Add fluentd support

[zhu733756]

Signed-off-by: zhu733756 zhu733756@kubesphere.io

This pr add Fluentd-operator to implement the former proposal #138.

Backgrouds

See the former proposal mentioned in #138.

This proposal brought the basic concept to answer how to add fluentd-operator as a forward log layer to collect logs from fluentbit or other apps.

See below：

During the log Aggregation & Forwarding Phase, the Fluentd Operator defines five custom resources using CustomResourceDefinition (CRD):

• Fluentd: Defines Fluentd instances and its associated config.
  • defines common properties like pvc, replicas, resources, etc.
  • select FluentdClusterConfig/FluentdConfig CRDs to bind with this instance.
• FluentdClusterConfig:
  • Support for multiple namespaces isolation and cloud native selectors.
  • Integrate the logic of input and filter sections.
  • Select any cluster/namespaced scope output crds.
• FluentdConfig:
  • Support for single namespace isolation and cloud native selectors in this namespace.
  • Integrate the logic of input and filter sections
  • Select any cluster/namespaced scope output crds, the output log should be from this namespace.
• ClusterFilter: Global filters for fluentd.
• Filter: Namespaced filters for fluentd.
• ClusterOutput: Defines an output section without namespace restriction.
• Output: Defines an output section with a specified namespace.

But we made some changes during actual development.

Namespaced fluentdconfig CR can select the namespaced CRs and the cluster CRs. Cluster fluentdconfig CR only selects clusterfilters or clusteroutputs.

Besides, you will see inputs sections combined into the fluentd CR named as globalInputs. Since the globalInputs is manily used for collecting the logs from fluentbit through forward plugin or other apps through http plugin. And we will dynamically
add the related service ports(forward/http, see demo below) according to this configuration.

Now two reconcilers are brought to finish this work.

Fluentd reconciler watches the related resources like statefulset/secrect/service/buffer PVC etc, it setups fluentd instances once a secret is generated by FluendConfig reconciler. FluendConfig reconciler watches the created fluentd CRs, picks out the fluentdCfgSelector to select the related resources, and combines to a configuration that would be mounted as a secret for this fluentd.

Another useful idea activated by the former work is that we support a hot config reloader for fluentbit-operator. So if the related CRs changed, the fluentd-watcher agent will gracefully reload the fluentd instance.

That's the whole change, the other idea is welcome and if I lost the ideas from the proposal, pls remind me.

The practice part

Since the output plugins are huge, I will use es for example to test the whole logic. And for the input layer, I directly use the forward from fluentbit to test the workflow.

1 Setup elasticsearch cluster

If you use Kubesphere Container platform, you can install it through ks-installer.

2 Setup fluent operator

$ kubectl apply -f manifests/setup/setup.yaml
---
$ kubectl -n kubesphere-logging-system get po
NAME                                  READY   STATUS    RESTARTS   AGE
elasticsearch-logging-data-0                                      1/1     Running     1          13d
elasticsearch-logging-discovery-0                                 1/1     Running     1          13d
fluent-bit-6wrv7                                                  1/1     Running     0          69m
fluentd-forward-85f6bcb488-7rhrq                                  1/1     Running     0          80m
fluent-operator-6f959849c7-fq2lp     1/1     Running   0          16

3 Setup fluentbit logging-stack, deleting the fluentbit output plugin

$ vim manifests/logging-stack/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- fluentbit-fluentBit.yaml
- fluentbitconfig-fluentBitConfig.yaml
- input-tail.yaml
- input-systemd-docker.yaml
- input-systemd-kubelet.yaml
- filter-kubernetes.yaml
- filter-systemd.yaml
# - output-elasticsearch.yaml
# - output-forward.yaml
# - output-kafka.yaml
- filter-containerd.yaml
- fluentbit-containerd-config.yaml
- systemd-lua-config.yaml
---
$ kubectl apply -k manifests/logging-stack

4 Test the forward demo

Namespaced fluentdconfig example see follows, it only collects the namespaced logs.

