feat: conditionally enable k8s logs requirements

Adds the ability to conditionally enable some role and volume access settings to enable k8s logs as a source Also adds the ability to supply a PersistentVolumeClaim name ref: LOG-18839
mezmo · Feb 5, 2024 · 3a55c94 · 3a55c94
1 parent 42f9841
commit 3a55c94
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 2 deletions.
diff --git a/charts/edge/Chart.yaml b/charts/edge/Chart.yaml
@@ -5,7 +5,7 @@ icon: https://app.mezmo.com/assets/img/mz-logo-square-128.png
 description: A Helm chart for deploying Mezmo Edge
 type: application
 appVersion: "3.1.2"
-version: 0.8.3
+version: 0.8.4
 maintainers:
   - name: Mezmo
     email: help@mezmo.com
diff --git a/charts/edge/README.md b/charts/edge/README.md
@@ -40,5 +40,7 @@ helm install edge mezmo/edge \
 | service.sourcePorts.start | int      | 8000            | The start of the port range (inclusive [start, end])
 | service.sourcePorts.end   | int      | 8010            | The end of the port range (set 0 or "" to disable port range)
 | service.sourcePorts.list  | array[]  | []              | Optional list of discrete ports to configure on the service
+| enableK8sLogs             | boolean  | false           | Whether or not to add ClusterRole and Volume access required for k8s logs source
+| pvcName                   | string   | ""              | Optional name for an existing PersistentVolumeClaim to use for disk buffering, aggregate persistence and k8s log checkpoints. Leaving undefined will default to ephemeral storage lasting the lifetime of the pod
 
 \* Port 8686 is reserved for internal use, and should not be additionally configured for sourcePorts
diff --git a/charts/edge/templates/rbac.yaml b/charts/edge/templates/rbac.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.enableK8sLogs }}
+# Permissions to use Kubernetes API.
+# Requires that RBAC authorization is enabled.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "edge.fullname" . }}
+  labels:
+    {{- include "edge.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - nodes
+      - pods
+    verbs:
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "edge.fullname" . }}
+  labels:
+    {{- include "edge.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "edge.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "edge.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/edge/templates/statefulset.yaml b/charts/edge/templates/statefulset.yaml
@@ -30,12 +30,25 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
         - name: data
+          {{- if .Values.pvcName }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.pvcName | quote }}
+          {{- else }}
           emptyDir: {}
+          {{- end }}
         - name: config
           projected:
             sources:
               - configMap:
                   name: {{ include "edge.fullname" . }}
+        {{- if .Values.enableK8sLogs }}
+        - hostPath:
+            path: /var/log/
+          name: var-log
+        - hostPath:
+            path: /var/lib/
+          name: var-lib
+        {{- end }}
       terminationGracePeriodSeconds: 60
       containers:
         - name: {{ .Chart.Name }}
@@ -71,6 +84,12 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+          {{- if .Values.enableK8sLogs }}
+          - name: EDGE_SELF_NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          {{- end }}
           - name: MEZMO_RESHAPE_MESSAGE
             value: "1"
           args:
@@ -80,10 +99,18 @@ spec:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
             - name: data
-              mountPath: "/vector-data-dir"
+              mountPath: "/data/vector"
             - name: config
               mountPath: "/etc/vector/"
               readOnly: true
+            {{- if .Values.enableK8sLogs }}
+            - mountPath: /var/log/
+              name: var-log
+              readOnly: true
+            - mountPath: /var/lib/
+              name: var-lib
+              readOnly: true
+            {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/edge/values.yaml b/charts/edge/values.yaml
@@ -70,3 +70,8 @@ podSecurityContext: {}
 securityContext: {}
 
 imagePullSecrets: []
+
+enableK8sLogs: false
+
+# Optional PersistentVolumeClaim name to use for default storage
+pvcName: ""