Skip to content

Instantly share code, notes, and snippets.

@charith-elastic
Last active April 9, 2020 08:30
Show Gist options
  • Save charith-elastic/12010683e9948d10b878942c14560c51 to your computer and use it in GitHub Desktop.
Save charith-elastic/12010683e9948d10b878942c14560c51 to your computer and use it in GitHub Desktop.
ECK manifest generator
-------------------------------------------------------------------------------------------
$ bin/eck manifest
Utilities for generating an installation manifest for ECK
Usage:
eck manifest [command]
Available Commands:
generate Generate ECK manifests
options List manifest options
versions List available distribution versions
Flags:
-h, --help help for manifest
Use "eck manifest [command] --help" for more information about a command.
-------------------------------------------------------------------------------------------
$ bin/eck manifest generate --help
Generates a manifest for installing ECK.
There are two pre-defined profiles for installing ECK. The "global" profile installs ECK with access to the
whole Kubernetes cluster. The "restricted" profile installs ECK restricted to a single (or several) namespaces.
The generated manifest can be customized using the "--set" flag(s). Use the "options" command to list all
available configuration options. The behaviour of this flag is identical to how the Helm "--set" flag
operates (https://helm.sh/docs/intro/using_helm/).
By default, the operator is installed into the "elastic-system" namespace. This can be overridden by setting the
"operator.namespace" option.
Global operator:
$ eck manifest generate
Global operator with the validation webhook disabled:
$ eck manifest generate --set=config.webhook.enabled=false
Global operator with resource memory limit increased to 300Mi and CPU limit increased to 2:
$ eck manifest generate --set=operator.resources.limits.cpu=2,operator.resources.limits.memory=300Mi
Restricted operator without CRDs, managing the "elastic-system" namespace:
$ eck manifest generate --profile=restricted --exclude-crds
Restricted operator installed to and managing the single namespace named "namespacex":
$ eck manifest generate --profile=restricted --set=operator.namespace=namespacex --set=config.managedNamespaces='{namespacex}'
Restricted operator managing "elastic-system", "nsa" and "nsb":
$ eck manifest generate --profile=restricted --set=config.managedNamespaces='{elastic-system, nsa, nsb}'
Restricted operator with tracing configured:
$ eck manifest generate --profile=restricted --set=config.tracing.enabled=true --set=config.tracing.config.ELASTIC_APM_SERVER_URL=http://apm:8200
Usage:
eck manifest generate [flags]
Flags:
--exclude-crds Exclude CRDs from generated manifest
-h, --help help for generate
--profile string Operator profile (global, restricted) (default "global")
--set stringArray Set additional options
--version string Distribution version (default "1.1.0")
-------------------------------------------------------------------------------------------
$ bin/eck manifest options
operator:
name: elastic-operator
namespace: elastic-system
version: 1.1.0-bc0
selectorLabels:
control-plane: elastic-operator
image:
repository: docker.elastic.co/eck/eck-operator
pullPolicy: IfNotPresent
resources:
limits:
cpu: 1
memory: 150Mi
requests:
cpu: 100m
memory: 50Mi
config:
createClusterResources: true
managedNamespaces: []
logVerbosity: 0
metricsPort: 0
containerRegistry: docker.elastic.co
maxConcurrentReconciles: 3
tracing:
enabled: false
config:
ELASTIC_APM_SERVER_URL: http://localhost:8200
ELASTIC_APM_SERVER_TIMEOUT: 30s
ca:
validity: 8760h
rotateBefore: 24h
certificates:
validity: 8760h
rotateBefore: 24h
refs:
enforceRBAC: false
webhook:
enabled: true
manageCerts: true
certsDir: "/tmp/k8s-webhook-server/serving-certs"
secret: elastic-webhook-server-cert
name: elastic-webhook.k8s.elastic.co
serviceName: elastic-webhook-server
-------------------------------------------------------------------------------------------
# Output of `bin/eck manifest generate --exclude-crds`
---
# Source: eck/templates/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: elastic-system
---
# Source: eck/templates/service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: elastic-operator
namespace: elastic-system
---
# Source: eck/templates/webhook.yaml
apiVersion: v1
kind: Secret
metadata:
name: "elastic-webhook-server-cert"
namespace: elastic-system
---
# Source: eck/templates/cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: elastic-operator
rules:
- apiGroups:
- "authorization.k8s.io"
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resources:
- pods
- endpoints
- events
- persistentvolumeclaims
- secrets
- services
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apps
resources:
- deployments
- statefulsets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- elasticsearch.k8s.elastic.co
resources:
- elasticsearches
- elasticsearches/status
- elasticsearches/finalizers
- enterpriselicenses
- enterpriselicenses/status
