config rework for elasticsearch upgrade (#1916)

* initial config rework for elasticsearch upgrade * update roles for elasticsearch * remove unused configs * fix pre-commit * add ingress annotation to allow kibana csp rules * Update charts/elasticsearch/templates/_helpers.tpl Co-authored-by: Daniel Hoherd <daniel.hoherd@gmail.com> * add default roles validation test * updated elastic test cases * update elastic images * update scan image --------- Co-authored-by: Daniel Hoherd <daniel.hoherd@gmail.com>
astronomer · Sep 5, 2023 · 7b87531 · 7b87531
1 parent 9cb9b85
commit 7b87531
Show file tree

Hide file tree

Showing 10 changed files with 138 additions and 12 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -343,16 +343,16 @@ workflows:
                 - quay.io/astronomer/ap-cli-install:0.26.17
                 - quay.io/astronomer/ap-commander:0.30.10
                 - quay.io/astronomer/ap-configmap-reloader:0.8.0
-                - quay.io/astronomer/ap-curator:7.0.0-6
+                - quay.io/astronomer/ap-curator:8.0.4
                 - quay.io/astronomer/ap-db-bootstrapper:0.31.4
                 - quay.io/astronomer/ap-default-backend:0.28.18
                 - quay.io/astronomer/ap-elasticsearch-exporter:1.5.0
-                - quay.io/astronomer/ap-elasticsearch:7.17.10
+                - quay.io/astronomer/ap-elasticsearch:8.8.1
                 - quay.io/astronomer/ap-fluentd:1.16.1-1
                 - quay.io/astronomer/ap-grafana:8.5.24
                 - quay.io/astronomer/ap-houston-api:0.30.37
                 - quay.io/astronomer/ap-init:3.18.0
-                - quay.io/astronomer/ap-kibana:7.17.10
+                - quay.io/astronomer/ap-kibana:8.8.1
                 - quay.io/astronomer/ap-kube-state:2.8.2
                 - quay.io/astronomer/ap-nats-exporter:0.10.0-6
                 - quay.io/astronomer/ap-nats-server:2.8.4-4

diff --git a/charts/elasticsearch/templates/_helpers.tpl b/charts/elasticsearch/templates/_helpers.tpl
@@ -136,3 +136,20 @@ imagePullSecrets:
   - name: {{ .Values.global.privateRegistry.secretName }}
 {{- end -}}
 {{- end -}}
+{{- define "elasticsearch.master.roles" -}}
+{{- range $.Values.master.roles -}}
+{{ . }},
+{{- end -}}
+{{- end -}}
+
+{{- define "elasticsearch.data.roles" -}}
+{{- range $.Values.data.roles -}}
+{{ . }},
+{{- end -}}
+{{- end -}}
+
+{{- define "elasticsearch.client.roles" -}}
+{{- range $.Values.client.roles -}}
+{{ . }},
+{{- end -}}
+{{- end -}}
diff --git a/charts/elasticsearch/templates/client/es-client-deployment.yaml b/charts/elasticsearch/templates/client/es-client-deployment.yaml
@@ -112,6 +112,8 @@ spec:
         - name: {{ $key | upper | replace "-" "_" }}
           value: {{ $value | quote }}
         {{- end }}
+        - name: node.roles
+          value: "{{ template "elasticsearch.client.roles" . }}"
         resources:
 {{ toYaml .Values.client.resources | indent 10 }}
         ports:

diff --git a/charts/elasticsearch/templates/data/es-data-statefulset.yaml b/charts/elasticsearch/templates/data/es-data-statefulset.yaml
@@ -110,6 +110,8 @@ spec:
         - name: {{ $key | upper | replace "-" "_" }}
           value: {{ $value | quote }}
         {{- end }}
+        - name: node.roles
+          value: "{{ template "elasticsearch.data.roles" . }}"
         resources:
 {{ toYaml .Values.data.resources | indent 10 }}
         ports:

