fluentd

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters

## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template
##
fullnameOverride: ""
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param clusterDomain Cluster Domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - infinity
## @section Fluentd parameters

## Iamguarded Fluentd image version
## ref: https://hub.docker.com/r/iamguarded/fluentd/tags/
## @param image.registry [default: REGISTRY_NAME] Fluentd image registry
## @param image.repository [default: REPOSITORY_NAME/fluentd] Fluentd image repository
## @skip image.tag Fluentd image tag (immutable tags are recommended)
## @param image.pullPolicy Fluentd image pull policy
## @param image.pullSecrets Fluentd image pull secrets
## @param image.debug Enable image debug mode
##
image:
  registry: cgr.dev
  repository: chainguard-private/fluentd-iamguarded
  tag: 1.19.2
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  pullSecrets: []
  ## Enable debug mode
  ##
  debug: false
## /var/log readonly
## @param varlog.readonly Set /var/log volume mount readOnly
##
varlog:
  readonly: true
## Forwarder parameters
##
forwarder:
  ## @param forwarder.enabled Enable forwarder daemonset
  ##
  enabled: true
  ## @param forwarder.daemonUser Forwarder daemon user and group (set to root by default because it reads from host paths)
  ##
  daemonUser: root
  ## @param forwarder.daemonGroup Fluentd forwarder daemon system group
  ##
  daemonGroup: root
  ## @param forwarder.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param forwarder.hostAliases Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## K8s Security Context for forwarder pods
  ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  ## @param forwarder.podSecurityContext.enabled Enable security context for forwarder pods
  ## @param forwarder.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param forwarder.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param forwarder.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param forwarder.podSecurityContext.fsGroup Group ID for forwarder's containers filesystem
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 0
  ## K8s Security Context for forwarder container
  ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  ## @param forwarder.containerSecurityContext.enabled Enable security context for the forwarder container
  ## @param forwarder.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param forwarder.containerSecurityContext.runAsUser User ID for forwarder's containers
  ## @param forwarder.containerSecurityContext.runAsGroup Group ID for forwarder's containers
  ## @param forwarder.containerSecurityContext.privileged Run as privileged
  ## @param forwarder.containerSecurityContext.allowPrivilegeEscalation Allow Privilege Escalation
  ## @param forwarder.containerSecurityContext.readOnlyRootFilesystem Require the use of a read only root file system
  ## @param forwarder.containerSecurityContext.capabilities.drop [array] Drop capabilities for the securityContext
  ## @param forwarder.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 0
    runAsGroup: 0
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: "RuntimeDefault"
  ## @param forwarder.hostNetwork Enable use of host network
  ##
  hostNetwork: false
  ## @param forwarder.dnsPolicy Pod-specific DNS policy
  ##
  dnsPolicy: ""