apiVersion: fluentd.fluent.io/v1alpha1
kind: Fluentd
metadata:
  name: fluentd-forward
  namespace: kubesphere-logging-system
  labels:
    app.kubernetes.io/name: fluentd
spec:
  globalInputs:
    - forward: 
        bind: 0.0.0.0
        port: 24224
  replicas: 1
  image: zhu733756/fluentd:config-reloader 
  fluentdCfgSelector: 
    matchLabels:
      config.fluentd.fluent.io/enabled: "true"
   
---
apiVersion: fluentd.fluent.io/v1alpha1
kind: FluentdConfig
metadata:
  name: fluentd-config
  namespace: kubesphere-logging-system
  labels:
    config.fluentd.fluent.io/enabled: "true"
spec:
  outputSelector:
    matchLabels:
      output.fluentd.fluent.io/enabled: "true"

---
apiVersion: fluentd.fluent.io/v1alpha1
kind: Output
metadata:
  name: fluentd-stdout
  namespace: kubesphere-logging-system
  labels:
    output.fluentd.fluent.io/enabled: "true"
spec: 
  outputs: 
    - elasticsearch:
        host: elasticsearch-logging-data.kubesphere-logging-system.svc
        port: 9200
        logstashFormat: true
        logstashPrefix: ks-logstash-log

CluserFluentdConfig exmaple see follows, it collects logs from the watched namespaces.

apiVersion: fluentd.fluent.io/v1alpha1
kind: Fluentd
metadata:
  name: fluentd-forward
  namespace: kubesphere-logging-system
  labels:
    app.kubernetes.io/name: fluentd
spec:
  globalInputs:
    - forward: 
        bind: 0.0.0.0
        port: 24224
  replicas: 1
  image: zhu733756/fluentd:config-reloader
  fluentdCfgSelector: 
    matchLabels:
      config.fluentd.fluent.io/enabled: "true"
   
---
apiVersion: fluentd.fluent.io/v1alpha1
kind: ClusterFluentdConfig
metadata:
  name: fluentd-config
  labels:
    config.fluentd.fluent.io/enabled: "true"
spec:
  watchedNamespaces: 
      - kube-system
      - kubesphere-logging-system # will collect logs from these namespaces.
  outputSelector:
    matchLabels:
      output.fluentd.fluent.io/enabled: "true"

---
apiVersion: fluentd.fluent.io/v1alpha1
kind: ClusterOutput
metadata:
  name: fluentd-stdout
  labels:
    output.fluentd.fluent.io/enabled: "true"
spec: 
  outputs: 
    -  elasticsearch:
        host: elasticsearch-logging-data.kubesphere-logging-system.svc
        port: 9200
        logstashFormat: true
        logstashPrefix: ks-logstash-log

I will use the cluster scope CRs to test it. Manifests located at manifests/forward.

kubectl apply -f manifests/forward/fluentd-cluster-cfg-output-es.yaml

After a while, a default buffer pvc(1G) bound to this statefulset, and a service named fluentd-forward created. You may disable pvc/service, change the volume type according the definition in fluentd CR.

$ kubectl -n kubesphere-logging-system get po 
NAME                                  READY   STATUS    RESTARTS   AGE
elasticsearch-logging-data-0                                      1/1     Running     1          13d
elasticsearch-logging-discovery-0                                 1/1     Running     1          13d
fluent-bit-6wrv7                                                  1/1     Running     0          72m
fluentd-forward-0                                1/1     Running     0          83m
fluent-operator-6f959849c7-fq2lp     1/1     Running   0          8m3s
$ kubectl -n kubesphere-logging-system get pvc
NAME                                     STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
data-elasticsearch-logging-data-0        Bound    pvc-48f6bdfa-bed0-448e-88be-cd284a113529   8Gi        RWO            standard       78m
data-elasticsearch-logging-discovery-0   Bound    pvc-b2f89a45-f94a-4b49-93f6-f48fc0c17645   4Gi        RWO            standard       78m
fluentd-forward-buffer-pvc-fluentd-forward-0   Bound    pvc-059e0c27-c009-4caf-a160-06c6ab0ce32c   1Gi        RWO            standard       22h
$ kubectl -n kubesphere-logging-system get svc
NAME                              TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)     AGE
elasticsearch-logging-data        ClusterIP   10.96.98.206   <none>        9200/TCP    80m
elasticsearch-logging-discovery   ClusterIP   None           <none>        9300/TCP    80m
fluentd-forward                   ClusterIP   10.96.244.52   <none>        24224/TCP   3m10s