diff --git a/charts/elasticsearch/templates/es-configmap.yaml b/charts/elasticsearch/templates/es-configmap.yaml
@@ -19,11 +19,6 @@ data:
         - {{ $releaseName }}-elasticsearch-master-{{ $i }}
         {{- end }}
     node:
-      master: ${NODE_MASTER}
-      name: ${NODE_NAME}
-      data: ${NODE_DATA}
-      ingest: ${NODE_INGEST}
-      max_local_storage_nodes: ${MAX_LOCAL_STORAGE_NODES}
       processors: ${PROCESSORS:1}
 
     network.host: 0.0.0.0
@@ -35,7 +30,7 @@ data:
       compression: true
       cors:
         enabled: ${HTTP_CORS_ENABLE}
-        allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}
+        allow-origin: "${HTTP_CORS_ALLOW_ORIGIN}"
 
 
     # disable xpack security by default
@@ -54,7 +49,12 @@ data:
         - {{ template "elasticsearch.fullname" . }}-headless-discovery
 
     # Disable scripting for security.
+    {{ if semverCompare "<8" .Values.images.es.tag -}}
     script.allowed_types: none
+    {{- else -}}
+    script.allowed_types: inline
+    {{- end }}
+
 
     # Prevent a user from overriding an index in the body of a request.
     # We force the index pattern at the NGINX layer, and this prevents anybody

diff --git a/charts/elasticsearch/templates/master/es-master-statefulset.yaml b/charts/elasticsearch/templates/master/es-master-statefulset.yaml
@@ -109,6 +109,8 @@ spec:
         - name: {{ $key | upper | replace "-" "_" }}
           value: {{ $value | quote }}
         {{- end }}
+        - name: node.roles
+          value: "{{ template "elasticsearch.master.roles" . }}"
         resources:
 {{ toYaml .Values.master.resources | indent 10 }}
         ports:

diff --git a/charts/elasticsearch/values.yaml b/charts/elasticsearch/values.yaml
@@ -10,15 +10,15 @@ tolerations: []
 images:
   es:
     repository: quay.io/astronomer/ap-elasticsearch
-    tag: 7.17.10
+    tag: 8.8.1
     pullPolicy: IfNotPresent
   init:
     repository: quay.io/astronomer/ap-base # needs root permissions for sysctl changes
     tag: 3.18.0-1
     pullPolicy: IfNotPresent
   curator:
     repository: quay.io/astronomer/ap-curator
-    tag: 7.0.0-6
+    tag: 8.0.4
     pullPolicy: IfNotPresent
   exporter:
     repository: quay.io/astronomer/ap-elasticsearch-exporter
@@ -87,6 +87,11 @@ client:
     NODE_INGEST: "true"
     HTTP_ENABLE: "true"
 
+  roles:
+    - ingest
+    - ml
+    - remote_cluster_client
+
 # Data nodes hold the shards that contain the documents you have indexed. Data
 # nodes handle data related operations like CRUD, search, and aggregations.
 # These operations are I/O-, memory-, and CPU-intensive. It is important to
@@ -115,6 +120,17 @@ data:
     NODE_INGEST: "false"
     HTTP_ENABLE: "false"
 
+  roles:
+    - data
+    - data_cold
+    - data_content
+    - data_frozen
+    - data_hot
+    - data_warm
+    - ml
+    - remote_cluster_client
+    - transform
+
   # Determines the properties of the persistent volume claim associated with a
   # data node StatefulSet that is created when the common.persistence.enabled
   # attribute is true.
@@ -148,6 +164,11 @@ master:
     NODE_INGEST: "false"
     HTTP_ENABLE: "false"
 
+  roles:
+    - master
+    - ml
+    - remote_cluster_client
+
   # Determines the properties of the persistent volume claim associated with a
   # data node StatefulSet that is created when the common.stateful.enabled
   # attribute is true.