  ## @param forwarder.terminationGracePeriodSeconds Duration in seconds the pod needs to terminate gracefully
  ## https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  ##
  terminationGracePeriodSeconds: 30
  ## @param forwarder.extraGems List of extra gems to be installed. Can be used to install additional fluentd plugins.
  ##
  extraGems: []
  ## @param forwarder.configFile Name of the config file that will be used by Fluentd at launch under the `/opt/iamguarded/fluentd/conf` directory
  ##
  configFile: fluentd.conf
  ## @param forwarder.configMap Name of the config map that contains the Fluentd configuration files
  ## If not specified, one will be created by default
  ##
  configMap: ""
  ## @param forwarder.configMapFiles [object] Files to be added to the config map. Ignored if `forwarder.configMap` is set
  ##
  configMapFiles:
    fluentd.conf: |
      # Ignore fluentd own events
      <match fluent.**>
        @type null
      </match>

      @include fluentd-inputs.conf
      @include fluentd-output.conf
      {{- if .Values.metrics.enabled }}
      @include metrics.conf
      {{- end }}
    fluentd-inputs.conf: |
      # HTTP input for the liveness and readiness probes
      <source>
        @type http
        port 9880
      </source>
      # Get the logs from the containers running in the node
      <source>
        @type tail
        path /var/log/containers/*.log
        # exclude Fluentd logs
        exclude_path /var/log/containers/*fluentd*.log
        pos_file /opt/iamguarded/fluentd/logs/buffers/fluentd-docker.pos
        tag kubernetes.*
        read_from_head true
        <parse>
          @type json
          time_key time
          time_format %Y-%m-%dT%H:%M:%S.%NZ
        </parse>
      </source>
      # enrich with kubernetes metadata
      {{- if or .Values.forwarder.serviceAccount.create .Values.forwarder.serviceAccount.name }}
      <filter kubernetes.**>
        @type kubernetes_metadata
      </filter>
      {{- end }}
    fluentd-output.conf: |
      # Throw the healthcheck to the standard output instead of forwarding it
      <match fluentd.healthcheck>
        @type stdout
      </match>
      {{- if .Values.aggregator.enabled }}
      # Forward all logs to the aggregators
      <match **>
        @type forward
        {{- if .Values.tls.enabled }}
        transport tls
        tls_cert_path /opt/iamguarded/fluentd/certs/out_forward/ca.crt
        tls_client_cert_path /opt/iamguarded/fluentd/certs/out_forward/tls.crt
        tls_client_private_key_path /opt/iamguarded/fluentd/certs/out_forward/tls.key
        {{- end }}

        {{- $fullName := (include "common.names.fullname" .) }}
        {{- $global := . }}
        {{- $domain := default "cluster.local" .Values.clusterDomain }}
        {{- $port := .Values.aggregator.port | int }}
        {{- range $i, $e := until (.Values.aggregator.replicaCount | int) }}
        <server>
          {{ printf "host %s-%d.%s-headless.%s.svc.%s" $fullName $i $fullName $global.Release.Namespace $domain }}
          {{ printf "port %d" $port }}
          {{- if ne $i 0 }}
          standby
          {{- end }}
        </server>
        {{- end }}
        <buffer>
          @type file
          path /opt/iamguarded/fluentd/logs/buffers/logs.buffer
          flush_thread_count 2
          flush_interval 5s
        </buffer>
      </match>
      {{- else }}
      # Send the logs to the standard output
      <match **>
        @type stdout
      </match>
      {{- end }}
    metrics.conf: |
      # Prometheus Exporter Plugin
      # input plugin that exports metrics
      <source>
        @type prometheus
        port {{ .Values.metrics.service.port }}
      </source>
      # input plugin that collects metrics from MonitorAgent
      <source>
        @type prometheus_monitor
        <labels>
          host ${hostname}
        </labels>
      </source>
      # input plugin that collects metrics for output plugin
      <source>
        @type prometheus_output_monitor
        <labels>
          host ${hostname}
        </labels>
      </source>
      # input plugin that collects metrics for in_tail plugin
      <source>
        @type prometheus_tail_monitor
        <labels>
          host ${hostname}
        </labels>
      </source>
  ## @param forwarder.extraArgs Extra arguments for the Fluentd command line
  ## ref: https://docs.fluentd.org/deployment/command-line-option
  ##
  extraArgs: ""
  ## @param forwarder.extraEnvVars Extra environment variables to pass to the container
  ## extraEnvVars:
  ##   - name: MY_ENV_VAR
  ##     value: my_value
  ##
  extraEnvVars: []
  ## @param forwarder.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Fluentd Forwarder nodes
  ##
  extraEnvVarsCM: ""
  ## @param forwarder.extraEnvVarsSecret Name of existing Secret containing extra env vars for Fluentd Forwarder nodes
  ##
  extraEnvVarsSecret: ""
  ## @param forwarder.containerPorts [array] Ports the forwarder containers will listen on
  ##
  containerPorts:
    ## - name: syslog-tcp
    ##   containerPort: 5140
    ##   protocol: TCP
    ## - name: syslog-udp
    ##   containerPort: 5140
    ##   protocol: UDP
    ## - name: tcp
    ##   containerPort: 24224
    ##   protocol: TCP
    - name: http
      containerPort: 9880
      protocol: TCP
  ## Service parameters
  ##
  service:
    ## @param forwarder.service.type Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) for the forwarders
    ##
    type: ClusterIP
    ## @param forwarder.service.ports [object] Array containing the forwarder service ports
    ##
    ports:
      ## syslog-udp:
      ##   port: 5140
      ##   targetPort: syslog-udp
      ##   protocol: UDP
      ##   nodePort: 31514
      ## syslog-tcp:
      ##   port: 5140
      ##   targetPort: syslog-tcp
      ##   protocol: TCP
      ##   nodePort: 31514
      ## tcp:
      ##   port: 24224
      ##   targetPort: tcp
      ##   protocol: TCP
      http:
        port: 9880
        targetPort: http
        protocol: TCP
    ## @param forwarder.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param forwarder.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ##
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param forwarder.service.externalTrafficPolicy Fluentd Forwarder service external traffic policy
    ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param forwarder.service.clusterIP Static clusterIP or None for headless services
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
    ## e.g:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param forwarder.service.annotations Provide any additional annotations which may be required
    ##
    annotations: {}
    ## @param forwarder.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param forwarder.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
    ## @param forwarder.service.ipFamilyPolicy Sets the IP family policy for the Service to be able to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
    ##
    ipFamilyPolicy: ""
    ## @param forwarder.service.ipFamilies A list of IP families for the Service that should be supported, in the order in which they should be applied. Can be "IPv4" and/or "IPv6".
