From c1582a5c080f2f17eaeb362c0ae154010b9546a8 Mon Sep 17 00:00:00 2001 From: wajihyassine Date: Mon, 23 Sep 2024 13:30:45 -0700 Subject: [PATCH] Make ingress more generalized, remove roll and config override --- charts/timesketch/Chart.lock | 2 +- charts/timesketch/Chart.yaml | 2 +- charts/timesketch/README.md | 143 +++------ charts/timesketch/templates/_helpers.tpl | 23 +- .../timesketch/templates/_initContainer.tpl | 6 +- charts/timesketch/templates/configmap.yaml | 12 - charts/timesketch/templates/ingress.yaml | 23 +- .../timesketch/templates/serviceaccount.yaml | 1 + .../timesketch/templates/web-deployment.yaml | 9 +- .../templates/worker-deployment.yaml | 9 +- charts/timesketch/values-production.yaml | 280 ------------------ charts/timesketch/values.yaml | 19 +- 12 files changed, 87 insertions(+), 442 deletions(-) delete mode 100644 charts/timesketch/templates/configmap.yaml delete mode 100644 charts/timesketch/values-production.yaml diff --git a/charts/timesketch/Chart.lock b/charts/timesketch/Chart.lock index bb957142..15f74e78 100644 --- a/charts/timesketch/Chart.lock +++ b/charts/timesketch/Chart.lock @@ -9,4 +9,4 @@ dependencies: repository: https://opensearch-project.github.io/helm-charts/ version: 2.20.0 digest: sha256:3fbaef8755ed79056d10a0c93cf5d278a47bb5f55b9a98802922edef4faa0610 -generated: "2024-05-16T13:22:27.139681-07:00" +generated: "2024-09-23T13:14:31.525789-07:00" diff --git a/charts/timesketch/Chart.yaml b/charts/timesketch/Chart.yaml index 8f0ad215..fd125dc7 100644 --- a/charts/timesketch/Chart.yaml +++ b/charts/timesketch/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: timesketch -version: 1.0.7 +version: 1.0.8 description: A Helm chart for Timesketch Kubernetes deployments. keywords: - timesketch diff --git a/charts/timesketch/README.md b/charts/timesketch/README.md index e223f4ef..0a789760 100644 --- a/charts/timesketch/README.md +++ b/charts/timesketch/README.md 
@@ -40,34 +40,21 @@ helm repo add osdfir-charts https://google.github.io/osdfir-infrastructure/ helm repo update ``` -To install the chart, specify any release name of your choice. For example, using `my-release` as the release name, run: +To install the chart, specify any release name of your choice. For example, +using `my-release` as the release name, run: ```console helm install my-release osdfir-charts/timesketch ``` -The command deploys Timesketch on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured -during installation or see [Installating for Production](#installing-for-production) -for a recommended production installation. +The command deploys Timesketch on the Kubernetes cluster in the default configuration. +The [Parameters](#parameters) section lists the parameters that can be configured +during installation. -> **Tip**: You can override the default Timesketch configuration by pulling the Helm -chart locally and adding a `configs/` directory at the root of the Helm chart with user-provided configs. +> **Tip**: See the [Managing and updating Timesketch configs](#managing-and-updating-timesketch-configs) +section for more details on managing the Timesketch configs. -## Installing for Production - -Pull the chart locally then cd into `/timesketch` and review the `values-production.yaml` file for a list of values that will be used for production. 
- -```console -helm pull osdfir-charts/timesketch --untar -``` - -Install the chart with the base values in `values.yaml` and the production values in `values-production.yaml`, then using a release name such as `my-release`, run: - -```console -helm install my-release ../timesketch -f values.yaml -f values-production.yaml -``` - -### Enabling GKE Ingress and OIDC Authentication +## Enabling GKE Ingress and OIDC Authentication Follow these steps to externally expose Timesketch and enable Google Cloud OIDC to control user access to Timesketch. @@ -115,6 +102,7 @@ OAuth client. helm upgrade my-release ../timesketch \ -f values-production.yaml \ --set ingress.enabled=true \ + --set ingress.className="gce" \ --set ingress.host= \ --set ingress.gcp.staticIPName= \ --set ingress.gcp.managedCertificates=true \ @@ -318,8 +306,8 @@ helm install my-release osdfir-charts/timesketch --set opensearch.replicas=3 The above command installs Timesketch with 3 Opensearch Replicas. -Alternatively, the `values.yaml` and `values-production.yaml` file can be -directly updated if the Helm chart was pulled locally. For example, +Alternatively, the `values.yaml` file can be directly updated if the Helm chart +was pulled locally. For example, ```console helm pull osdfir-charts/timesketch --untar 
@@ -358,100 +346,61 @@ image tag to `latest` and increasing persistent volume size of an existing volum to 10 Terabytes. Note that existing data will not be deleted and instead triggers an expansion of the volume that backs the underlying PersistentVolume. See [here](https://kubernetes.io/docs/concepts/storage/persistent-volumes/). -### Managing and updating Timesketch configs - -This section outlines how to deploy and manage Timesketch configuration files within OSDFIR infrastructure. There are three primary methods: - -1. **Using Default Configurations** - - If you don't provide your own Timesketch config files during deployment, - the Timesketch deployment will automatically retrieve the latest default configs - from the Timesketch Github repository. This method requires no further action from you. - - > **NOTE:** When using the default method, you cannot update the Timesketch config files directly. - -2. **Embedding Timesketch configs in the Helm Chart** - - To customize Timesketch with your own config files and include them directly in the Helm chart deployment, follow these steps: - - 1. Download and Extract the Helm chart: +## Managing and updating Timesketch configs - ```console - helm pull osdfir-charts/timesketch --untar - cd timesketch/ - ``` +This section outlines how to deploy and manage Timesketch configuration files +within OSDFIR infrastructure. - 2. Download the default Timesketch configs: +There are two primary methods: - ```console - ./tools/download-timesketch-configs.sh - ``` +### Using Default Configurations** - This script downloads the default Timesketch configuration files to the `config/` directory within the extracted Helm chart directory. +If you don't provide your own Timesketch config files during deployment, +the Timesketch deployment will automatically retrieve the latest default configs +from the Timesketch Github repository. This method requires no further action from you. - 3. 
Modify config files then deploy the Helm chart: +> **NOTE:** When using the default method, you cannot update the Timesketch config files directly. - ```console - helm install my-release ../timesketch - ``` +### Managing Timesketch configs externally - > **NOTE**: The Helm chart checks the path specified in `config.override` for existing config files. By default this path is set to `configs/` within the Helm chart directory. +For more advanced configuration management, you can manage Timesketch config +files independently of the Helm chart: - To update configs changes using this method: +1. Prepare your Config Files: - 1. Modify Configuration Files + Organize all the Timesketch configuration files in a directory with your + desired customizations. - Make the necessary changes to your configuration files in the `config/` directory. +2. Create a ConfigMap: - 2. Upgrade the Helm Release: - - ```console - helm upgrade my-release ../timesketch - ``` - - This will automatically apply the updated config changes and restart the Timesketch deployment so the changes can be picked up. - - -3. **Managing Timesketch configs externally** - - For more advanced configuration management, you can manage Timesketch config - files independently of the Helm chart: - - 1. Prepare your Config Files: - - Organize all the Timesketch configuration files in a directory with your - desired customizations. - - 2. Create a ConfigMap: - - ```console - kubectl create configmap timesketch-configs --from-file=./my-configs/ - ``` + ```console + kubectl create configmap timesketch-configs --from-file=./timesketch-configs/ + ``` - Replace `./my-configs/` with the actual path to your configuration files. + Replace `./timesketch-configs/` with the actual path to your configuration files. - 3. Install or Upgrade the Helm Chart: +3. 
Install or Upgrade the Helm Chart: - ```console - helm install my-release osdfir-charts/timesketch --set config.existingConfigMap="timesketch-configs" - ``` + ```console + helm install my-release osdfir-charts/timesketch --set config.existingConfigMap="timesketch-configs" + ``` - This command instructs the Helm chart to use the `timesketch-configs` ConfigMap for - Timesketch's config files. + This command instructs the Helm chart to use the `timesketch-configs` ConfigMap for + Timesketch's config files. - To update the config changes using this method: +To update the config changes using this method: - 1. Update the ConfigMap: +1. Update the ConfigMap: - ```console - kubectl create configmap timesketch-configs --from-file=./my-configs/ --dry-run -o yaml | kubectl replace -f - - ``` + ```console + kubectl create configmap timesketch-configs --from-file=./my-configs/ --dry-run -o yaml | kubectl replace -f - + ``` - 2. Restart the Timesketch deployment to apply the new configs +2. Restart the Timesketch deployment to apply the new configs - ```console - kubectl rollout restart deployment -l app.kubernetes.io/name=timesketch - ``` + ```console + kubectl rollout restart deployment -l app.kubernetes.io/name=timesketch + ``` ### Upgrade Timesketch Database Schema diff --git a/charts/timesketch/templates/_helpers.tpl b/charts/timesketch/templates/_helpers.tpl index cdc454d4..d9d9a1fc 100644 --- a/charts/timesketch/templates/_helpers.tpl +++ b/charts/timesketch/templates/_helpers.tpl 
@@ -28,11 +28,10 @@ Return the proper persistence volume claim name */}} {{- define "timesketch.pvc.name" -}} {{- $pvcName := .Values.persistence.name -}} -{{- if .Values.global -}} - {{- if .Values.global.existingPVC -}} - {{- $pvcName = .Values.global.existingPVC -}} - {{- end -}} -{{- printf "%s-%s" $pvcName "claim" }} +{{- if and .Values.global .Values.global.existingPVC -}} +{{- .Values.global.existingPVC -}} +{{- else -}} +{{- printf "%s-%s-claim" .Release.Name $pvcName }} {{- end -}} {{- end -}} @@ -93,10 +92,10 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "timesketch.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "timesketch.fullname" .) .Values.serviceAccount.name }} +{{- if .Values.serviceAccount.name }} +{{- .Values.serviceAccount.name }} {{- else }} -{{- default "default" .Values.serviceAccount.name }} +{{- printf "%s-%s" .Release.Name "timesketch" }} {{- end }} {{- end }} @@ -172,11 +171,3 @@ Timesketch service port {{- printf "%s-access-list" (include "timesketch.fullname" .) -}} {{- end -}} {{- end -}} - -{{- define "timesketch.configmap" -}} -{{- if .Values.config.existingConfigMap -}} -{{- .Values.config.existingConfigMap -}} -{{- else -}} -{{- include "timesketch.fullname" . }}-configmap -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/timesketch/templates/_initContainer.tpl b/charts/timesketch/templates/_initContainer.tpl index 27fff9f5..6597404b 100644 --- a/charts/timesketch/templates/_initContainer.tpl +++ b/charts/timesketch/templates/_initContainer.tpl 
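Review bot: The `else` branch of `timesketch.pvc.name` now renders `<release>-<persistence.name>-claim` where the previous code rendered `<persistence.name>-claim`, so a release upgraded from 1.0.7 to 1.0.8 references a PVC under a new name. If the chart's PVC manifest is named through this helper (not in this diff), Helm will create a fresh empty claim and, since the old claim drops out of the release manifest, remove it on upgrade unless it carries `helm.sh/resource-policy: keep`, while the data stays only in the old volume. The `existingPVC` branch also loses the `-claim` suffix, so anyone who set `global.existingPVC` to the bare volume name must now pass the full claim name. Either keep the old default (`{{- printf "%s-claim" $pvcName }}`) or document the rename and the new `global.existingPVC` expectation in the README upgrade notes before releasing.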
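Review bot: `timesketch.serviceAccountName` no longer consults `serviceAccount.create`: with `serviceAccount.name` left at its new empty default and `create: false`, the deployments reference a `<release>-timesketch` ServiceAccount that nothing creates, and pods fail to be created with a ServiceAccount-not-found error, where the previous code fell back to `default`. Keep the fallback with `{{- else if .Values.serviceAccount.create }}` / `{{- printf "%s-%s" .Release.Name "timesketch" }}` / `{{- else }}default{{- end }}`, or alternatively `fail` when `create` is false and no name is given, so the misconfiguration is caught at render time rather than at scheduling.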
@@ -59,11 +59,13 @@ Worker pod upon startup. name: init-timesketch - mountPath: /etc/timesketch name: timesketch-configs + {{- if .Values.config.existingConfigMap }} - mountPath: /tmp/timesketch name: uploaded-configs - {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }} + {{- end }} + {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }} - name: authenticated-emails mountPath: /init/authenticated-emails readOnly: true - {{- end }} + {{- end }} {{- end }} diff --git a/charts/timesketch/templates/configmap.yaml b/charts/timesketch/templates/configmap.yaml deleted file mode 100644 index a8339b1a..00000000 --- a/charts/timesketch/templates/configmap.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- $userconfigs := .Files.Glob .Values.config.override }} -{{- if $userconfigs }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "timesketch.fullname" . }}-configmap - namespace: {{ .Release.Namespace | quote }} - labels: - {{- include "timesketch.labels" . | nindent 4 }} -data: -{{ ($userconfigs).AsConfig | indent 2 }} -{{- end }} \ No newline at end of file diff --git a/charts/timesketch/templates/ingress.yaml b/charts/timesketch/templates/ingress.yaml index 260c31d7..1088ecdd 100644 --- a/charts/timesketch/templates/ingress.yaml +++ b/charts/timesketch/templates/ingress.yaml 
@@ -8,19 +8,19 @@ metadata: {{- include "timesketch.labels" . | nindent 4 }} annotations: kubernetes.io/ingressClassName: {{ .Values.ingress.className }} - {{- if .Values.ingress.gcp.managedCertificates }} - networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl - {{- end }} {{- if .Values.ingress.certManager }} kubernetes.io/tls-acme: "true" cert-manager.io/issuer: {{ include "timesketch.fullname" . }}-letsencrypt-production {{- end }} + # GKE specific annotations {{- if (eq .Values.ingress.className "gce") }} {{- if .Values.ingress.gcp.staticIPName }} kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPName }} networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config - {{- else }} - {{- fail "A valied .Values.ingress.gcp.staticIPName entry is required when using the GCE Ingress" }} + {{- end }} + {{- if .Values.ingress.gcp.managedCertificates }} + networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl + networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config {{- end }} {{- end }} spec: @@ -31,7 +31,7 @@ spec: secretName: {{ include "timesketch.fullname" . }}-tls {{- end }} rules: - - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }} + - host: {{ .Values.ingress.host }} http: paths: - path: / 
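Review bot: When both `ingress.gcp.staticIPName` and `ingress.gcp.managedCertificates` are set, the `gce` block now emits `networking.gke.io/v1beta1.FrontendConfig` twice in the same annotations map, which most YAML decoders, including the one Helm uses when submitting manifests, reject as a duplicate key. The IPv6 Ingress in the later hunk of this file attaches the FrontendConfig only under `managedCertificates`, so the two objects also diverge for the static-IP-only case. Emit it once per Ingress, directly after the `(eq .Values.ingress.className "gce")` check: `networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config`, and keep the two inner `if` blocks for their own annotations. Whether the FrontendConfig object itself is rendered whenever the class is `gce` is outside this diff and worth confirming.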
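Review bot: Dropping `required` means the new default `ingress.host: ""` renders `- host:` with no value, and an Ingress rule without a host matches every Host header the load balancer receives, so enabling the Ingress without setting a host yields a catch-all exposure instead of an install-time error; the same applies to the IPv6 rule in the later hunk of this file, and the values.yaml hunk also drops the sentence telling users to set `ingress.host`. Managed or cert-manager certificates additionally need a concrete hostname, so the empty value cannot produce a working TLS setup. Either keep the guard, `- host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }}`, or render the host line only under `{{- with .Values.ingress.host }}` and document the wildcard behaviour.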
@@ -58,19 +58,18 @@ metadata: {{- include "timesketch.labels" . | nindent 4 }} annotations: kubernetes.io/ingressClassName: {{ .Values.ingress.className }} - {{- if .Values.ingress.gcp.managedCertificates }} - networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl - {{- end }} {{- if .Values.ingress.certManager }} kubernetes.io/tls-acme: "true" cert-manager.io/issuer: {{ include "timesketch.fullname" . }}-letsencrypt-production {{- end }} + # GKE specific annotations {{- if (eq .Values.ingress.className "gce") }} {{- if .Values.ingress.gcp.staticIPV6Name }} kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPV6Name }} + {{- end }} + {{- if .Values.ingress.gcp.managedCertificates }} + networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config - {{- else }} - {{- fail "A valied .Values.ingress.gcp.staticIPV6Name entry is required when using the GCE Ingress" }} {{- end }} {{- end }} spec: @@ -81,7 +80,7 @@ spec: secretName: {{ include "timesketch.fullname" . }}-tls {{- end }} rules: - - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }} + - host: {{ .Values.ingress.host }} http: paths: - path: / diff --git a/charts/timesketch/templates/serviceaccount.yaml b/charts/timesketch/templates/serviceaccount.yaml index 64a09475..2adcb074 100644 --- a/charts/timesketch/templates/serviceaccount.yaml +++ b/charts/timesketch/templates/serviceaccount.yaml @@ -9,4 +9,5 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} +automountServiceAccountToken: false {{- end }} diff --git a/charts/timesketch/templates/web-deployment.yaml b/charts/timesketch/templates/web-deployment.yaml index 73a4a4c9..dc9af9f2 100644 --- a/charts/timesketch/templates/web-deployment.yaml +++ b/charts/timesketch/templates/web-deployment.yaml 
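Review bot: `automountServiceAccountToken: false` on the ServiceAccount is a good default, but it only takes effect when the pod spec leaves the field unset, and only for the SA this template creates; a user with `serviceAccount.create=false` and an existing SA keeps the token mount. Setting `automountServiceAccountToken: false` under the pod `spec:` of the web and worker Deployments as well would make the hardening independent of which SA is used, provided nothing in the containers calls the Kubernetes API, which I cannot confirm from this diff. The enclosing `if` for this template starts outside the hunk.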
@@ -15,8 +15,8 @@ spec: template: metadata: annotations: - # Have Deployment restart after each upgrade - roll: {{ randAlphaNum 5 | quote }} + # Restart pod if values.yaml parameters that affect the config were changed + checksum/config: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} {{- if .Values.metrics.enabled }} prometheus.io/port: {{ .Values.metrics.port | quote }} prometheus.io/scrape: "true" @@ -83,10 +83,11 @@ spec: defaultMode: 0744 - name: timesketch-configs emptyDir: {} + {{- if .Values.config.existingConfigMap }} - name: uploaded-configs configMap: - name: {{ include "timesketch.configmap" . }} - optional: true + name: {{ .Values.config.existingConfigMap }} + {{- end }} {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }} - name: authenticated-emails secret: diff --git a/charts/timesketch/templates/worker-deployment.yaml b/charts/timesketch/templates/worker-deployment.yaml index ad7b568a..18180040 100644 --- a/charts/timesketch/templates/worker-deployment.yaml +++ b/charts/timesketch/templates/worker-deployment.yaml @@ -15,8 +15,8 @@ spec: template: metadata: annotations: - # Have Deployment restart after each upgrade - roll: {{ randAlphaNum 5 | quote }} + # Restart pod if values.yaml parameters that affect the config were changed + checksum/config: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} {{- if .Values.metrics.enabled }} prometheus.io/port: {{ .Values.metrics.port | quote }} prometheus.io/scrape: "true" @@ -72,10 +72,11 @@ spec: defaultMode: 0744 - name: timesketch-configs emptyDir: {} + {{- if .Values.config.existingConfigMap }} - name: uploaded-configs configMap: - name: {{ include "timesketch.configmap" . }} - optional: true + name: {{ .Values.config.existingConfigMap }} + {{- end }} {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }} - name: authenticated-emails secret: 
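Review bot: The `checksum/config` annotation hashes only the rendered `init-configmap.yaml`, so when `config.existingConfigMap` is set an updated external ConfigMap does not roll the pods and the `kubectl rollout restart` step the README describes remains necessary; the comment should say so instead of describing it as any values.yaml change. Suggested wording, here and in the identical worker-deployment hunk: `# Roll pods when the chart-rendered init ConfigMap changes; an externally managed config.existingConfigMap needs a manual rollout restart`. `init-configmap.yaml` is not part of this diff, so its existence is assumed.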
diff --git a/charts/timesketch/values-production.yaml b/charts/timesketch/values-production.yaml deleted file mode 100644 index a041a8ce..00000000 --- a/charts/timesketch/values-production.yaml +++ /dev/null 
@@ -1,280 +0,0 @@ -## Timesketch Helm Production Values -## Please use these values to override the default Timesketch values with recommended resources and replica counts for production installations -## -## @section Timesketch Frontend Configuration -## -frontend: - ## @param frontend.podSecurityContext Holds pod-level security attributes and common frontend container settings - ## Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext - ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core - ## e.g. - ## fsgroup: 2000 - ## - podSecurityContext: {} - ## @param frontend.securityContext Holds security configuration that will be applied to the frontend container - ## Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence - ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#securitycontext-v1-core - ## e.g. 
- ## capabilities - ## drop: - ## - ALL - ## readOnlyRootFilesystem: true - ## runAsNonRoot: true - ## runAsUser: 1000 - ## - securityContext: {} - ## Frontend resource requests and limits - ## @param frontend.resources.requests.cpu Requested cpu for the frontend container - ## @param frontend.resources.requests.memory Requested memory for the frontend container - ## @param frontend.resources.limits.cpu Resource cpu limits for the frontend container - ## @param frontend.resources.limits.memory Resource memory limits for the frontend container - ## - resources: - requests: - cpu: 2000m - memory: 4000Mi - limits: - cpu: 8000m - memory: 16000Mi - ## @param frontend.nodeSelector Node labels for Timesketch frontend pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param frontend.tolerations Tolerations for Timesketch frontend pods assignment - ## ref https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - ## - tolerations: [] - ## @param frontend.affinity Affinity for Timesketch frontend pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} -## @section Timesketch Worker Configuration -## -worker: - ## @param worker.podSecurityContext Holds pod-level security attributes and common worker container settings - ## Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext - ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core - ## e.g. - ## fsgroup: 2000 - ## - podSecurityContext: {} - ## @param worker.securityContext Holds security configuration that will be applied to the worker container - ## Some fields are present in both SecurityContext and PodSecurityContext. 
When both are set, the values in SecurityContext take precedence - ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#securitycontext-v1-core - ## e.g. - ## capabilities - ## drop: - ## - ALL - ## readOnlyRootFilesystem: true - ## runAsNonRoot: true - ## runAsUser: 1000 - ## - securityContext: {} - ## Worker resource requests and limits - ## @param worker.resources.requests.cpu Requested cpu for the worker container - ## @param worker.resources.requests.memory Requested memory for the worker container - ## @param worker.resources.limits.cpu Resource cpu limits for the worker container - ## @param worker.resources.limits.memory Resource memory limits for the worker container - ## - resources: - requests: - cpu: 2000m - memory: 4000Mi - limits: - cpu: 8000m - memory: 16000Mi - ## @param worker.nodeSelector Node labels for Timesketch worker pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param worker.tolerations Tolerations for Timesketch worker pods assignment - ## ref https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - ## - tolerations: [] - ## @param worker.affinity Affinity for Timesketch worker pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} -## Persistence Storage Parameters -## -persistence: - ## @param persistence.name Timesketch persistent volume name - ## - name: timesketchvolume - ## @param persistence.size Timesketch persistent volume size - ## - size: 1T - ## @param persistence.storageClass PVC Storage Class for Timesketch volume - ## If default, storageClassName: , which enables GCP Filestore - ## when using the Filestore CSI Driver - ## ref https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/filestore-csi-driver#access - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined or set to null, 
no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## ref https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/#using-dynamic-provisioning - ## - storageClass: standard-rwx - ## @param persistence.accessModes PVC Access Mode for Timesketch volume - ## Access mode may need to be updated based on the StorageClass - ## ref https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes - ## - accessModes: - - ReadWriteMany -## @section Third Party Configuration -## This section contains all the main configuration for third party dependencies -## Timesketch requires to run -## -## @section Opensearch Configuration Parameters -## IMPORTANT: The Opensearch Security Plugin / TLS has not yet been configured by default -## ref on steps required https://opensearch.org/docs/1.1/security-plugin/configuration/index/ -## To see a full list of available values, run helm show values charts/opensearch* -## -opensearch: - ## @param opensearch.enabled Enables the Opensearch deployment - ## - enabled: true - ## @param opensearch.replicas Number of Opensearch instances to deploy - ## - replicas: 3 - ## @param opensearch.sysctlInit.enabled Sets optimal sysctl's through privileged initContainer - ## - sysctlInit: - enabled: true - ## @param opensearch.opensearchJavaOpts Sets the size of the Opensearch Java heap - ## It is recommended to use at least half the system's available ram - ## - opensearchJavaOpts: "-Xms64g -Xmx64g" - ## @param opensearch.httpPort Opensearch service port - ## - httpPort: 9200 - ## Opensearch persistence configuration - ## - persistence: - ## @param opensearch.persistence.size Opensearch Persistent Volume size. 
A persistent volume would be created for each Opensearch replica running - ## - size: 1Ti - ## Opensearch resource requests - ## @param opensearch.resources.requests.cpu Requested cpu for the Opensearch containers - ## @param opensearch.resources.requests.memory Requested memory for the Opensearch containers - ## - resources: - requests: - cpu: 8000m - memory: 32Gi - ## @param opensearch.nodeSelector Node labels for Opensearch pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} -## @section Redis Configuration Parameters -## IMPORTANT: Redis is deployed with Auth enabled by default -## To see a full list of available values, run helm show values charts/redis* -## -redis: - ## @param redis.enabled Enables the Redis deployment - ## - enabled: true - ## @param redis.sentinel.enabled Enables Redis Sentinel on Redis pods - ## IMPORTANT: This has not been tested for Timesketch so would leave this disabled - ## - sentinel: - enabled: false - ## Master Redis Service configuration - ## - master: - ## @param redis.master.count Number of Redis master instances to deploy (experimental, requires additional configuration) - ## - count: 1 - ## Redis master persistence configuration - ## - persistence: - ## @param redis.master.persistence.size Redis master Persistent Volume size - ## - size: 500Gi - ## Redis master resource requests and limits - ## @param redis.master.resources.requests.cpu Requested cpu for the Redis master containers - ## @param redis.master.resources.requests.memory Requested memory for the Redis master containers - ## @param redis.master.resources.limits.cpu Resource cpu limits for the Redis master containers - ## @param redis.master.resources.limits.memory Resource memory limits for the Redis master containers - ## - resources: - requests: - cpu: 4000m - memory: 8Gi - limits: - cpu: 8000m - memory: 16Gi - ## Redis replicas configuration parameters - ## - replica: - ## @param redis.replica.replicaCount Number 
of Redis replicas to deploy - ## - replicaCount: 3 - ## Redis replicas persistence configuration - ## - persistence: - ## @param redis.replica.persistence.size Redis replica Persistent Volume size - ## - size: 500Gi - ## Redis Replica resource requests and limits - ## @param redis.replica.resources.requests.cpu Requested cpu for the Redis replica containers - ## @param redis.replica.resources.requests.memory Requested memory for the Redis replica containers - ## @param redis.replica.resources.limits.cpu Resource cpu limits for the Redis replica containers - ## @param redis.replica.resources.limits.memory Resource memory limits for the Redis replica containers - ## - resources: - requests: - cpu: 4000m - memory: 8Gi - limits: - cpu: 8000m - memory: 16Gi -## @section Postgresql Configuration Parameters -## IMPORTANT: Postgresql is deployed with Auth enabled by default -## To see a full list of available values, run helm show values charts/postgresql* -## -postgresql: - ## @param postgresql.enabled Enables the Postgresql deployment - ## - enabled: true - ## PostgreSQL Primary configuration parameters - ## - primary: - ## PostgreSQL Primary persistence configuration - ## - persistence: - ## @param postgresql.primary.persistence.size PostgreSQL Persistent Volume size - ## - size: 500Gi - ## PostgreSQL Primary resource requests and limits - ## @param postgresql.primary.resources.requests.cpu Requested cpu for the PostgreSQL Primary containers - ## @param postgresql.primary.resources.requests.memory Requested memory for the PostgreSQL Primary containers - ## @param postgresql.primary.resources.limits Resource limits for the PostgreSQL Primary containers - ## - resources: - requests: - cpu: 250m - memory: 256Mi - limits: {} - ## PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) - ## - readReplicas: - ## @param postgresql.readReplicas.replicaCount Number of PostgreSQL read only replicas - ## - replicaCount: 1 - ## PostgreSQL 
Persistent Storage configuration - ## - persistence: - ## @param postgresql.readReplicas.persistence.size PostgreSQL Persistent Volume size - ## - size: 500Gi - ## PostgreSQL read only resource requests and limits - ## @param postgresql.readReplicas.resources.requests.cpu Requested cpu for the PostgreSQL read only containers - ## @param postgresql.readReplicas.resources.requests.memory Requested memory for the PostgreSQL read only containers - ## @param postgresql.readReplicas.resources.limits Resource limits for the PostgreSQL read only containers - ## - resources: - requests: - cpu: 250m - memory: 256Mi - limits: {} \ No newline at end of file diff --git a/charts/timesketch/values.yaml b/charts/timesketch/values.yaml index ba8f5a8d..059239d8 100644 --- a/charts/timesketch/values.yaml +++ b/charts/timesketch/values.yaml @@ -64,12 +64,6 @@ image: ## ref: https://github.com/google/timesketch/blob/master/data/timesketch.conf ## config: - ## @param config.override Overrides the default Timesketch configs to instead use a user specified directory if present on the root directory of the Helm chart - ## to retrieve the config files from. Please ensure the appropriate configs are in the directory else Timesketch - ## may not run properly. To see which config files are required, review the tools/download-timesketch-configs.sh - ## script packaged along with this Helm chart. - ## - override: configs/* ## @param config.existingConfigMap Use an existing ConfigMap as the default Timesketch config. ## Please ensure that the ConfigMap has been created prior to deployment ## (e.g. kubectl create configmap timesketch-configs --from-file=timesketch-configs/) @@ -279,7 +273,7 @@ serviceAccount: ## @param serviceAccount.name The name of the service account to use ## If not set and create is true, a name is generated using the fullname template ## - name: "timesketch" + name: "" ## Service Parameters ## service: 
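Review bot: With the default changed to `""`, the retained comment `If not set and create is true, a name is generated using the fullname template` no longer describes what `timesketch.serviceAccountName` does in this patch: it renders `<release-name>-timesketch` whenever `name` is empty, regardless of `create`, and no longer uses the fullname template. Replace it with `## If not set, <release-name>-timesketch is used; with create=false that ServiceAccount must already exist`.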
@@ -330,15 +324,14 @@ ingress: ## enabled: false ## @param ingress.host Domain name Timesketch will be hosted under - ## Please ensure this value is set when enabling Ingress. If using "gce" for - ## ingress.className, please ensure you have a DNS record set for the IP address - ## registered under ingress.gcp.staticIPName + ## Please ensure you have a DNS record set for the IP address registered under + ## ingress.gcp.staticIPName ## host: "" ## @param ingress.className IngressClass that will be be used to implement the Ingress ## ref https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/ ## - className: "gce" + className: "" ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm ## selfSigned: false @@ -352,11 +345,11 @@ ingress: ## ref https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs ## managedCertificates: false - ## @param ingress.gcp.staticIPName Name of the static IP address you reserved in GCP. Required when using "gce" in ingress.className + ## @param ingress.gcp.staticIPName Name of the static IP address you reserved in GCP. ## ref https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address ## staticIPName: "" - ## @param ingress.gcp.staticIPV6Name Name of the static IPV6 address you reserved in GCP. This can be optionally provided to deploy a loadbalancer with an IPV6 address + ## @param ingress.gcp.staticIPV6Name Name of the static IPV6 address you reserved. This can be optionally provided to deploy a loadbalancer with an IPV6 address in GCP. ## ref https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address ## staticIPV6Name: ""
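Review bot: With `ingress.className` now defaulting to `""`, the unchanged `kubernetes.io/ingressClassName: {{ .Values.ingress.className }}` line in ingress.yaml renders with no value, which YAML reads as null rather than an empty string and the API server is likely to reject for an annotation, so `ingress.enabled=true` without a class fails at install. Quote it (`{{ .Values.ingress.className | quote }}`) or, better, set the standard `spec.ingressClassName` field under `{{- with .Values.ingress.className }}`, since `kubernetes.io/ingressClassName` is not an annotation controllers read (the legacy one is `kubernetes.io/ingress.class`). The README hunk that adds `--set ingress.className="gce"` still passes `-f values-production.yaml`, a file this patch deletes.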