[fluentd] Simplified chart for AWS elasticsearch (#205)

Author: Nuru

incubator/fluentd-kubernetes-aws/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

incubator/fluentd-kubernetes-aws/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+description: Collect Kubernetes logs with Fluentd and forward to AWS-hosted Elasticsearch.
+icon: https://raw.githubusercontent.com/fluent/fluentd-docs/master/public/logo/Fluentd_square.png
+name: fluentd-kubernetes-aws
+version: 0.1.0
+appVersion: 1.4.2
+home: https://www.fluentd.org/
+sources:
+- https://hub.docker.com/r/fluent/fluentd-kubernetes-daemonset
+- https://github.com/fluent/fluentd-kubernetes-daemonset
+maintainers:
+- name: cloudposse
+  email: hello@cloudposse.com

incubator/fluentd-kubernetes-aws/README.md

@@ -0,0 +1,49 @@
+# Fluentd AWS
+
+Helm chart to run [fluentd](https://www.fluentd.org/) on kubernetes and connect to
+an AWS Elasticsearch domain protected by IAM.
+
+## Use cases
+
+This specialized chart covers the case where:
+- your Kubernetes cluster has RBAC enabled
+- you are using [`kiam`](https://github.com/uswitch/kiam) to assign IAM roles to pods
+- you have an [AWS Elasticsearch](https://aws.amazon.com/elasticsearch-service/)
+- you have created an IAM role that has access to Elasticsearch
+- you want Fluentd to collect logs from your Kubernetes cluster and forward them to Elasticsearch.
+
+## Credit
+
+This chart is based on [fluentd-daemonset-elasticsearch-rbac.yaml](https://github.com/fluent/fluentd-kubernetes-daemonset/blob/8c76f51/fluentd-daemonset-elasticsearch-rbac.yaml)
+
+#### Quick start
+```
+helm install incubator/fluentd-kubernetes-aws \
+    --set elasticsearch.endpoint=<elasticsearch_domain_endpoint> \
+    --set role=<IAM role>
+```
+
+#### Full config
+
+This chart installs the [fluentd-kubernetes-daemonset](https://github.com/fluent/fluentd-kubernetes-daemonset)
+that is specialied to forward logs to Elasticsearch. That installation is entirely configured
+with environment variables which are not specifcially documented, but are well named
+and can be found by inspecting the templates at https://github.com/fluent/fluentd-kubernetes-daemonset/tree/8c76f51/templates
+
+Those values can be set using `env.NAME=value`
+
+Example `values.yaml` file:
+```yaml
+image: 
+  repository: fluent/fluentd-kubernetes-daemonset
+  tag: v1.3.3-debian-elasticsearch-1.8
+
+role: elasticsearch-user
+
+elasticsearch:
+  endpoint: my-elasticsearch-jivhavxbcd5dvcbjzrac7j42rm.us-west-2.es.amazonaws.com
+  
+env:
+  FLUENT_ELASTICSEARCH_RELOAD_CONNECTIONS: false
+  FLUENT_ELASTICSEARCH_BUFFER_FLUSH_INTERVAL: 10s
+```

incubator/fluentd-kubernetes-aws/templates/NOTES.txt

@@ -0,0 +1,6 @@
+To verify that Fluentd  has started, run:
+
+  kubectl --namespace={{ .Release.Namespace }} get all -l "app={{ template "fluentd_kubernetes.name" . }},release={{ .Release.Name }}"
+
+THIS APPLICATION CAPTURES ALL CONSOLE OUTPUT AND FORWARDS IT TO configured backend storage. Anything that might be identifying,
+including things like IP addresses, container images, and object names will NOT be anonymized.

incubator/fluentd-kubernetes-aws/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fluentd_kubernetes.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fluentd_kubernetes.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fluentd_kubernetes.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

incubator/fluentd-kubernetes-aws/templates/clusterrole.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "fluentd_kubernetes.fullname" . }}
+  labels:
+    app: {{ template "fluentd_kubernetes.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch

incubator/fluentd-kubernetes-aws/templates/clusterrolebinding.yaml

@@ -0,0 +1,17 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "fluentd_kubernetes.fullname" . }}
+  labels:
+    app: {{ template "fluentd_kubernetes.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "fluentd_kubernetes.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "fluentd_kubernetes.fullname" . }}
+    namespace: {{ .Release.Namespace }}

incubator/fluentd-kubernetes-aws/templates/daemonset.yaml

@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ template "fluentd_kubernetes.fullname" . }}
+  labels:
+    k8s-app: fluentd-logging
+    version: v1
+    kubernetes.io/cluster-service: "true"
+    app: {{ template "fluentd_kubernetes.name" . }}
+    chart: {{ template "fluentd_kubernetes.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: fluentd-logging
+      app: {{ template "fluentd_kubernetes.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        k8s-app: fluentd-logging
+        version: v1
+        kubernetes.io/cluster-service: "true"
+        app: {{ template "fluentd_kubernetes.name" . }}
+        release: {{ .Release.Name }}
+      {{- if .Values.role }}
+      annotations:
+        iam.amazonaws.com/role: {{ .Values.role }}
+      {{- end }}
+    spec:
+      serviceAccountName: {{ template "fluentd_kubernetes.fullname" . }}
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      containers:
+      - name: fluentd
+        image: {{ .Values.image.repository}}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
+        env:
+        {{- if .Values.role }}
+          - name: FLUENT_ELASTICSEARCH_HOST
+            value: "localhost"
+          - name: FLUENT_ELASTICSEARCH_PORT
+            value: "9200"
+          - name: FLUENT_ELASTICSEARCH_SCHEME
+            value: "http"
+        {{- else }}
+          - name: FLUENT_ELASTICSEARCH_HOST
+            value: "{{ .Values.elasticsearch.endpoint }}"
+          - name: FLUENT_ELASTICSEARCH_PORT
+            value: "443"
+          - name: FLUENT_ELASTICSEARCH_SCHEME
+            value: "https"
+        {{- end }}
+          {{- range $name, $value := .Values.env }}
+          {{- if (not (empty $value)) and (not (eq $name "FLUENT_ELASTICSEARCH_HOST" "FLUENT_ELASTICSEARCH_SCHEME")) }}
+          - name: {{ $name | quote }}
+            value: {{ $value | quote }}
+          {{- end }}
+          {{- end }}
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+        volumeMounts:
+        - name: varlog
+          mountPath: /var/log
+        - name: varlibdockercontainers
+          mountPath: /var/lib/docker/containers
+          readOnly: true
+      {{- if .Values.role }}
+      - name: signing-proxy
+        # This image, abutaha/aws-es-proxy:0.9, still has issues, but the Fluentd plugin seems not to be affected by them.
+        # Still, the image should be updated when possible, but once we find a good image it should not need to be
+        # updated further until AWS changes their signing algorithm.
+        # https://github.com/abutaha/aws-es-proxy/issues/27
+        # https://github.com/abutaha/aws-es-proxy/issues/29
+        # https://github.com/abutaha/aws-es-proxy/issues/35
+        # An alternative is mozilla/aws-signing-proxy but as of version 1.0.3 it did not work
+        # https://github.com/mozilla-services/aws-signing-proxy/issues/9
+        image: abutaha/aws-es-proxy:0.9
+        imagePullPolicy: IfNotPresent
+        args:
+        - "-endpoint"
+        - "https://{{ .Values.elasticsearch.endpoint }}"
+        - "-listen"
+        - "127.0.0.1:9200"
+        {{- if .Values.debug.signer }}
+        - "-pretty"
+        - "-verbose"
+        - "-log-to-file"
+        {{- end }}
+        resources:
+          requests:
+           cpu: 5m
+           memory: 10Mi
+      {{- end }}
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: varlog
+          hostPath:
+            path: /var/log
+        - name: varlibdockercontainers
+          hostPath:
+            path: /var/lib/docker/containers

incubator/fluentd-kubernetes-aws/templates/prometheusrule.yaml

@@ -0,0 +1,69 @@
+{{- if .Values.prometheus.createRule }}
+# Copied from https://github.com/kiwigrid/helm-charts/blob/416e9ef84ad865846d263e2fccdf0c32ed9fee81/charts/fluentd-elasticsearch/templates/prometheusrule.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name:  {{ template "fluentd_kubernetes.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "fluentd_kubernetes.name" . }}
+    helm.sh/chart: {{ include "fluentd_kubernetes.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.prometheus.labels }}
+{{- toYaml .Values.prometheus.labels | nindent 4 }}
+{{- end }}
+spec:
+  groups:
+  - name: fluentd
+    rules:
+    - alert: FluentdNodeDown
+      expr: up{job="{{ .Release.Name }}"} == 0
+      for: 10m
+      labels:
+        service: fluentd
+        severity: warning
+      annotations:
+        summary: fluentd cannot be scraped
+        description: Prometheus could not scrape {{ "{{ $labels.job }}" }} for more than 10 minutes
+
+    - alert: FluentdNodeDown
+      expr: up{job="{{ .Release.Name }}"} == 0
+      for: 30m
+      labels:
+        service: fluentd
+        severity: critical
+      annotations:
+        summary: fluentd cannot be scraped
+        description: Prometheus could not scrape {{ "{{ $labels.job }}" }} for more than 30 minutes
+
+    - alert: FluentdQueueLength
+      expr: rate(fluentd_status_buffer_queue_length[5m]) > 0.3
+      for: 1m
+      labels:
+        service: fluentd
+        severity: warning
+      annotations:
+        summary: fluentd node are failing
+        description: In the last 5 minutes, fluentd queues increased 30%. Current value is {{ "{{ $value }}" }}
+
+    - alert: FluentdQueueLength
+      expr: rate(fluentd_status_buffer_queue_length[5m]) > 0.5
+      for: 1m
+      labels:
+        service: fluentd
+        severity: critical
+      annotations:
+        summary: fluentd node are critical
+        description: In the last 5 minutes, fluentd queues increased 50%. Current value is {{ "{{ $value }}" }}
+
+    - alert: FluentdRecordsCountsHigh
+      expr: sum(rate(fluentd_record_counts{job="{{ .Release.Name }}"}[5m])) BY (instance) >  (3 * sum(rate(fluentd_record_counts{job="{{ .Release.Name }}"}[15m])) BY (instance))
+      for: 1m
+      labels:
+        service: fluentd
+        severity: critical
+      annotations:
+        summary: fluentd records count are critical
+        description: In the last 5m, records counts increased 3 times, comparing to the latest 15 min.
+
+{{- end }}

incubator/fluentd-kubernetes-aws/templates/service.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.prometheus.createService }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "fluentd_kubernetes.fullname" . }}-prometheus
+  labels:
+    app: {{ template "fluentd_kubernetes.name" . }}-prometheus
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+
+spec:
+  type: ClusterIP
+  ports:
+    - name: prometheus
+      port: 9224
+      protocol: TCP
+      targetPort: {{ index .Values.env "FLUENTD_PROMETHEUS_PORT" | default "24231" }}
+  selector:
+    app: {{ template "fluentd_kubernetes.name" . }}
+    release: {{ .Release.Name }}
+{{- end }}