BDRK-3245: Update module and add securityContext variables (#10)

* Update module and add securityContext variables * Fix tfline image tag * Update consul-template image
basisai · Jul 13, 2021 · d9b16f4 · d9b16f4
1 parent b69f09d
commit d9b16f4
Show file tree

Hide file tree

Showing 10 changed files with 113 additions and 21 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# Order is important; the last matching pattern takes the most
+# precedence.
+# https://help.github.com/en/articles/about-code-owners
+* @basisai/infrastructure
diff --git a/README.md b/README.md
@@ -132,7 +132,7 @@ No modules.
 | <a name="input_chart_namespace"></a> [chart\_namespace](#input\_chart\_namespace) | Namespace to install the chart into | `string` | `"default"` | no |
 | <a name="input_chart_repository"></a> [chart\_repository](#input\_chart\_repository) | Helm repository for the chart | `string` | `"https://helm.releases.hashicorp.com"` | no |
 | <a name="input_chart_timeout"></a> [chart\_timeout](#input\_chart\_timeout) | Timeout to wait for the Chart to be deployed. The chart waits for all Daemonset pods to be healthy before ending. Increase this for larger clusers to avoid timeout | `number` | `1800` | no |
-| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Version of Chart to install. Set to empty to install the latest version | `string` | `"0.31.1"` | no |
+| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Version of Chart to install. Set to empty to install the latest version | `string` | `"0.32.1"` | no |
 | <a name="input_client_affinity"></a> [client\_affinity](#input\_client\_affinity) | affinity Settings for Client pods, formatted as a multi-line YAML string. | `any` | `null` | no |
 | <a name="input_client_annotations"></a> [client\_annotations](#input\_client\_annotations) | A YAML string for client pods | `string` | `""` | no |
 | <a name="input_client_enabled"></a> [client\_enabled](#input\_client\_enabled) | Enable running Consul client agents on every Kubernetes node | `string` | `"-"` | no |
@@ -197,6 +197,7 @@ No modules.
 | <a name="input_esm_chart_name"></a> [esm\_chart\_name](#input\_esm\_chart\_name) | Name of the ESM Chart name | `string` | `"consul-esm"` | no |
 | <a name="input_esm_chart_repository"></a> [esm\_chart\_repository](#input\_esm\_chart\_repository) | ESM Chart repository | `string` | `"https://basisai.github.io/charts/"` | no |
 | <a name="input_esm_chart_version"></a> [esm\_chart\_version](#input\_esm\_chart\_version) | ESM Chart version | `string` | `"0.2.2"` | no |
+| <a name="input_esm_container_security_context"></a> [esm\_container\_security\_context](#input\_esm\_container\_security\_context) | securityContext for ESM containers | `map` | `{}` | no |
 | <a name="input_esm_env"></a> [esm\_env](#input\_esm\_env) | Environment variables for Consul ESM | `list` | `[]` | no |
 | <a name="input_esm_external_node_meta"></a> [esm\_external\_node\_meta](#input\_esm\_external\_node\_meta) | The node metadata values used for the ESM to qualify a node in the catalog as an "external node". | `map` | <pre>{<br>  "external-node": "true"<br>}</pre> | no |
 | <a name="input_esm_http_addr"></a> [esm\_http\_addr](#input\_esm\_http\_addr) | HTTP address of the local Consul agent | `string` | `""` | no |
@@ -208,6 +209,7 @@ No modules.
 | <a name="input_esm_node_probe_interval"></a> [esm\_node\_probe\_interval](#input\_esm\_node\_probe\_interval) | The interval to ping and update coordinates for external nodes that have 'external-probe' set to true. By default, ESM will attempt to ping and  update the coordinates for all nodes it is watching every 10 seconds. | `string` | `"10s"` | no |
 | <a name="input_esm_node_reconnect_timeout"></a> [esm\_node\_reconnect\_timeout](#input\_esm\_node\_reconnect\_timeout) | The length of time to wait before reaping an external node due to failed pings. | `string` | `"72h"` | no |
 | <a name="input_esm_ping_type"></a> [esm\_ping\_type](#input\_esm\_ping\_type) | The method to use for pinging external nodes. | `string` | `"udp"` | no |
+| <a name="input_esm_pod_security_context"></a> [esm\_pod\_security\_context](#input\_esm\_pod\_security\_context) | securityContext for ESM pods | `map` | `{}` | no |
 | <a name="input_esm_release_name"></a> [esm\_release\_name](#input\_esm\_release\_name) | Name of the ESM Chart Release | `string` | `"consul-esm"` | no |