5 apply fluentbit output forward

Forward example:

apiVersion: logging.kubesphere.io/v1alpha2
kind: Output
metadata:
  name: fluentd
  namespace: kubesphere-logging-system
  labels:
    logging.kubesphere.io/enabled: "true"
    logging.kubesphere.io/component: logging
spec:
  matchRegex: (?:kube|service)\.(.*)
  forward:
    host: fluentd-forward.kubesphere-logging-system.svc # modify here according to the fluentd name
    port: 24224

6 Check results

$ kubectl -n kubesphere-logging-system exec -it elasticsearch-logging-data-0 -c elasticsearch -- curl -X GET "localhost:9200/ks-logstash*/_search?pretty" -H 'Content-Type: application/json' -d '{                                                           
  "size" : 0,
  "aggs" : {
     "kubernetes_ns": {
        "terms" : {
          "field": "kubernetes.namespace_name.keyword"
        }
     }
  }
}'

{
  "took" : 5,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 58,
    "max_score" : 0.0,
    "hits" : [ ]
  },
  "aggregations" : {
    "kubernetes_ns" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "kube-system",
          "doc_count" : 53
        },
        {
          "key" : "kubesphere-logging-system",
          "doc_count" : 5
        }
      ]
    }
  }
}

Todo

See #190

/cc @benjaminhuo @wanjunlei @wenchajun

[wenchajun]

Do fluentd images have different configurations when different container runtime?

[zhu733756]

Added to TODO list.

[benjaminhuo]

no, it's a log aggregator, not a log agent. So it only receives logs via network.

[wenchajun]

maybe errors is better

[zhu733756]

modified to kubesphere.io

[wanjunlei]

Why is kubesphere.io? Shouldn't it be fluent.io?

[zhu733756]

I see @wenchajun make this change in another pr :) /cc @wenchajun

[wenchajun]

Is fluentd's domain also kubesphere.io, if so, it may need to be changed as well.

[zhu733756]

will fix

[zhu733756]

clean up these

[zhu733756]

2022

[wanjunlei]

The crd version of the new fluent bit is v2alpha1 or v1beta1, maybe the version of fluentd should be the same as the version of fluent bit?

[zhu733756]

The crd version of the new fluent bit is v2alpha1 or v1beta1, maybe the version of fluentd should be the same as the version of fluent bit?

I think no need to. Since the two operators can be deployed by themselves, there is no strong attachment. And this is the first version it published. What do you think @benjaminhuo @wenchajun

[wanjunlei]

Please change the director api to apis.

[zhu733756]

Please change the director api to apis.

OK

[benjaminhuo]

We'd better combine operator of fluentbit and fluentd together into one single deployment/image with fluentbit/fluentd crds/controllers in it and then rename the project to fluent-operator

[zhu733756]

We'd better combine operator of fluentbit and fluentd together into one single deployment/image with fluentbit/fluentd crds/controllers in it and then rename the project to fluent-operator

I will combine the two operators into one

[benjaminhuo]

hosts => namespaces

[benjaminhuo]

Is it better to use []string for WatchedNamespaces, WatchedHosts, WatchedContainers?

[zhu733756]

yeah.

[benjaminhuo]

Call MatchCfgSelector FluentdConfigSelector is better?

[zhu733756]

I wonder whether FluentdConfigSelector is a bit confusing since there also has a ClusterFluentdConfig.

[benjaminhuo]

FluentdCfgSelector?

[zhu733756]

Seems better.

[benjaminhuo]

Is the []input are sorted to make sure the config generated are the same if no changes are made for every reconcile?
The same concerns applies to outputs/filters/configs

[zhu733756]

I will fix it.

[benjaminhuo]

clusterfilters/clusteroutputs/filtersList/outputsList all should be sorted using the same standard to make sure the config generated are the same for every reconcile.

filtersList/outputsList => filters/outputs ?

[zhu733756]

Yeah.

[benjaminhuo]

We'd better sync gcr distroless to https://hub.docker.com/repository/docker/kubesphere/distroless-static and use that instead

[zhu733756]

Let's replace it when the dockerhub address supports both arm/amd arches in one manifest. Because we use buildx to push image.