diff --git a/charts/kibana/templates/ingress.yaml b/charts/kibana/templates/ingress.yaml
@@ -21,6 +21,8 @@ metadata:
     nginx.ingress.kubernetes.io/auth-url: https://houston.{{ .Values.global.baseDomain }}/v1/authorization
     nginx.ingress.kubernetes.io/auth-signin: https://app.{{ .Values.global.baseDomain }}/login
     nginx.ingress.kubernetes.io/auth-response-headers: authorization, username, email
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "Content-Security-Policy: script-src 'self'";
     {{- end }}
 spec:
   {{- if or .Values.global.tlsSecret .Values.global.acme }}

diff --git a/charts/kibana/values.yaml b/charts/kibana/values.yaml
@@ -5,7 +5,7 @@ tolerations: []
 images:
   kibana:
     repository: quay.io/astronomer/ap-kibana
-    tag: 7.17.10
+    tag: 8.8.1
     pullPolicy: IfNotPresent
 
 clusterName: "astronomer"

diff --git a/tests/chart_tests/test_elasticsearch.py b/tests/chart_tests/test_elasticsearch.py
@@ -274,3 +274,83 @@ def test_elasticsearch_exporter_securitycontext_overrides(self, kube_version):
         pod_data = doc["spec"]["template"]["spec"]
         assert pod_data["securityContext"]["runAsNonRoot"] is True
         assert pod_data["securityContext"]["runAsUser"] == 2000
+
+    def test_elasticsearch_role_defaults(self, kube_version):
+        """Test ElasticSearch master, data and client with default roles"""
+        docs = render_chart(
+            kube_version=kube_version,
+            values={},
+            show_only=[
+                "charts/elasticsearch/templates/master/es-master-statefulset.yaml",
+                "charts/elasticsearch/templates/data/es-data-statefulset.yaml",
+                "charts/elasticsearch/templates/client/es-client-deployment.yaml",
+            ],
+        )
+        assert len(docs) == 3
+        node_master_roles_env = {
+            "name": "node.roles",
+            "value": "master,ml,remote_cluster_client,",
+        }
+        assert (
+            node_master_roles_env
+            in docs[0]["spec"]["template"]["spec"]["containers"][0]["env"]
+        )
+        node_data_roles_env = {
+            "name": "node.roles",
+            "value": "data,data_cold,data_content,data_frozen,data_hot,data_warm,ml,remote_cluster_client,transform,",
+        }
+        assert (
+            node_data_roles_env
+            in docs[1]["spec"]["template"]["spec"]["containers"][0]["env"]
+        )
+        node_client_roles_env = {
+            "name": "node.roles",
+            "value": "ingest,ml,remote_cluster_client,",
+        }
+        assert (
+            node_client_roles_env
+            in docs[2]["spec"]["template"]["spec"]["containers"][0]["env"]
+        )
+
+    def test_elasticsearch_role_overrides(self, kube_version):
+        """Test ElasticSearch master, data and client with custom roles"""
+        docs = render_chart(
+            kube_version=kube_version,
+            values={
+                "elasticsearch": {
+                    "master": {"roles": ["master"]},
+                    "data": {"roles": ["data"]},
+                    "client": {"roles": ["ingest"]},
+                }
+            },
+            show_only=[
+                "charts/elasticsearch/templates/master/es-master-statefulset.yaml",
+                "charts/elasticsearch/templates/data/es-data-statefulset.yaml",
+                "charts/elasticsearch/templates/client/es-client-deployment.yaml",
+            ],
+        )
+        assert len(docs) == 3
+        node_master_roles_env = {
+            "name": "node.roles",
+            "value": "master,",
+        }
+        assert (
+            node_master_roles_env
+            in docs[0]["spec"]["template"]["spec"]["containers"][0]["env"]
+        )
+        node_data_roles_env = {
+            "name": "node.roles",
+            "value": "data,",
+        }
+        assert (
+            node_data_roles_env
+            in docs[1]["spec"]["template"]["spec"]["containers"][0]["env"]
+        )
+        node_client_roles_env = {
+            "name": "node.roles",
+            "value": "ingest,",
+        }
+        assert (
+            node_client_roles_env
+            in docs[2]["spec"]["template"]["spec"]["containers"][0]["env"]
+        )