    ##
    ipFamilies: []
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param forwarder.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param forwarder.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param forwarder.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param forwarder.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param forwarder.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param forwarder.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param forwarder.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param forwarder.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Configure extra options for startup probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param forwarder.startupProbe.enabled Enable startupProbe
  ## @param forwarder.startupProbe.httpGet.path Request path for startupProbe
  ## @param forwarder.startupProbe.httpGet.port Port for startupProbe
  ## @param forwarder.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param forwarder.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param forwarder.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param forwarder.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param forwarder.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    httpGet:
      path: /fluentd.healthcheck?json=%7B%22ping%22%3A+%22pong%22%7D
      port: http
    initialDelaySeconds: 60
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## Configure extra options for liveness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param forwarder.livenessProbe.enabled Enable livenessProbe
  ## @param forwarder.livenessProbe.tcpSocket.port Port for livenessProbe
  ## @param forwarder.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param forwarder.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param forwarder.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param forwarder.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param forwarder.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    tcpSocket:
      port: http
    initialDelaySeconds: 60
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## Configure extra options for readiness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param forwarder.readinessProbe.enabled Enable readinessProbe
  ## @param forwarder.readinessProbe.httpGet.path Request path for readinessProbe
  ## @param forwarder.readinessProbe.httpGet.port Port for readinessProbe
  ## @param forwarder.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param forwarder.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param forwarder.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param forwarder.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param forwarder.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    httpGet:
      path: /fluentd.healthcheck?json=%7B%22ping%22%3A+%22pong%22%7D
      port: http
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param forwarder.customStartupProbe Custom startup probe for the Fluentd Forwarder
  ##
  customStartupProbe: {}
  ## @param forwarder.customLivenessProbe Custom liveness probe for the Fluentd Forwarder
  ##
  customLivenessProbe: {}
  ## @param forwarder.customReadinessProbe Custom readiness probe for the Fluentd Forwarder
  ##
  customReadinessProbe: {}
  ## @param forwarder.updateStrategy.type Set up update strategy.
  ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy
  ## Example:
  ## updateStrategy:
  ##   type: RollingUpdate
  ##   rollingUpdate:
  ##     maxSurge: 25%
  ##     maxUnavailable: 25%
  ##
  updateStrategy:
    type: RollingUpdate
  ## Forwarder containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param forwarder.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if forwarder.resources is set (forwarder.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "nano"
  ## @param forwarder.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param forwarder.priorityClassName Set Priority Class Name to allow priority control over other pods
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param forwarder.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param forwarder.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param forwarder.podAffinityPreset Forwarder Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param forwarder.podAntiAffinityPreset Forwarder Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: ""
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param forwarder.nodeAffinityPreset.type Forwarder Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param forwarder.nodeAffinityPreset.key Forwarder Node label key to match. Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param forwarder.nodeAffinityPreset.values Forwarder Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param forwarder.affinity Forwarder Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param forwarder.nodeSelector Forwarder Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param forwarder.tolerations Forwarder Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param forwarder.podAnnotations Pod annotations
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param forwarder.podLabels Extra labels to add to Pod
  ##
  podLabels: {}
  ## Pods Service Account
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param forwarder.serviceAccount.create Specify whether a ServiceAccount should be created.