[benjaminhuo]

now it's multi-arch

[zhu733756]

OK.

[benjaminhuo]

This is a great enhancement to the upcoming fluent-operator, thanks @zhu733756

[patrick-stephens]

I think pretty good initial commit but I think documentation and testing need a fair bit of work. However, this could be done with future PRs.
We also need to consider how to integrate into Github actions well but also allow local development.

My concern is particularly the CRDs are not well spec'd so hard to use - testing will both stabilise them but also highlight issues and usage.
CRD upgrade is hard so we want to avoid it as much as possible and get them good to start with rather than evolve when people have them deployed.
kubectl explain ... should give a user enough information to fill in their CRD values, having to refer to somewhere else for simple questions is not good. It is also something that shows up in editors, etc. so really very helpful to have good context-sensitive documentation.

[patrick-stephens]

Probably need to sort these to use the fluent organisation ones and likely latest too for dev but with tagged versions for release.

[benjaminhuo]

Yeah, we'll change this eventually maybe after we finish adjusting the CI

[patrick-stephens]

I can't remember if there was a specific reason we could not support arm32 or just that it is uncommon for K8S? That may change though...

[benjaminhuo]

We have few user requirements for arm32 version actually, but we can provide that if there is such requirement in the fluent community

[patrick-stephens]

Bit of a mix of BuildKit and classic docker, although this depends on whether DOCKER_BUILDKIT is set as well. Is the intention just to do a local build of the operator images then push later?
Why do we build & push the others rather than offer the same? Just because they're more stable or would we want to use locally too during dev?

[patrick-stephens]

Probably a general comment but I think this needs a lot more documentation in the comments with examples, defaults, etc. well covered for every field and structure. It should explain usage rather than just being a simple data dictionary, if there are any rules or exclusions to consider they should be covered. Linkage to in-depth documentation and examples as well.

I'm assuming this all feeds into the CRD as well so we definitely want that being very well documented. The goal should be that kubectl explain ... gives the user enough information to actually use the CRD rather than having to reference out to other documentation.

[benjaminhuo]

Agree, we need better comments

[patrick-stephens]

This is the kind of comment that should have a linkage to Fluent documentation explaining what filters are but also expanding here to provide a bit more detail to help users of kubectl explain .... Are there any things to watch out for, etc.?

[patrick-stephens]

These comments are pretty self-explanatory, they should link out at the very least to reference documentation I think. Currently they do not provide much help to the user, the name tells as much as the comment.

[patrick-stephens]

Potentially you can define a FilterItem with multiple fields in it, what happens then? I think the intent is this is similar to a union in that you should only have one of the internal fields set - is that right? Having a single item of multiple filters seems strange if not. Either way I think it needs more documentation explaining what it is and how to create/use it.

[patrick-stephens]

I think Match and MatchRegex are mutually exclusive but also required - you must have one and only one? Again, needs a bit more documentation here I think. Is this the right type structure to show that? They're both strings so you could have a regex as well in either so would it be better to have a specific type that is one or the other?

[patrick-stephens]

We probably want to expand this a bit to some data driven tests with the config provided via files or similar. We need to exercise a few different combinations and failure cases I think.

[patrick-stephens]

Probably need to update Golang version here

[zhu733756]

will fix

[zhu733756]

I think pretty good initial commit but I think documentation and testing need a fair bit of work. However, this could be done with future PRs. We also need to consider how to integrate into Github actions well but also allow local development.

My concern is particularly the CRDs are not well spec'd so hard to use - testing will both stabilise them but also highlight issues and usage. CRD upgrade is hard so we want to avoid it as much as possible and get them good to start with rather than evolve when people have them deployed. kubectl explain ... should give a user enough information to fill in their CRD values, having to refer to somewhere else for simple questions is not good. It is also something that shows up in editors, etc. so really very helpful to have good context-sensitive documentation.

@patrick-stephens Good suggestions！ We would add multi images/binaries build, enhance docs explanations, and e2e tests to the schedule marked by an issue. Someone would like to contribute it.

[zhu733756]

Seems useless, removed. Will add it later.

[zhu733756]

Hi folks, come to #190 to implement the to-do list.

[benjaminhuo]

That's good. Please also take a look at @patrick-stephens‘ comments and add todo items into #190 if necessary

[benjaminhuo]

clusterfluentdconfigs.kubesphere.io should be clusterfluentdconfigs.fluentd.fluent.io?

[benjaminhuo]

Do we have clusterfluentds crd?

[benjaminhuo]

we have clusterinputs crd?

[benjaminhuo]

Please check all crd/patches file if the domain is correct: clusterfilters.kubesphere.io?
These files are auto-generated?

[benjaminhuo]

fluentbit.fluent.io doesn't have clusterfilters now

[benjaminhuo]

All the apiVersion in config/samples are not correct

[benjaminhuo]

ClusterInput doesn't exist

[benjaminhuo]

we might need to consider if the outputs: layer is necessary and if the type field could be removed。

[zhu733756]

This part will fix after I come back from the holidays. :)

[benjaminhuo]

What I think is that the outputs field is somehow duplicated with the CRD name, maybe we can change it to items?
The same applies to filters.

Your original idea of using an array to store outputs or filters is good, we can keep using the array.
Let's see if it's possible to deal with the type part, it's also ok to keep current implementation if we cannot find a better way

[zhu733756]

I think the type field combined into the plugin is reasonable, I will try to fix it.

[benjaminhuo]

kubesphere:operator:fluent-operator => fluent-operator is ok?

[zhu733756]

fix these done

[benjaminhuo]

kubesphere:operator:fluent-operator => fluent-operator

[benjaminhuo]

I think we can check out a branch fluentbit-operator from the current master branch for the legacy fluent-bit operator(with the old kubesphere.io domain) maintenance purpose, maybe someday in the future, this branch can be deleted once the fluent-operator is mature enough.

And then the master branch is used for the development of fluent-operator under the new domain fluent.io

This way, we'll have fewer works to do on each branch and the directory structure will be simplified.

@zhu733756 @wanjunlei @wenchajun

[benjaminhuo]

Agree, we need better comments

[patrick-stephens]

I think pretty good initial commit but I think documentation and testing need a fair bit of work. However, this could be done with future PRs. We also need to consider how to integrate into Github actions well but also allow local development.
My concern is particularly the CRDs are not well spec'd so hard to use - testing will both stabilise them but also highlight issues and usage. CRD upgrade is hard so we want to avoid it as much as possible and get them good to start with rather than evolve when people have them deployed. kubectl explain ... should give a user enough information to fill in their CRD values, having to refer to somewhere else for simple questions is not good. It is also something that shows up in editors, etc. so really very helpful to have good context-sensitive documentation.

@patrick-stephens Good suggestions！ We would add multi images/binaries build, enhance docs explanations, and e2e tests to the schedule marked by an issue. Someone would like to contribute it.

Yeah that seems a good idea to me, I would say nothing can go past beta until docs and tests are done. Ideally probably not past alpha as people tend to adopt even beta.
This is a fairly substantial change too so it would be better to get the base in for it then iterate in smaller PRs otherwise it is too large to review.

[zhu733756]

These CRDs copies from the generated CRDs with make manifest

[benjaminhuo]

Yeah that seems a good idea to me, I would say nothing can go past beta until docs and tests are done. Ideally probably not past alpha as people tend to adopt even beta. This is a fairly substantial change too so it would be better to get the base in for it then iterate in smaller PRs otherwise it is too large to review.

Agree with the comments, a test fluentd config has been added there apis/fluentd/v1alpha1/tests/expected-main-cfgs.cfg

[benjaminhuo]

After changing the domain from logging.kubesphere.io to fluent.io, The new directory structure looks better and simpler, thanks @zhu733756!

[zhu733756]

Signed-off-by: zhu733756 zhu733756@kubesphere.io

This pr add Fluentd-operator to implement the former proposal #138.

Backgrouds

...

Docs updated. Please help to review the new commit. If no other requested changes, we can push the official images at first, then continue working for the todos #190

[benjaminhuo]

The new commit looks good to me, thanks @zhu733756
Would you push fluent-operator:v1.0.0 to your own registry and then I'll sync it to kubesphere, maybe later to fluent org

[zhu733756]

fluent-operator:v1.0.0

OK.

[benjaminhuo]

Merge this first, we'll continue to work on items in #190 in separate PRs