diff --git a/CHANGELOG.md b/CHANGELOG.md index cc75da00c41749f1b3918b2efa4135c807434a50..1f229bb4e69d2235ade76cd0dd0325686a21154e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [0.1.15-bb.0] - 2021-06-22 +### Changed +- Upgrade to version 7.12.0 of Kibana and Elasticsearch +- Tweaks to autoRollingUpgrade job to allow for transition from 7.10 to 7.12 . + ## [0.1.14-bb.1] - 2021-06-17 ### Added - Network Policy templates. diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 86584102f9a87934e4d7b4cc71309d122a072009..f8778f6ed4c3069ffec148d09909304c59787420 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: logging -version: 0.1.14-bb.1 -appVersion: 7.10.0 +version: 0.1.15-bb.0 +appVersion: 7.12.0 dependencies: - name: bb-test-lib version: "0.4.0" diff --git a/chart/templates/bigbang/networkpolicies/kb-allow.yaml b/chart/templates/bigbang/networkpolicies/kb-allow.yaml new file mode 100644 index 0000000000000000000000000000000000000000..617118d514eb364ef1efdce1288e33c8e299c36e --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/kb-allow.yaml @@ -0,0 +1,21 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: kb-communication-eck-operator + namespace: {{ .Release.Namespace }} +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: elastic-operator + ports: + - port: 5601 + protocol: TCP + podSelector: + matchLabels: + common.k8s.elastic.co/type: kibana + policyTypes: +{{- end }} diff --git a/chart/templates/bigbang/upgrade-job.yaml b/chart/templates/bigbang/upgrade-job.yaml index 118aeecdd79358646c2b224a5384f704a9553f0e..fa728b00d78e9bbb209f2f3ffd857f58d6f86470 100644 --- a/chart/templates/bigbang/upgrade-job.yaml +++ b/chart/templates/bigbang/upgrade-job.yaml 
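Review bot: In the new kb-allow.yaml, `policyTypes:` is followed directly by `{{- end }}`, so the key renders with no value and the policy relies on API defaulting to be treated as an ingress policy; add `- Ingress` under it. The single `from` peer also pairs `namespaceSelector: {}` with the `app.kubernetes.io/name: elastic-operator` pod selector, which admits any pod carrying that label, in any namespace, to Kibana on port 5601. Pod labels are chosen by whoever deploys the pod, so the label alone is a weak identity. Consider replacing the empty namespace selector with a `matchLabels` selector for the namespace the ECK operator runs in, and add a short comment saying why the operator needs this path.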
@@ -1,4 +1,31 @@ {{- if .Values.autoRollingUpgrade.enabled }} +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: api-egress-upgrade-job + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-10" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation +spec: + egress: + - to: + - ipBlock: + cidr: {{ .Values.networkPolicies.controlPlaneCidr }} + {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }} + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 + {{- end }} + podSelector: + matchLabels: + app.kubernetes.io/name: bigbang-ek-upgrade-job + policyTypes: + - Egress +{{- end }} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -7,7 +34,7 @@ metadata: annotations: "helm.sh/hook": post-upgrade "helm.sh/hook-weight": "-10" - "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -17,7 +44,7 @@ metadata: annotations: "helm.sh/hook": post-upgrade "helm.sh/hook-weight": "-10" - "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation rules: - apiGroups: ["elasticsearch.k8s.elastic.co"] resources: ["elasticsearches"] @@ -37,7 +64,7 @@ metadata: annotations: "helm.sh/hook": post-upgrade "helm.sh/hook-weight": "-10" - "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation roleRef: apiGroup: rbac.authorization.k8s.io kind: Role 
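Review bot: The `except: - 169.254.169.254/32` entry in the api-egress-upgrade-job policy is rendered only when `controlPlaneCidr` is exactly the string `"0.0.0.0/0"`, so any other range that contains the metadata address (for example `0.0.0.0/1` or `169.254.0.0/16`) is emitted without the exclusion. The rule also has no `ports:` list, and chart/values.yaml in this commit defaults the value to `0.0.0.0/0`, so out of the box the job pod can reach every address on every port except that one IP. Consider adding a `ports:` entry limited to the API server port, and stating in the values comment that operators are expected to narrow the CIDR. Rendering the value as `cidr: {{ .Values.networkPolicies.controlPlaneCidr | quote }}` would also make an unset value fail at apply time instead of producing an empty `cidr:`.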
@@ -57,12 +84,14 @@ metadata: "helm.sh/hook-weight": "-5" spec: backoffLimit: 3 - ttlSecondsAfterFinished: 300 + ttlSecondsAfterFinished: 480 template: metadata: name: bb-{{ .Release.Name }}-upgrade annotations: sidecar.istio.io/inject: 'false' + labels: + app.kubernetes.io/name: bigbang-ek-upgrade-job spec: serviceAccountName: {{ .Release.Name }}-bb-upgrade containers: 
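Review bot: The new pod label `app.kubernetes.io/name: bigbang-ek-upgrade-job` is the only thing tying this Job to the `api-egress-upgrade-job` NetworkPolicy added earlier in the same file, and nothing on either side says so. If the label is later renamed, the policy stops selecting the pod without any error. A comment above the label such as `# must match podSelector in the api-egress-upgrade-job NetworkPolicy` would document the coupling. The label is a fixed string rather than release-scoped, so two releases in one namespace would share the policy selection; confirm that is intended.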
@@ -79,14 +108,24 @@ spec: curl -XPUT -ku "elastic:$elastic" "https://{{ .Release.Name }}-es-http.{{ .Release.Namespace }}.svc:9200/_cluster/settings?pretty" -H 'Content-Type: application/json' -d' { "persistent": { "cluster.routing.allocation.enable": "primaries" } }' curl -XPOST -ku "elastic:$elastic" "https://{{ .Release.Name }}-es-http.{{ .Release.Namespace }}.svc:9200/_flush/synced?pretty" + export ES_DESIRED_VERSION="7.10.*" + echo "Rolling Upgrade Prep Commands Completed" + elif [[ $(kubectl get elasticsearch {{ .Release.Name }} -n {{ .Release.Namespace }} -o jsonpath='{.status.version}') == 7.10.* ]] && [[ $(kubectl get elasticsearch {{ .Release.Name }} -n {{ .Release.Namespace }} -o jsonpath='{.spec.version}') == 7.12.* ]]; then + echo "Running Rolling Upgrade Prep Commands" + kubectl annotate --overwrite kibana {{ .Release.Name }} -n {{ .Release.Namespace }} 'eck.k8s.elastic.co/managed=false' + kubectl delete deployment -l kibana.k8s.elastic.co/name={{ .Release.Name }},common.k8s.elastic.co/type=kibana -n {{ .Release.Namespace }} + + curl -XPUT -ku "elastic:$elastic" "https://{{ .Release.Name }}-es-http.{{ .Release.Namespace }}.svc:9200/_cluster/settings?pretty" -H 'Content-Type: application/json' -d' { "persistent": { "cluster.routing.allocation.enable": "primaries" } }' + curl -XPOST -ku "elastic:$elastic" "https://{{ .Release.Name }}-es-http.{{ .Release.Namespace }}.svc:9200/_flush/synced?pretty" + export ES_DESIRED_VERSION="7.12.*" echo "Rolling Upgrade Prep Commands Completed" else echo "No Upgrade Prep Necessary :D" exit 0 fi - until [[ $( kubectl get elasticsearch {{ .Release.Name }} -n {{ .Release.Namespace }} -o jsonpath='{.status.phase}' ) == "Ready" ]] && [[ $(kubectl get elasticsearch {{ .Release.Name }} -n {{ .Release.Namespace }} -o jsonpath='{.status.version}') == 7.10.* ]]; do - echo "ES cluster not Ready" && sleep 10; + until [[ $( kubectl get elasticsearch {{ .Release.Name }} -n {{ .Release.Namespace }} -o jsonpath='{.status.phase}' ) == 
"Ready" ]] && [[ $(kubectl get elasticsearch {{ .Release.Name }} -n {{ .Release.Namespace }} -o jsonpath='{.status.version}') == $ES_DESIRED_VERSION ]]; do + echo "ES cluster version $ES_DESIRED_VERSION not yet Ready" && sleep 10; done if [ $( curl -ku "elastic:$elastic" -k "https://{{ .Release.Name }}-es-http.{{ .Release.Namespace }}.svc:9200/_cluster/settings?pretty" | yq r - persistent.cluster.routing.allocation.enable ) == "primaries" ]; then diff --git a/chart/values.yaml b/chart/values.yaml index 510a477685c3175ae19c1adbe6c6c9b48d27f244..2f36fcd084a01e4b4ddc76bc7031a0464201e356 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -6,10 +6,10 @@ autoRollingUpgrade: enabled: true kibana: - version: 7.10.2 + version: 7.12.0 image: repository: registry1.dso.mil/ironbank/elastic/kibana/kibana - tag: 7.10.2 + tag: 7.12.0 # Number of Kibana replicas count: 3 @@ -60,10 +60,10 @@ kibana: # command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] elasticsearch: - version: 7.10.0 + version: 7.12.0 image: repository: registry1.dso.mil/ironbank/elastic/elasticsearch/elasticsearch - tag: 7.10.0 + tag: 7.12.0 imagePullSecrets: [ ] @@ -267,6 +267,8 @@ networkPolicies: ingressLabels: app: istio-ingressgateway istio: ingressgateway + # See `kubectl cluster-info` and then resolve to IP + controlPlaneCidr: 0.0.0.0/0 upgradeJob: image: diff --git a/tests/test-values.yml b/tests/test-values.yml index 94fcb2a31d4c4fcf03cc0f61a13020d07ea40a1e..3a840cfee28e1a367340b0b09a4d8bc185d2b8e1 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -29,6 +29,7 @@ istio: networkPolicies: enabled: true + controlPlaneCidr: 172.16.0.0/12 bbtests: enabled: true
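Review bot: The new `elif` branch adds two more `curl -XPUT -ku "elastic:$elastic"` / `curl -XPOST -ku` calls, so the `elastic` superuser password is again sent over a connection whose certificate is not verified (`-k`). Any workload able to intercept traffic to the `-es-http` service inside the cluster could capture that credential. ECK normally publishes the HTTP CA in a `{{ .Release.Name }}-es-http-certs-public` secret (worth confirming for this deployment); mounting it into the job and using `--cacert <mounted-ca-path>` in place of `-k` would close this, though the volume definition lies outside this hunk. Separately, the new branch repeats the 7.9-to-7.10 branch almost line for line, with only the version globs and `ES_DESIRED_VERSION` differing, so a small shell function taking the from/to versions would keep the two paths from drifting. The script starts and ends outside the hunk.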