 | <a name="input_esm_replica"></a> [esm\_replica](#input\_esm\_replica) | Number of ESM replica | `number` | `3` | no |
 | <a name="input_esm_resources"></a> [esm\_resources](#input\_esm\_resources) | Resources for ESM | `map` | <pre>{<br>  "limits": {<br>    "memory": "256Mi"<br>  },<br>  "requests": {<br>    "cpu": "200m"<br>  }<br>}</pre> | no |
@@ -221,7 +223,7 @@ No modules.
 | <a name="input_exporter_affinity"></a> [exporter\_affinity](#input\_exporter\_affinity) | Affinity for Consul Exporter | `map` | `{}` | no |
 | <a name="input_exporter_chart_name"></a> [exporter\_chart\_name](#input\_exporter\_chart\_name) | Name of the Consul Exporter Chart name | `string` | `"prometheus-consul-exporter"` | no |
 | <a name="input_exporter_chart_repository"></a> [exporter\_chart\_repository](#input\_exporter\_chart\_repository) | Consul Exporter Chart repository | `string` | `"https://prometheus-community.github.io/helm-charts"` | no |
-| <a name="input_exporter_chart_version"></a> [exporter\_chart\_version](#input\_exporter\_chart\_version) | Consul Exporter Chart version | `string` | `"0.2.0"` | no |
+| <a name="input_exporter_chart_version"></a> [exporter\_chart\_version](#input\_exporter\_chart\_version) | Consul Exporter Chart version | `string` | `"0.4.0"` | no |
 | <a name="input_exporter_env"></a> [exporter\_env](#input\_exporter\_env) | Additional Environment Variables for Exporter | `list` | `[]` | no |
 | <a name="input_exporter_extra_containers"></a> [exporter\_extra\_containers](#input\_exporter\_extra\_containers) | Extra extra Containers | `list` | `[]` | no |
 | <a name="input_exporter_extra_volume_mounts"></a> [exporter\_extra\_volume\_mounts](#input\_exporter\_extra\_volume\_mounts) | Extra volume mounts for Exporter | `list` | `[]` | no |
@@ -235,11 +237,13 @@ No modules.
 | <a name="input_exporter_replica"></a> [exporter\_replica](#input\_exporter\_replica) | Number of Consul Exporter replicas | `number` | `1` | no |
 | <a name="input_exporter_resources"></a> [exporter\_resources](#input\_exporter\_resources) | Resources for Consul Exporter | `map` | <pre>{<br>  "limits": {<br>    "memory": "256Mi"<br>  },<br>  "requests": {<br>    "cpu": "200m"<br>  }<br>}</pre> | no |
 | <a name="input_exporter_service_annotations"></a> [exporter\_service\_annotations](#input\_exporter\_service\_annotations) | Consul Exporter service's annotations | `map` | `{}` | no |
+| <a name="input_exporter_service_monitor"></a> [exporter\_service\_monitor](#input\_exporter\_service\_monitor) | Create a ServiceMonitor to configure scraping | `bool` | `false` | no |
 | <a name="input_exporter_tag"></a> [exporter\_tag](#input\_exporter\_tag) | Docker Image tag for Consul Exporter | `string` | `"v0.7.1"` | no |
 | <a name="input_exporter_tolerations"></a> [exporter\_tolerations](#input\_exporter\_tolerations) | Tolerations for Consul Exporter | `list` | `[]` | no |
 | <a name="input_fullname_override"></a> [fullname\_override](#input\_fullname\_override) | Fullname Override of Helm resources | `string` | `""` | no |
 | <a name="input_gossip_encryption_key"></a> [gossip\_encryption\_key](#input\_gossip\_encryption\_key) | 32 Bytes Base64 Encoded Consul Gossip Encryption Key. Set to `null` to disable | `any` | `null` | no |
 | <a name="input_image_envoy"></a> [image\_envoy](#input\_image\_envoy) | Image and tag for Envoy Docker image to use for sidecar proxies, mesh, terminating and ingress gateways | `string` | `"envoyproxy/envoy-alpine:v1.18.3"` | no |
+| <a name="input_log_json_enable"></a> [log\_json\_enable](#input\_log\_json\_enable) | Enable all component logs to be output in JSON format | `bool` | `false` | no |
 | <a name="input_max_history"></a> [max\_history](#input\_max\_history) | Max History for Helm | `number` | `20` | no |
 | <a name="input_metrics_enabled"></a> [metrics\_enabled](#input\_metrics\_enabled) | Configures the Helm chart’s components to expose Prometheus metrics for the Consul service mesh. | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Sets the prefix used for all resources in the helm chart. If not set, the prefix will be "<helm release name>-consul". | `any` | `null` | no |

diff --git a/esm.tf b/esm.tf
@@ -25,6 +25,9 @@ locals {
     affinity    = jsonencode(var.esm_affinity)
     tolerations = jsonencode(var.esm_tolerations)
 
