketch/templates/web-deployment.yaml +++ b/charts/timesketch/templates/web-deployment.yaml 
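Review bot: In this second Ingress the `FrontendConfig` annotation is attached only when `ingress.gcp.managedCertificates` is set, whereas the first Ingress (hunk `@@ -8,19 +8,19 @@`) attaches it whenever `staticIPName` is set; the two GKE blocks therefore diverge for the same values, and whatever the frontend config carries (not visible here) will apply to one listener but not the other. Using the same condition in both places, `{{- if or .Values.ingress.gcp.staticIPV6Name .Values.ingress.gcp.managedCertificates }}` around the FrontendConfig line here, removes the asymmetry.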
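Review bot: `automountServiceAccountToken: false` on the ServiceAccount only protects pods that use this account, and only when the pod spec does not set the field itself; pods that reference a user-supplied `serviceAccount.name` or the `default` account gain nothing from this line. Setting `automountServiceAccountToken: false` in the pod spec of the web and worker Deployments as well would make the hardening independent of which account is chosen. The enclosing `{{- if }}` for this block starts outside the hunk, so whether the new line is gated on `serviceAccount.create` is inferred rather than visible.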
@@ -15,8 +15,8 @@ spec: template: metadata: annotations: - # Have Deployment restart after each upgrade - roll: {{ randAlphaNum 5 | quote }} + # Restart pod if values.yaml parameters that affect the config were changed + checksum/config: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} {{- if .Values.metrics.enabled }} prometheus.io/port: {{ .Values.metrics.port | quote }} prometheus.io/scrape: "true" @@ -83,10 +83,11 @@ spec: defaultMode: 0744 - name: timesketch-configs emptyDir: {} + {{- if .Values.config.existingConfigMap }} - name: uploaded-configs configMap: - name: {{ include "timesketch.configmap" . }} - optional: true + name: {{ .Values.config.existingConfigMap }} + {{- end }} {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }} - name: authenticated-emails secret: diff --git a/charts/timesketch/templates/worker-deployment.yaml b/charts/timesketch/templates/worker-deployment.yaml index ad7b568a..0d325b30 100644 --- a/charts/timesketch/templates/worker-deployment.yaml +++ b/charts/timesketch/templates/worker-deployment.yaml @@ -15,8 +15,8 @@ spec: template: metadata: annotations: - # Have Deployment restart after each upgrade - roll: {{ randAlphaNum 5 | quote }} + # Restart pod if values.yaml parameters that affect the config were changed + checksum/config: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} {{- if .Values.metrics.enabled }} prometheus.io/port: {{ .Values.metrics.port | quote }} prometheus.io/scrape: "true" @@ -72,10 +72,11 @@ spec: defaultMode: 0744 - name: timesketch-configs emptyDir: {} + {{- if .Values.config.existingConfigMap }} - name: uploaded-configs configMap: - name: {{ include "timesketch.configmap" . }} - optional: true + name: {{ .Values.config.existingConfigMap }} + {{- end }} {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }} - name: authenticated-emails secret: @@ -96,4 +97,3 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - 
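Review bot: The `checksum/config` annotation hashes only `init-configmap.yaml`, so when `config.existingConfigMap` is in use the configuration the pods actually consume lives in a ConfigMap this chart does not render, and edits to it no longer trigger a rollout; the random `roll` annotation being replaced restarted pods on every upgrade, which masked that gap. The worker Deployment in the hunk at `@@ -15,8 +15,8 @@ spec:` below has the same limitation. Since an externally created ConfigMap cannot be hashed at render time, state the trade-off next to the annotation, e.g. `# Note: changes to config.existingConfigMap are not detected; restart the Deployment after editing it`.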
diff --git a/charts/timesketch/values-production.yaml b/charts/timesketch/values-production.yaml deleted file mode 100644 index a041a8ce..00000000 --- a/charts/timesketch/values-production.yaml +++ /dev/null 
@@ -1,280 +0,0 @@ -## Timesketch Helm Production Values -## Please use these values to override the default Timesketch values with recommended resources and replica counts for production installations -## -## @section Timesketch Frontend Configuration -## -frontend: - ## @param frontend.podSecurityContext Holds pod-level security attributes and common frontend container settings - ## Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext - ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core - ## e.g. - ## fsgroup: 2000 - ## - podSecurityContext: {} - ## @param frontend.securityContext Holds security configuration that will be applied to the frontend container - ## Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence - ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#securitycontext-v1-core - ## e.g. 
- ## capabilities - ## drop: - ## - ALL - ## readOnlyRootFilesystem: true - ## runAsNonRoot: true - ## runAsUser: 1000 - ## - securityContext: {} - ## Frontend resource requests and limits - ## @param frontend.resources.requests.cpu Requested cpu for the frontend container - ## @param frontend.resources.requests.memory Requested memory for the frontend container - ## @param frontend.resources.limits.cpu Resource cpu limits for the frontend container - ## @param frontend.resources.limits.memory Resource memory limits for the frontend container - ## - resources: - requests: - cpu: 2000m - memory: 4000Mi - limits: - cpu: 8000m - memory: 16000Mi - ## @param frontend.nodeSelector Node labels for Timesketch frontend pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param frontend.tolerations Tolerations for Timesketch frontend pods assignment - ## ref https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - ## - tolerations: [] - ## @param frontend.affinity Affinity for Timesketch frontend pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} -## @section Timesketch Worker Configuration -## -worker: - ## @param worker.podSecurityContext Holds pod-level security attributes and common worker container settings - ## Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext - ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core - ## e.g. - ## fsgroup: 2000 - ## - podSecurityContext: {} - ## @param worker.securityContext Holds security configuration that will be applied to the worker container - ## Some fields are present in both SecurityContext and PodSecurityContext. 
When both are set, the values in SecurityContext take precedence - ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#securitycontext-v1-core - ## e.g. - ## capabilities - ## drop: - ## - ALL - ## readOnlyRootFilesystem: true - ## runAsNonRoot: true - ## runAsUser: 1000 - ## - securityContext: {} - ## Worker resource requests and limits - ## @param worker.resources.requests.cpu Requested cpu for the worker container - ## @param worker.resources.requests.memory Requested memory for the worker container - ## @param worker.resources.limits.cpu Resource cpu limits for the worker container - ## @param worker.resources.limits.memory Resource memory limits for the worker container - ## - resources: - requests: - cpu: 2000m - memory: 4000Mi - limits: - cpu: 8000m - memory: 16000Mi - ## @param worker.nodeSelector Node labels for Timesketch worker pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param worker.tolerations Tolerations for Timesketch worker pods assignment - ## ref https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - ## - tolerations: [] - ## @param worker.affinity Affinity for Timesketch worker pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} -## Persistence Storage Parameters -## -persistence: - ## @param persistence.name Timesketch persistent volume name - ## - name: timesketchvolume - ## @param persistence.size Timesketch persistent volume size - ## - size: 1T - ## @param persistence.storageClass PVC Storage Class for Timesketch volume - ## If default, storageClassName: , which enables GCP Filestore - ## when using the Filestore CSI Driver - ## ref https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/filestore-csi-driver#access - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined or set to null, 
no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## ref https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/#using-dynamic-provisioning - ## - storageClass: standard-rwx - ## @param persistence.accessModes PVC Access Mode for Timesketch volume - ## Access mode may need to be updated based on the StorageClass - ## ref https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes - ## - accessModes: - - ReadWriteMany -## @section Third Party Configuration -## This section contains all the main configuration for third party dependencies -## Timesketch requires to run -## -## @section Opensearch Configuration Parameters -## IMPORTANT: The Opensearch Security Plugin / TLS has not yet been configured by default -## ref on steps required https://opensearch.org/docs/1.1/security-plugin/configuration/index/ -## To see a full list of available values, run helm show values charts/opensearch* -## -opensearch: - ## @param opensearch.enabled Enables the Opensearch deployment - ## - enabled: true - ## @param opensearch.replicas Number of Opensearch instances to deploy - ## - replicas: 3 - ## @param opensearch.sysctlInit.enabled Sets optimal sysctl's through privileged initContainer - ## - sysctlInit: - enabled: true - ## @param opensearch.opensearchJavaOpts Sets the size of the Opensearch Java heap - ## It is recommended to use at least half the system's available ram - ## - opensearchJavaOpts: "-Xms64g -Xmx64g" - ## @param opensearch.httpPort Opensearch service port - ## - httpPort: 9200 - ## Opensearch persistence configuration - ## - persistence: - ## @param opensearch.persistence.size Opensearch Persistent Volume size. 
A persistent volume would be created for each Opensearch replica running - ## - size: 1Ti - ## Opensearch resource requests - ## @param opensearch.resources.requests.cpu Requested cpu for the Opensearch containers - ## @param opensearch.resources.requests.memory Requested memory for the Opensearch containers - ## - resources: - requests: - cpu: 8000m - memory: 32Gi - ## @param opensearch.nodeSelector Node labels for Opensearch pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} -## @section Redis Configuration Parameters -## IMPORTANT: Redis is deployed with Auth enabled by default -## To see a full list of available values, run helm show values charts/redis* -## -redis: - ## @param redis.enabled Enables the Redis deployment - ## - enabled: true - ## @param redis.sentinel.enabled Enables Redis Sentinel on Redis pods - ## IMPORTANT: This has not been tested for Timesketch so would leave this disabled - ## - sentinel: - enabled: false - ## Master Redis Service configuration - ## - master: - ## @param redis.master.count Number of Redis master instances to deploy (experimental, requires additional configuration) - ## - count: 1 - ## Redis master persistence configuration - ## - persistence: - ## @param redis.master.persistence.size Redis master Persistent Volume size - ## - size: 500Gi - ## Redis master resource requests and limits - ## @param redis.master.resources.requests.cpu Requested cpu for the Redis master containers - ## @param redis.master.resources.requests.memory Requested memory for the Redis master containers - ## @param redis.master.resources.limits.cpu Resource cpu limits for the Redis master containers - ## @param redis.master.resources.limits.memory Resource memory limits for the Redis master containers - ## - resources: - requests: - cpu: 4000m - memory: 8Gi - limits: - cpu: 8000m - memory: 16Gi - ## Redis replicas configuration parameters - ## - replica: - ## @param redis.replica.replicaCount Number 
of Redis replicas to deploy - ## - replicaCount: 3 - ## Redis replicas persistence configuration - ## - persistence: - ## @param redis.replica.persistence.size Redis replica Persistent Volume size - ## - size: 500Gi - ## Redis Replica resource requests and limits - ## @param redis.replica.resources.requests.cpu Requested cpu for the Redis replica containers - ## @param redis.replica.resources.requests.memory Requested memory for the Redis replica containers - ## @param redis.replica.resources.limits.cpu Resource cpu limits for the Redis replica containers - ## @param redis.replica.resources.limits.memory Resource memory limits for the Redis replica containers - ## - resources: - requests: - cpu: 4000m - memory: 8Gi - limits: - cpu: 8000m - memory: 16Gi -## @section Postgresql Configuration Parameters -## IMPORTANT: Postgresql is deployed with Auth enabled by default -## To see a full list of available values, run helm show values charts/postgresql* -## -postgresql: - ## @param postgresql.enabled Enables the Postgresql deployment - ## - enabled: true - ## PostgreSQL Primary configuration parameters - ## - primary: - ## PostgreSQL Primary persistence configuration - ## - persistence: - ## @param postgresql.primary.persistence.size PostgreSQL Persistent Volume size - ## - size: 500Gi - ## PostgreSQL Primary resource requests and limits - ## @param postgresql.primary.resources.requests.cpu Requested cpu for the PostgreSQL Primary containers - ## @param postgresql.primary.resources.requests.memory Requested memory for the PostgreSQL Primary containers - ## @param postgresql.primary.resources.limits Resource limits for the PostgreSQL Primary containers - ## - resources: - requests: - cpu: 250m - memory: 256Mi - limits: {} - ## PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) - ## - readReplicas: - ## @param postgresql.readReplicas.replicaCount Number of PostgreSQL read only replicas - ## - replicaCount: 1 - ## PostgreSQL 
Persistent Storage configuration - ## - persistence: - ## @param postgresql.readReplicas.persistence.size PostgreSQL Persistent Volume size - ## - size: 500Gi - ## PostgreSQL read only resource requests and limits - ## @param postgresql.readReplicas.resources.requests.cpu Requested cpu for the PostgreSQL read only containers - ## @param postgresql.readReplicas.resources.requests.memory Requested memory for the PostgreSQL read only containers - ## @param postgresql.readReplicas.resources.limits Resource limits for the PostgreSQL read only containers - ## - resources: - requests: - cpu: 250m - memory: 256Mi - limits: {} \ No newline at end of file diff --git a/charts/timesketch/values.yaml b/charts/timesketch/values.yaml index ba8f5a8d..05d46aeb 100644 --- a/charts/timesketch/values.yaml +++ b/charts/timesketch/values.yaml @@ -52,7 +52,7 @@ image: pullPolicy: IfNotPresent ## @param image.tag Overrides the image tag whose default is the chart appVersion ## - tag: latest + tag: "20240828" ## @param image.imagePullSecrets Specify secrets if pulling from a private repository ## ref https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## e.g. 
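Review bot: `image.tag` is now pinned to `"20240828"` in values.yaml while Chart.yaml's `appVersion` carries the same string, which leaves two places to bump per release and makes the comment `Overrides the image tag whose default is the chart appVersion` describe a fallback that can never apply. If the Deployment template falls back to `.Chart.AppVersion` when the tag is empty (not visible in this diff), keeping `tag: ""` here makes `appVersion` the single source of truth; otherwise reword the comment to say the tag is locked to the release and must be updated together with `appVersion`. Quoting the value is correct, since an unquoted `20240828` would be read as an integer.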
@@ -64,12 +64,6 @@ image: ## ref: https://github.com/google/timesketch/blob/master/data/timesketch.conf ## config: - ## @param config.override Overrides the default Timesketch configs to instead use a user specified directory if present on the root directory of the Helm chart - ## to retrieve the config files from. Please ensure the appropriate configs are in the directory else Timesketch - ## may not run properly. To see which config files are required, review the tools/download-timesketch-configs.sh - ## script packaged along with this Helm chart. - ## - override: configs/* ## @param config.existingConfigMap Use an existing ConfigMap as the default Timesketch config. ## Please ensure that the ConfigMap has been created prior to deployment ## (e.g. kubectl create configmap timesketch-configs --from-file=timesketch-configs/) @@ -279,7 +273,7 @@ serviceAccount: ## @param serviceAccount.name The name of the service account to use ## If not set and create is true, a name is generated using the fullname template ## - name: "timesketch" + name: "" ## Service Parameters ## service: @@ -330,15 +324,14 @@ ingress: ## enabled: false ## @param ingress.host Domain name Timesketch will be hosted under - ## Please ensure this value is set when enabling Ingress. If using "gce" for - ## ingress.className, please ensure you have a DNS record set for the IP address - ## registered under ingress.gcp.staticIPName + ## Please ensure you have a DNS record set for the IP address registered under + ## ingress.gcp.staticIPName ## host: "" ## @param ingress.className IngressClass that will be be used to implement the Ingress ## ref https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/ ## - className: "gce" + className: "" ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm ## selfSigned: false 
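Review bot: The comment above `name: ""` still says `If not set and create is true, a name is generated using the fullname template`, but the helper in `_helpers.tpl` now builds `<release>-timesketch` whenever `name` is empty, without consulting `create` and without the fullname template. Reword it to match the new behaviour, e.g. `## If not set, <release>-timesketch is used regardless of serviceAccount.create; when create is false, supply the name of an account that already exists`.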
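Review bot: The rewritten `ingress.host` comment refers only to `ingress.gcp.staticIPName`, although this change makes `className` a free choice and the GCE annotations optional, so the advice no longer fits a non-GKE controller. Something like `## Please ensure a DNS record for this name points at the address of your ingress controller (for the "gce" class, the IP reserved under ingress.gcp.staticIPName).` stays accurate for both cases. With `className: ""` as the default, the `kubernetes.io/ingressClassName` annotation in ingress.yaml renders with an empty value; the comment should say which class applies when it is left blank, or the template should omit the annotation when the value is empty.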
@@ -352,11 +345,11 @@ ingress: ## ref https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs ## managedCertificates: false - ## @param ingress.gcp.staticIPName Name of the static IP address you reserved in GCP. Required when using "gce" in ingress.className + ## @param ingress.gcp.staticIPName Name of the static IP address you reserved in GCP. ## ref https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address ## staticIPName: "" - ## @param ingress.gcp.staticIPV6Name Name of the static IPV6 address you reserved in GCP. This can be optionally provided to deploy a loadbalancer with an IPV6 address + ## @param ingress.gcp.staticIPV6Name Name of the static IPV6 address you reserved. This can be optionally provided to deploy a loadbalancer with an IPV6 address in GCP. ## ref https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address ## staticIPV6Name: "" @@ -373,6 +366,9 @@ opensearch: ## @param opensearch.enabled Enables the Opensearch deployment ## enabled: true + ## @param opensearch.nodeGroup Specifies the node group for this OpenSearch instance. Avoid using "master" as the node group name, as this will prevent the service from resolving correctly. + ## + nodeGroup: "" ## @param opensearch.config.opensearch.yml Opensearch configuration file. Can be appended for additional configuration options ## Values must be YAML literal style scalar / YAML multiline string ## : |
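Review bot: The new `opensearch.nodeGroup` comment says what not to use but not what the empty default resolves to or how the value is consumed; now that the parent chart overrides `opensearch.uname` with `<release>-<masterService>`, a reader cannot tell from values.yaml whether `nodeGroup` still participates in naming inside the subchart. Add a sentence stating what an empty value means for the subchart, and confirm it against the opensearch subchart templates, which are not in this diff. Note also that an empty string passed down to a subchart generally overrides the subchart's own default rather than deferring to it, so if the subchart uses `nodeGroup` in resource names the result may carry a trailing hyphen; worth verifying before leaving `""` as the default.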