    ##
    create: true
    ## @param forwarder.serviceAccount.name The name of the ServiceAccount to create
    ## If not set and create is true, a name is generated using the common.names.fullname template
    name: ""
    ## @param forwarder.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param forwarder.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## Role Based Access
  ## ref: https://kubernetes.io/docs/admin/authorization/rbac/
  ## @param forwarder.rbac.create Specify whether RBAC resources should be created and used, allowing the get, watch and list of pods/namespaces
  ## @param forwarder.rbac.pspEnabled Whether to create a PodSecurityPolicy and bind it with RBAC. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
  ##
  rbac:
    create: true
    pspEnabled: false
  ## Persist data to a persistent volume
  ##
  persistence:
    ## @param forwarder.persistence.enabled Enable persistence volume for the forwarder
    ##
    enabled: false
    ## @param forwarder.persistence.hostPath.path Directory from the host node's filesystem to mount as hostPath volume for persistence.
    ## The host directory you chose is mounted into /opt/iamguarded/fluentd/logs/buffers in your Pod
    ## Example use case: mount host directory /tmp/buffer (if the directory doesn't exist, it creates it) into forwarder pod.
    ##   persistence:
    ##     enabled: true
    ##     hostPath:
    ##       path: /tmp/buffer
    ##
    hostPath:
      path: /opt/iamguarded/fluentd/logs/buffers
  ## @param forwarder.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param forwarder.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param forwarder.lifecycleHooks Additional lifecycles to add to the pods
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
  ## e.g:
  ##   postStart:
  ##     exec:
  ##       command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
  ##   preStop:
  ##     exec:
  ##       command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"]
  ##
  lifecycleHooks: {}
  ## install-extra-gems and tmp-dir-permissions containers resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param forwarder.initResourcePresets Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if aggregator.resources is set (aggregator.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  initResourcePresets: "nano"
  ## @param forwarder.initResources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## initResources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  initResources: {}
  ## @param forwarder.initContainers Additional init containers to add to the pods
  ## For example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##
  initContainers: []
  ## @param forwarder.sidecars Add sidecars to forwarder pods
  ##
  ## For example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param forwarder.extraVolumes Extra volumes
  ## Example Use Case: mount systemd journal volume
  ##   - name: systemd
  ##     hostPath:
  ##       path: /run/log/journal/
  ##
  extraVolumes: []
  ## @param forwarder.extraVolumeMounts Mount extra volume(s)
  ##   - name: systemd
  ##     mountPath: /run/log/journal/
  ##
  extraVolumeMounts: []
  ## @param forwarder.initScripts Dictionary of init scripts. Evaluated as a template.
  ## Specify dictionary of scripts to be run at first boot
  ## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
  ## For example:
  ## initScripts:
  ##   my_init_script.sh: |
  ##     #!/bin/sh
  ##     echo "Do something."
  ##
  initScripts: {}
  ## @param forwarder.initScriptsCM ConfigMap with the init scripts. Evaluated as a template.
  ## Note: This will override initScripts
  ##
  initScriptsCM: ""
  ## @param forwarder.initScriptsSecret Secret containing `/docker-entrypoint-initdb.d` scripts to be executed at initialization time that contain sensitive data. Evaluated as a template.
  ##
  initScriptsSecret: ""
##
## Aggregator parameters
##
aggregator:
  ## @param aggregator.enabled Enable Fluentd aggregator statefulset
  ##
  enabled: true
  ## @param aggregator.replicaCount Number of aggregator pods to deploy in the Stateful Set
  ##
  replicaCount: 1
  ## K8s Security Context for Aggregator pods
  ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  ## @param aggregator.podSecurityContext.enabled Enable security context for aggregator pods
  ## @param aggregator.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param aggregator.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param aggregator.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param aggregator.podSecurityContext.fsGroup Group ID for aggregator's containers filesystem
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## @param aggregator.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param aggregator.hostAliases Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## K8s Security Context for Aggregator containers
  ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  ## @param aggregator.containerSecurityContext.enabled Enable security context for the aggregator container
  ## @param aggregator.containerSecurityContext.privileged Run as privileged
  ## @param aggregator.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param aggregator.containerSecurityContext.runAsUser User ID for aggregator's containers
  ## @param aggregator.containerSecurityContext.runAsGroup Group ID for aggregator's containers
  ## @param aggregator.containerSecurityContext.allowPrivilegeEscalation Allow Privilege Escalation
  ## @param aggregator.containerSecurityContext.readOnlyRootFilesystem Require the use of a read only root file system
  ## @param aggregator.containerSecurityContext.capabilities.drop [array] Drop capabilities for the securityContext
  ## @param aggregator.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    privileged: false
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: "RuntimeDefault"