+    pod_security_context       = jsonencode(var.esm_pod_security_context)
+    container_security_context = jsonencode(var.esm_container_security_context)
+
     env       = jsonencode(var.esm_env)
     log_level = var.esm_log_level
 

diff --git a/exporter.tf b/exporter.tf
@@ -151,8 +151,9 @@ data "template_file" "exporter_values" {
       "consul.ca-file" = var.tls_enable_auto_encrypt ? "/${local.exporter_volume}/connect.pem" : (var.tls_ca != null ? "/${local.exporter_volume}/server.pem" : "")
     }))
 
-    rbac_enabled = var.exporter_rbac_enabled
-    psp_emabled  = var.exporter_psp
+    rbac_enabled            = var.exporter_rbac_enabled
+    psp_enabled             = var.exporter_psp
+    service_monitor_enabled = var.exporter_service_monitor
 
     consul_server_and_port = "${var.tls_enabled ? "https://" : ""}$(HOST_IP):${var.tls_enabled ? "8501" : "8500"}"
 

diff --git a/main.tf b/main.tf
@@ -30,6 +30,7 @@ locals {
     image_envoy = var.image_envoy
 
     pod_security_policy_enable = var.pod_security_policy_enable
+    log_json_enable            = var.log_json_enable
 
     datacenter = var.server_datacenter
 

diff --git a/templates/esm-values.yaml b/templates/esm-values.yaml
@@ -3,6 +3,11 @@ replicaCount: ${replica}
 image:
   repository: ${image}
   tag: ${tag}
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
 
 resources: ${resources}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -16,8 +21,27 @@ resources: ${resources}
   #   cpu: 100m
   #   memory: 128Mi
 
+nodeSelector: null
+
+tolerations: ${tolerations}
+
+affinity: ${affinity}
+
 env: ${env}
 
+# The sysctl below is needed for UDP Ping to work
+# See https://github.com/tatsushid/go-fastping/issues/25#issuecomment-236203705
+# It is not enabled by default because it is an "unsafe" sysctl
+# See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+# Alternatively, set initContainerSetSysCtl to `true`
+podSecurityContext: ${pod_security_context}
+  # sysctls:
+  #   - name: "net.ipv4.ping_group_range"
+  #     value: "0 65535"
+
+containerSecurityContext: ${container_security_context}
+
+# See above
 initContainerSetSysCtl: ${init_container_set_sysctl}
 
 config:
@@ -37,8 +61,8 @@ config:
 
   # The node metadata values used for the ESM to qualify a node in the catalog
   # as an "external node".
-
   externalNodeMeta: ${external_node_meta}
+
   # The length of time to wait before reaping an external node due to failed
   # pings.
   nodeReconnectTimeout: "${node_reconnect_timeout}"
@@ -77,7 +101,3 @@ config:
       server:
         address: ${server_address}
         port: 8501
-
-affinity: ${affinity}
-
-tolerations: ${tolerations}
diff --git a/templates/exporter-values.yaml b/templates/exporter-values.yaml
@@ -3,7 +3,7 @@ replicaCount: ${replica}
 rbac:
   # Specifies whether RBAC resources should be created
   create: ${rbac_enabled}
-  pspEnabled: ${psp_emabled}
+  pspEnabled: ${psp_enabled}
   pspUseAppArmor: true
 serviceAccount:
   # Specifies whether a ServiceAccount should be created
@@ -15,11 +15,17 @@ serviceAccount:
 image:
   repository: ${image}
   tag: ${tag}
+  pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
 
 consulServer: ${consul_server_and_port}
 
 # Flags - for a list visit https://github.com/prometheus/consul_exporter#flags
 options: ${options}
+  # no-consul.health-summary:
+  # kv.filter=foobar
 
 service:
   type: ClusterIP
@@ -51,6 +57,25 @@ resources: ${resources}
   #   cpu: 100m
   #   memory: 128Mi
 
+serviceMonitor:
+  # When set true then use a ServiceMonitor to configure scraping
+  enabled: ${service_monitor_enabled}
+  # Set the namespace the ServiceMonitor should be deployed
+  # namespace: monitoring
+  # Set how frequently Prometheus should scrape
+  # interval: 30s
+  # Set path to consul-exporter telemtery-path
+  # telemetryPath: /metrics
+  # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
+  # labels:
+  # Set timeout for scrape
+  # timeout: 10s
+  # Set of labels to transfer on the Kubernetes Service onto the target.
+  # targetLabels: []
+  # metricRelabelings: []
+
+nodeSelector: null
+
 tolerations: ${tolerations}
 
 affinity: ${affinity}

diff --git a/templates/values.yaml b/templates/values.yaml
@@ -9,6 +9,16 @@ global:
   # setting `server.enabled` to true.
   enabled: true
 
+  # The default log level to apply to all components which do not otherwise override this setting.
+  # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity.
+  # One of "debug", "info", "warn", or "error".
+  # @type: string
+  logLevel: "info"
+
+  # Enable all component logs to be output in JSON format.
+  # @type: boolean
+  logJSON: ${log_json_enable}
+
   # Set the prefix used for all resources in the Helm chart. If not set,
   # the prefix will be `<helm release name>-consul`.
   # @type: string
@@ -693,6 +703,12 @@ client:
   # required for Connect.
   grpc: ${client_grpc}
 
+  # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
+  # (see https://www.consul.io/docs/agent/options.html#_node_meta)
+  nodeMeta:
+    pod-name: $${HOSTNAME}
+    host-ip: $${HOST_IP}
+
   # If true, the Helm chart will expose the clients' gossip ports as hostPorts.
   # This is only necessary if pod IPs in the k8s cluster are not directly routable
   # and the Consul servers are outside of the k8s cluster.
@@ -892,7 +908,7 @@ client:
     # If true, the chart will install resources necessary to run the snapshot agent.
     enabled: false
 
-        # The number of snapshot agents to run.
+    # The number of snapshot agents to run.
     replicas: 2
 
     # A Kubernetes secret that should be manually created to contain the entire
@@ -1038,6 +1054,9 @@ ui:
     # @type: boolean
     enabled: false
 
+    # pathType override - see: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
+    pathType: Prefix
+
     # hosts is a list of host name to create Ingress rules.
     #
     # ```yaml
@@ -1307,7 +1326,7 @@ connectInject:
 
   # Image for consul-k8s that contains the injector
   # @type: string
-  iamge: null
+  image: null
 
   # If true, the injector will inject the
   # Connect sidecar into all pods by default. Otherwise, pods must specify the
@@ -1768,11 +1787,6 @@ meshGateway:
     # @type: string
     annotations: null
 
-  # If there are no connect-enabled services running, then the gateway
-  # will fail health checks. You may disable health checks as a temporary
-  # workaround.
-  enableHealthChecks: true
-
   resources:
     requests:
       memory: "100Mi"

diff --git a/tests/Dockerfile b/tests/Dockerfile
@@ -1,6 +1,6 @@
 FROM wata727/tflint:0.29.1
 
-ARG TERRAFORM_VERSION=1.0.0
+ARG TERRAFORM_VERSION=1.0.1
 
 RUN apk add --no-cache curl git \
   && curl -L https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip > terraform.zip \

diff --git a/variables.tf b/variables.tf
@@ -15,7 +15,7 @@ variable "chart_repository" {
 
 variable "chart_version" {
   description = "Version of Chart to install. Set to empty to install the latest version"
-  default     = "0.31.1"
+  default     = "0.32.1"
 }
 
 variable "chart_namespace" {
@@ -38,6 +38,11 @@ variable "fullname_override" {
   default     = ""
 }
 
+variable "log_json_enable" {
+  description = "Enable all component logs to be output in JSON format"
+  default     = false
+}
+
 variable "max_history" {
   description = "Max History for Helm"
   default     = 20
@@ -858,6 +863,16 @@ variable "esm_tolerations" {
   default     = []
 }
 
+variable "esm_pod_security_context" {
+  description = "securityContext for ESM pods"
+  default     = {}
+}
+
+variable "esm_container_security_context" {
+  description = "securityContext for ESM containers"
+  default     = {}
+}
+
 variable "esm_log_level" {
   description = "Log level for ESM"
   default     = "INFO"
@@ -928,7 +943,7 @@ variable "esm_node_agent_port" {
 
 variable "consul_template_image" {
   description = "Image for Consul Template"
-  default     = "hashicorp/consul-template:0.25.1-light"
+  default     = "hashicorp/consul-template:0.26.0"
 }
 
 variable "esm_server_address" {
@@ -966,7 +981,7 @@ variable "exporter_chart_repository" {
 
 variable "exporter_chart_version" {
   description = "Consul Exporter Chart version"
-  default     = "0.2.0"
+  default     = "0.4.0"
 }
 
 variable "exporter_replica" {
@@ -1022,6 +1037,11 @@ variable "exporter_psp" {
   default     = true
 }
 
+variable "exporter_service_monitor" {
+  description = "Create a ServiceMonitor to configure scraping"
+  default     = false
+}
+
 variable "exporter_options" {
   description = "Arguments for Exporter. See https://github.com/prometheus/consul_exporter#flags"
   default     = {}