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- kibana.k8s.elastic.co
resources:
- kibanas
- kibanas/status
- kibanas/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apm.k8s.elastic.co
resources:
- apmservers
- apmservers/status
- apmservers/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- enterprisesearch.k8s.elastic.co
resources:
- enterprisesearches
- enterprisesearches/status
- enterprisesearches/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
# Source: eck/templates/cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: "elastic-operator-view"
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["elasticsearch.k8s.elastic.co"]
resources: ["elasticsearches"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apm.k8s.elastic.co"]
resources: ["apmservers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["kibana.k8s.elastic.co"]
resources: ["kibanas"]
verbs: ["get", "list", "watch"]
---
# Source: eck/templates/cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: "elastic-operator-edit"
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["elasticsearch.k8s.elastic.co"]
resources: ["elasticsearches"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["apm.k8s.elastic.co"]
resources: ["apmservers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["kibana.k8s.elastic.co"]
resources: ["kibanas"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# Source: eck/templates/managed-ns-role-bindings.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: elastic-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: elastic-operator
subjects:
- kind: ServiceAccount
name: elastic-operator
namespace: elastic-system
---
# Source: eck/templates/operator-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: elastic-operator
namespace: elastic-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: elastic-operator
subjects:
- kind: ServiceAccount
name: elastic-operator
namespace: elastic-system
---
# Source: eck/templates/webhook.yaml
apiVersion: v1
kind: Service
metadata:
name: elastic-webhook-server
namespace: elastic-system
spec:
ports:
- name: https
port: 443
targetPort: 9443
selector:
control-plane: elastic-operator
---
# Source: eck/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: elastic-operator
namespace: elastic-system
labels:
control-plane: elastic-operator
spec:
selector:
matchLabels:
control-plane: elastic-operator
serviceName: elastic-operator
template:
metadata:
annotations:
# Rename the fields "error" to "error.message" and "source" to "event.source"
# This is to avoid a conflict with the ECS "error" and "source" documents.
"co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]"
labels:
control-plane: elastic-operator
spec:
terminationGracePeriodSeconds: 10
serviceAccountName: elastic-operator
containers:
- image: "docker.elastic.co/eck/eck-operator:1.1.0-bc0"
imagePullPolicy: IfNotPresent
name: manager
args:
- "manager"
- "--log-verbosity=0"
- "--metrics-port=0"
- "--container-registry=docker.elastic.co"
- "--max-concurrent-reconciles=3"
- "--ca-cert-validity=8760h"
- "--ca-cert-rotate-before=24h"
- "--cert-validity=8760h"
- "--cert-rotate-before=24h"
- "--enable-webhook"
env:
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: OPERATOR_IMAGE
value: "docker.elastic.co/eck/eck-operator:1.1.0-bc0"
- name: WEBHOOK_SECRET
value: "elastic-webhook-server-cert"
resources:
limits:
cpu: 1
memory: 150Mi
requests:
cpu: 100m
memory: 50Mi
ports:
- containerPort: 9443
name: https-webhook
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: "elastic-webhook-server-cert"
---
# Source: eck/templates/webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: elastic-webhook.k8s.elastic.co
webhooks:
- clientConfig:
caBundle: Cg==
service:
name: elastic-webhook-server
namespace: elastic-system
path: /validate-apm-k8s-elastic-co-v1-apmserver
failurePolicy: Ignore
name: elastic-apm-validation-v1.k8s.elastic.co
rules:
- apiGroups:
- apm.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- apmservers
- clientConfig:
caBundle: Cg==
service:
name: elastic-webhook-server
namespace: elastic-system
path: /validate-apm-k8s-elastic-co-v1beta1-apmserver
failurePolicy: Ignore
name: elastic-apm-validation-v1beta1.k8s.elastic.co
rules:
- apiGroups:
- apm.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- apmservers
- clientConfig:
caBundle: Cg==
service:
name: elastic-webhook-server
namespace: elastic-system
path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch
failurePolicy: Ignore
name: elastic-es-validation-v1.k8s.elastic.co
rules:
- apiGroups:
- elasticsearch.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- elasticsearches
- clientConfig:
caBundle: Cg==
service:
name: elastic-webhook-server
namespace: elastic-system
path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch
failurePolicy: Ignore
name: elastic-es-validation-v1beta1.k8s.elastic.co
rules:
- apiGroups:
- elasticsearch.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- elasticsearches
- clientConfig:
caBundle: Cg==