  ## @param aggregator.terminationGracePeriodSeconds Duration in seconds the pod needs to terminate gracefully
  ## https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  ##
  terminationGracePeriodSeconds: 30
  ## @param aggregator.extraGems List of extra gems to be installed. Can be used to install additional fluentd plugins.
  ##
  extraGems: []
  ## @param aggregator.configFile Name of the config file that will be used by Fluentd at launch under the `/opt/iamguarded/fluentd/conf` directory
  ##
  configFile: fluentd.conf
  ## @param aggregator.configMap Name of the config map that contains the Fluentd configuration files
  ##
  configMap: ""
  ## @param aggregator.configMapFiles [object] Files to be added to the config map. Ignored if `aggregator.configMap` is set
  ##
  configMapFiles:
    fluentd.conf: |
      # Ignore fluentd own events
      <match fluent.**>
        @type null
      </match>

      @include fluentd-inputs.conf
      @include fluentd-output.conf
      {{- if .Values.metrics.enabled }}
      @include metrics.conf
      {{- end }}
    fluentd-inputs.conf: |
      # TCP input to receive logs from
      {{- if .Values.aggregator.port }}
      <source>
        @type forward
        bind 0.0.0.0
        port {{ .Values.aggregator.port }}
        {{- if .Values.tls.enabled }}
        <transport tls>
          ca_path /opt/iamguarded/fluentd/certs/in_forward/ca.crt
          cert_path /opt/iamguarded/fluentd/certs/in_forward/tls.crt
          private_key_path /opt/iamguarded/fluentd/certs/in_forward/tls.key
          client_cert_auth true
        </transport>
        {{- end }}
      </source>
      {{- end }}

      # HTTP input for the liveness and readiness probes
      <source>
        @type http
        bind 0.0.0.0
        port 9880
      </source>
    fluentd-output.conf: |
      # Throw the healthcheck to the standard output
      <match fluentd.healthcheck>
        @type stdout
      </match>

      # Send the logs to the standard output
      <match **>
        @type stdout
      </match>
    metrics.conf: |
      # Prometheus Exporter Plugin
      # input plugin that exports metrics
      <source>
        @type prometheus
        port {{ .Values.metrics.service.port }}
      </source>

      # input plugin that collects metrics from MonitorAgent
      <source>
        @type prometheus_monitor
        <labels>
          host ${hostname}
        </labels>
      </source>

      # input plugin that collects metrics for output plugin
      <source>
        @type prometheus_output_monitor
        <labels>
          host ${hostname}
        </labels>
      </source>
  ## @param aggregator.port Port the Aggregator container will listen for logs. Leave it blank to ignore.
  ## You can specify other ports in the aggregator.containerPorts parameter
  ##
  port: 24224
  ## @param aggregator.extraArgs Extra arguments for the Fluentd command line
  ## ref: https://docs.fluentd.org/deployment/command-line-option
  ##
  extraArgs: ""
  ## @param aggregator.extraEnvVars Extra environment variables to pass to the container
  ## extraEnvVars:
  ##   - name: MY_ENV_VAR
  ##     value: my_value
  ##
  extraEnvVars: []
  ## @param aggregator.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Fluentd Aggregator nodes
  ##
  extraEnvVarsCM: ""
  ## @param aggregator.extraEnvVarsSecret Name of existing Secret containing extra env vars for Fluentd Aggregator nodes
  ##
  extraEnvVarsSecret: ""
  ## @param aggregator.containerPorts [array] Ports the aggregator containers will listen on
  ##
  containerPorts:
    # - name: my-port
    #   containerPort: 24222
    #   protocol: TCP
    - name: http
      containerPort: 9880
      protocol: TCP
  ## Service parameters
  ##
  service:
    ## @param aggregator.service.type Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) for the aggregators
    ##
    type: ClusterIP
    ## @param aggregator.service.ports [object] Array containing the aggregator service ports
    ##
    ports:
      http:
        port: 9880
        targetPort: http
        protocol: TCP
      tcp:
        port: 24224
        targetPort: tcp
        protocol: TCP
    ## @param aggregator.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param aggregator.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ##
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    loadBalancerSourceRanges: []
    ## @param aggregator.service.clusterIP Static clusterIP or None for headless services
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
    ## e.g:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param aggregator.service.annotations Provide any additional annotations which may be required
    ##
    annotations: {}
    ## @param aggregator.service.externalTrafficPolicy Fluentd Aggregator service external traffic policy
    ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param aggregator.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param aggregator.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
    ## @param aggregator.service.annotationsHeadless Provide any additional annotations which may be required on headless service
    ##
    annotationsHeadless: {}
    ## Headless service properties
    ##
    headless:
      ## @param aggregator.service.headless.annotations Annotations for the headless service.
      ##
      annotations: {}
    ## @param aggregator.service.ipFamilyPolicy Sets the IP family policy for the Service to be able to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
    ##
    ipFamilyPolicy: ""
    ## @param aggregator.service.ipFamilies A list of IP families for the Service that should be supported, in the order in which they should be applied. Can be "IPv4" and/or "IPv6".
    ##
    ipFamilies: []
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param aggregator.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param aggregator.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param aggregator.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param aggregator.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param aggregator.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param aggregator.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param aggregator.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Configure the ingress resource that allows you to access the
  ## Fluentd aggregator. Set up the URL
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param aggregator.ingress.enabled Set to true to enable ingress record generation
    ##
    enabled: false
    ## DEPRECATED: Use ingress.annotations instead of ingress.certManager
    ## certManager: false
    ##

    ## @param aggregator.ingress.pathType Ingress Path type. How the path matching is interpreted
    ##
    pathType: ImplementationSpecific
    ## @param aggregator.ingress.apiVersion Override API Version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param aggregator.ingress.hostname Default host for the ingress resource
    ##
    hostname: fluentd.local
    ## @param aggregator.ingress.path Default path for the ingress resource
    ## You may need to set this to '/*' in order to use this with ALB ingress controllers.
    ##
    path: /
    ## @param aggregator.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## For a full list of possible ingress annotations, please see
    ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ##
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param aggregator.ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter
    ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.aggregator.ingress.hostname | trunc 63 | trimSuffix "-" }}
    ## You can use the ingress.secrets parameter to create this TLS secret or rely on cert-manager to create it
    ##
    tls: false
    ## @param aggregator.ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
    ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
    ## extraHosts:
    ## - name: fluentd.local
    ##   path: /
    ##
    extraHosts: []
    ## @param aggregator.ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
    ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param aggregator.ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
    ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## extraTls:
    ## - hosts:
    ##     - fluentd.local
    ##   secretName: fluentd.local-tls
    ##
    extraTls: []
    ## @param aggregator.ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
    ## key and certificate should start with -----BEGIN CERTIFICATE----- or
    ## -----BEGIN RSA PRIVATE KEY-----
    ##
    ## name should line up with a tlsSecret set further up
    ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
    ##
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## - name: fluentd.local-tls
    ##   key:
    ##   certificate:
    ##
    secrets: []
    ## @param aggregator.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param aggregator.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## Configure extra options for startup probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param aggregator.startupProbe.enabled Enable startupProbe
  ## @param aggregator.startupProbe.httpGet.path Request path for startupProbe
  ## @param aggregator.startupProbe.httpGet.port Port for startupProbe
  ## @param aggregator.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param aggregator.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param aggregator.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param aggregator.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param aggregator.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: true
    httpGet:
      path: /fluentd.healthcheck?json=%7B%22ping%22%3A+%22pong%22%7D
      port: http
    initialDelaySeconds: 60
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## Configure extra options for liveness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param aggregator.livenessProbe.enabled Enable livenessProbe
  ## @param aggregator.livenessProbe.tcpSocket.port Port for livenessProbe
  ## @param aggregator.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param aggregator.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param aggregator.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param aggregator.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param aggregator.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    tcpSocket:
      port: http
    initialDelaySeconds: 60
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## Configure extra options for readiness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param aggregator.readinessProbe.enabled Enable readinessProbe
  ## @param aggregator.readinessProbe.httpGet.path Request path for readinessProbe
  ## @param aggregator.readinessProbe.httpGet.port Port for readinessProbe
  ## @param aggregator.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param aggregator.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param aggregator.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param aggregator.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param aggregator.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    httpGet:
      path: /fluentd.healthcheck?json=%7B%22ping%22%3A+%22pong%22%7D
      port: http
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param aggregator.customStartupProbe Custom startup probe for the Fluentd Aggregator
  ##
  customStartupProbe: {}
  ## @param aggregator.customLivenessProbe Custom liveness probe for the Fluentd Aggregator
  ##
  customLivenessProbe: {}
  ## @param aggregator.customReadinessProbe Custom readiness probe for the Fluentd Aggregator
  ##
  customReadinessProbe: {}
  ## @param aggregator.updateStrategy.type Set up update strategy.
  ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
  ## Example:
  ## updateStrategy:
  ##   type: RollingUpdate
  ##   rollingUpdate:
  ##     maxSurge: 25%
  ##     maxUnavailable: 25%
  ##
  updateStrategy:
    type: RollingUpdate
  ## Aggregator containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param aggregator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if aggregator.resources is set (aggregator.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "nano"
  ## @param aggregator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param aggregator.priorityClassName Fluentd Aggregator pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param aggregator.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param aggregator.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param aggregator.podManagementPolicy podManagementPolicy to manage scaling operation of Fluentd Aggregator pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  podManagementPolicy: ""
  ## @param aggregator.podAffinityPreset Aggregator Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param aggregator.podAntiAffinityPreset Aggregator Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param aggregator.nodeAffinityPreset.type Aggregator Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param aggregator.nodeAffinityPreset.key Aggregator Node label key to match. Ignored if `affinity` is set.
    ##
    key: ""
    ## @param aggregator.nodeAffinityPreset.values Aggregator Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param aggregator.affinity Aggregator Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param aggregator.nodeSelector Aggregator Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param aggregator.tolerations Aggregator Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param aggregator.podAnnotations Pod annotations
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param aggregator.podLabels Extra labels to add to Pod
  ##
  podLabels: {}
  ## Pods Service Account
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param aggregator.serviceAccount.create Specify whether a ServiceAccount should be created
    ##
    create: true
    ## @param aggregator.serviceAccount.name The name of the ServiceAccount to create
    ## If not set and create is true, a name is generated using the common.names.fullname template
    name: ""
    ## @param aggregator.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param aggregator.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## Autoscaling parameters
  ## This is not recommended in a forwarder+aggregator architecture
  ## @param aggregator.autoscaling.enabled Create a Horizontal Pod Autoscaler
  ## @param aggregator.autoscaling.minReplicas Minimum number of replicas for the HPA
  ## @param aggregator.autoscaling.maxReplicas Maximum number of replicas for the HPA
  ## @param aggregator.autoscaling.metrics [array] Metrics for the HPA to manage the scaling
  ## @param aggregator.autoscaling.behavior HPA Behavior
  ##
  autoscaling:
    enabled: false
    minReplicas: 2
    maxReplicas: 5
    metrics:
      - type: Resource
        resource:
          name: cpu
          target:
            type: Utilization
            averageUtilization: 60
      - type: Resource
        resource:
          name: memory
          target:
            type: Utilization
            averageUtilization: 60
    behavior: {}
  ## Persist data to a persistent volume
  ##
  persistence:
    ## @param aggregator.persistence.enabled Enable persistence volume for the aggregator
    ##
    enabled: false
    ## @param aggregator.persistence.storageClass Persistent Volume storage class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner. (gp2 on AWS, standard on
    ## GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param aggregator.persistence.accessModes Persistent Volume access modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param aggregator.persistence.size Persistent Volume size
    ##
    size: 10Gi
    ## @param aggregator.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    selector: {}
    ## @param aggregator.persistence.annotations Persistent Volume Claim annotations
    ##
    annotations: {}
  ## @param aggregator.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param aggregator.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param aggregator.lifecycleHooks Additional lifecycles to add to the pods
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
  ## e.g:
  ## postStart:
  ##   exec:
  ##     command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
  ## preStop:
  ##   exec:
  ##     command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"]
  ##
  lifecycleHooks: {}
  ## install-extra-gems and tmp-dir-permissions containers resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param aggregator.initResourcePresets Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if aggregator.resources is set (aggregator.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  initResourcePresets: "nano"
  ## @param aggregator.initResources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## initResources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  initResources: {}
  ## @param aggregator.initContainers Add init containers to aggregator pods
  ## Example
  ##
  ## initContainers:
  ##   - name: do-something
  ##     image: busybox
  ##     command: ['do', 'something']
  ##
  initContainers: []
  ## @param aggregator.sidecars Add sidecars to aggregator pods
  ##
  ## For example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param aggregator.extraVolumes Extra volumes
  ## Example Use Case: mount an emptyDir into /tmp to support running with readOnlyRootFileSystem
  ##   - name: tmpDir
  ##     emptyDir: {}
  ##
  extraVolumes: []
  ## @param aggregator.extraVolumeMounts Mount extra volume(s)
  ##   - name: tmpDir
  ##     mountPath: /tmp
  ##
  extraVolumeMounts: []
  ## @param aggregator.extraVolumeClaimTemplates Optionally specify extra list of additional volume claim templates for the Fluentd Aggregator pods in StatefulSet
  ##
  extraVolumeClaimTemplates: []
  ## @param aggregator.initScripts Dictionary of init scripts. Evaluated as a template.
  ## Specify dictionary of scripts to be run at first boot
  ## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
  ## For example:
  ## initScripts:
  ##   my_init_script.sh: |
  ##     #!/bin/sh
  ##     echo "Do something."
  ##
  initScripts: {}
  ## @param aggregator.initScriptsCM ConfigMap with the init scripts. Evaluated as a template.
  ## Note: This will override initScripts
  ##
  initScriptsCM: ""
  ## @param aggregator.initScriptsSecret Secret containing `/docker-entrypoint-initdb.d` scripts to be executed at initialization time that contain sensitive data. Evaluated as a template.
  ##
  initScriptsSecret: ""
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param aggregator.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param aggregator.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param aggregator.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `secondary.pdb.minAvailable` and `secondary.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
1475
## Prometheus Exporter / Metrics
##
metrics:
  ## @param metrics.enabled Enable the export of Prometheus metrics
  ##
  enabled: false
  ## Prometheus Exporter service parameters
  ##
  service:
    ## @param metrics.service.type Prometheus metrics service type
    ##
    type: ClusterIP
    ## @param metrics.service.port Prometheus metrics service port
    ##
    port: 24231
    ## @param metrics.service.loadBalancerIP Load Balancer IP if the Prometheus metrics server type is `LoadBalancer`
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param metrics.service.clusterIP Prometheus metrics service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param metrics.service.loadBalancerSourceRanges Prometheus metrics service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param metrics.service.externalTrafficPolicy Prometheus metrics service external traffic policy
    ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param metrics.service.annotations [object] Annotations for the Prometheus Exporter service
    ## If a port or path annotation is provided, its value will be used in the Prometheus ServiceMonitor CRD.
    ##
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "24231"
      prometheus.io/path: "/metrics"
    ## @param metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ## e.g:
    ## interval: 10s
    ##
    interval: ""
    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ## e.g:
    ## scrapeTimeout: 10s
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus.
    ##
    jobLabel: ""
    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ## ref: https://github.com/iamguarded/charts/tree/main/iamguarded/prometheus-operator#prometheus-configuration
    ## e.g:
    ## selector:
    ##   prometheus: my-prometheus
    ##
    selector: {}
    ## @param metrics.serviceMonitor.labels ServiceMonitor extra labels
    ##
    labels: {}
    ## @param metrics.serviceMonitor.annotations ServiceMonitor annotations
    ##
    annotations: {}
    ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.path path defines the path that Prometheus will use to pull metrics from the container
    ##
    path: "/metrics"
## Enable internal SSL/TLS encryption
##
tls:
  ## @param tls.enabled Enable TLS/SSL encryption for internal communications
  ##
  enabled: false
  ## @param tls.autoGenerated Generate automatically self-signed TLS certificates.
  ##
  autoGenerated: false
  ## @param tls.forwarder.existingSecret Name of the existing secret containing the TLS certificates for the Fluentd forwarder
  ##
  forwarder:
    existingSecret: ""
  ## @param tls.aggregator.existingSecret Name of the existing secret containing the TLS certificates for the Fluentd aggregator
  ##
  aggregator:
    existingSecret: ""