service:
name: elastic-webhook-server
namespace: elastic-system
path: /validate-kibana-k8s-elastic-co-v1-kibana
failurePolicy: Ignore
name: elastic-kb-validation-v1.k8s.elastic.co
rules:
- apiGroups:
- kibana.k8s.elastic.co
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- kibanas
- clientConfig:
caBundle: Cg==
service:
name: elastic-webhook-server
namespace: elastic-system
path: /validate-kibana-k8s-elastic-co-v1beta1-kibana
failurePolicy: Ignore
name: elastic-kb-validation-v1beta1.k8s.elastic.co
rules:
- apiGroups:
- kibana.k8s.elastic.co
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- kibanas
# Output of `bin/eck manifest generate --profile=restricted --exclude-crds --set=operator.namespace=eck1 --set=config.managedNamespaces='{eck1,eck2}'`
---
# Source: eck/templates/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: eck1
---
# Source: eck/templates/service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: elastic-operator
namespace: eck1
---
# Source: eck/templates/managed-ns-role-bindings.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: elastic-operator
namespace: eck1
rules:
- apiGroups:
- "authorization.k8s.io"
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resources:
- pods
- endpoints
- events
- persistentvolumeclaims
- secrets
- services
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apps
resources:
- deployments
- statefulsets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- elasticsearch.k8s.elastic.co
resources:
- elasticsearches
- elasticsearches/status
- elasticsearches/finalizers
- enterpriselicenses
- enterpriselicenses/status
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- kibana.k8s.elastic.co
resources:
- kibanas
- kibanas/status
- kibanas/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apm.k8s.elastic.co
resources:
- apmservers
- apmservers/status
- apmservers/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- enterprisesearch.k8s.elastic.co
resources:
- enterprisesearches
- enterprisesearches/status
- enterprisesearches/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
# Source: eck/templates/managed-ns-role-bindings.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: elastic-operator
namespace: eck2
rules:
- apiGroups:
- "authorization.k8s.io"
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resources:
- pods
- endpoints
- events
- persistentvolumeclaims
- secrets
- services
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apps
resources:
- deployments
- statefulsets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- elasticsearch.k8s.elastic.co
resources:
- elasticsearches
- elasticsearches/status
- elasticsearches/finalizers
- enterpriselicenses
- enterpriselicenses/status
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- kibana.k8s.elastic.co
resources:
- kibanas
- kibanas/status
- kibanas/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apm.k8s.elastic.co
resources:
- apmservers
- apmservers/status
- apmservers/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- enterprisesearch.k8s.elastic.co
resources:
- enterprisesearches
- enterprisesearches/status
- enterprisesearches/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
# Source: eck/templates/managed-ns-role-bindings.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: elastic-operator
namespace: eck1
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: elastic-operator
subjects:
- kind: ServiceAccount
name: elastic-operator
namespace: eck1
---
# Source: eck/templates/managed-ns-role-bindings.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: elastic-operator
namespace: eck2
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: elastic-operator
subjects:
- kind: ServiceAccount
name: elastic-operator
namespace: eck1
---
# Source: eck/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: elastic-operator
namespace: eck1
labels:
control-plane: elastic-operator
spec:
selector:
matchLabels:
control-plane: elastic-operator
serviceName: elastic-operator
template:
metadata:
annotations:
# Rename the fields "error" to "error.message" and "source" to "event.source"
# This is to avoid a conflict with the ECS "error" and "source" documents.
"co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]"
labels:
control-plane: elastic-operator
spec:
terminationGracePeriodSeconds: 10
serviceAccountName: elastic-operator
containers:
- image: "docker.elastic.co/eck/eck-operator:1.1.0-bc0"
imagePullPolicy: IfNotPresent
name: manager
args:
- "manager"
- "--log-verbosity=0"
- "--metrics-port=0"
- "--container-registry=docker.elastic.co"
- "--max-concurrent-reconciles=3"
- "--ca-cert-validity=8760h"
- "--ca-cert-rotate-before=24h"
- "--cert-validity=8760h"
- "--cert-rotate-before=24h"
- "--namespaces=eck1,eck2"
env:
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: OPERATOR_IMAGE
value: "docker.elastic.co/eck/eck-operator:1.1.0-bc0"
resources:
limits:
cpu: 1
memory: 150Mi
requests:
cpu: 100m
memory: 50Mi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment