first commit

templates/fluent-bit/logrotate/calico.netpol.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.fluentBit.logrotate.calicoNetpol.enabled }}
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: logrotate-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  order: 10
+  selector: dplane == 'logrotate-job'
+  types:
+    - Egress
+  egress:
+    # allow to communicate to DNS pods
+    - action: Allow
+      protocol: UDP
+      destination:
+        namespaceSelector: projectcalico.org/name == 'kube-system'
+        ports:
+          - 53
+    - action: Allow
+      protocol: TCP
+      destination:
+        namespaceSelector: projectcalico.org/name == 'kube-system'
+        ports:
+          - 53
+    # allow to communicate with k8s api server
+    - action: Allow
+      destination:
+        services:
+          name:  kubernetes
+          namespace: default
+      protocol: TCP
+{{- end}}

templates/fluent-bit/logrotate/logrotate-configmap.yaml

@@ -0,0 +1,76 @@
+{{- if and .Values.fluentBit.enabled .Values.fluentBit.logrotate.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: logrotate-{{ template "fluent-bit.appName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dataplane.labels" . | nindent 4 }}
+data:
+  dynamic-logrotate.sh: |
+    #!/bin/sh
+    set -e
+    STATE_FILE="/tmp/logrotate.status"
+    LOGROTATE_CONFIG="/tmp/dynamic-logrotate.conf"
+
+    # Determine base path based on dataplane mode
+    BASE_PATH="{{- if eq (include "parent.dataplaneMode" .) "shared" -}}/efs/logs{{- else -}}/efs/clusters/{{ tpl .Values.common.clusterRefId . }}/logs{{- end }}"
+
+    # List of service folders to scan
+    SERVICES="sink-agent inbound-worker pep-server orchestrator envoy fusion-operator"
+
+    # Clean up the old config file
+    echo "" > "$LOGROTATE_CONFIG"
+
+     # Get running pod names in current namespace
+    POD_NAMES=$(kubectl get pods -n $(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) \
+      --field-selector=status.phase=Running \
+      -o jsonpath='{.items[*].metadata.name}')
+
+    for svc in $SERVICES; do
+      for pod in $POD_NAMES; do
+        case "$svc" in
+          "envoy")
+            [[ "$pod" != *envoy* ]] && continue
+            LOG_PATH="$BASE_PATH/envoy/$pod/envoy.log"
+            ;;
+          "fusion-operator")
+            [[ "$pod" != *fusion-operator* ]] && continue
+            LOG_PATH="$BASE_PATH/fusion-operator/$pod/fusion-operator.log"
+            ;;
+          "sink-agent")
+            [[ "$pod" != *sink-agent* ]] && continue
+            LOG_PATH="$BASE_PATH/sinkagent/$pod/sinkagent.log"
+            ;;
+          "inbound-worker")
+            [[ "$pod" != *inbound-worker* ]] && continue
+            LOG_PATH="$BASE_PATH/inbound/$pod/inbound/inbound.log"
+            ;;
+          "pep-server")
+            [[ "$pod" != *pep-server* ]] && continue
+            LOG_PATH="$BASE_PATH/pep-server/$pod/pep-server.log"
+            ;;
+          "orchestrator")
+            [[ "$pod" != *orchestrator* ]] && continue
+            LOG_PATH="$BASE_PATH/ir/$pod/orchestrator.log"
+            ;;
+        esac
+
+        if [ -f "$LOG_PATH" ]; then
+          echo "$LOG_PATH {
+              size 10M
+              rotate -1
+              missingok
+              dateext
+              dateformat .%Y-%m-%d-%H-%M
+              notifempty
+              create
+              nocompress
+          }" >> "$LOGROTATE_CONFIG"
+        fi
+      done
+    done
+
+    # Run logrotate with the generated config
+    /usr/sbin/logrotate -v --state "$STATE_FILE" "$LOGROTATE_CONFIG"
+{{- end }}

templates/fluent-bit/logrotate/logrotate-cronjob.yaml

@@ -0,0 +1,64 @@
+{{- if and .Values.fluentBit.enabled .Values.fluentBit.logrotate.enabled -}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: logrotate-{{ template "fluent-bit.appName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    dplane: "logrotate-job"
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: {{ .Values.fluentBit.logrotate.job_ttl }}
+      template:
+        metadata:
+          labels:
+            dplane: "logrotate-job"
+        spec:
+          serviceAccountName: {{ include "logrotate.serviceAccountName" . }}
+          containers:
+            - image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
+              imagePullPolicy: {{ .Values.global.image.pullPolicy }}
+              command: [ "/bin/sh", "-c" ]
+              args:
+                - |
+                  sh /etc/logrotate.d/dynamic-logrotate.sh
+              name: logrotate
+              {{- with .Values.fluentBit.logrotate.securityContext }}
+              securityContext:
+                {{- toYaml . | nindent 16 }}
+              {{- end }}
+              volumeMounts:
+                - mountPath: /etc/logrotate.d
+                  name: logrotate-config
+                - mountPath: /efs
+                  name: {{ .Values.global.volumeStorageName }}
+                - mountPath: /tmp
+                  name: tmpdir
+          restartPolicy: OnFailure
+          {{- with .Values.global.image.imagePullSecrets }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- if .Values.fluentBit.logrotate.podSecurityContextEnabled -}}
+          {{- with .Values.fluentBit.logrotate.podSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- end }}
+          volumes:
+            - configMap:
+                defaultMode: 420
+                name: logrotate-{{ template "fluent-bit.appName" . }}
+              name: logrotate-config
+            - name: {{ .Values.global.volumeStorageName }}
+              persistentVolumeClaim:
+                claimName: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
+            - emptyDir: {}
+              name: tmpdir
+  schedule: "{{ .Values.fluentBit.logrotate.schedule }}"
+  successfulJobsHistoryLimit: 1
+  suspend: false
+{{- end }}

templates/fluent-bit/logrotate/role.yaml

@@ -0,0 +1,17 @@
+{{- if ( and .Values.fluentBit.logrotate.serviceAccount.enabled ( not .Values.fluentBit.logrotate.serviceAccount.preexisting ) ) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: logrotate-{{ template "fluent-bit.appName" . }}-role
+  labels:
+    {{- include "dataplane.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - pods
+    verbs:
+      - get
+      - list
+{{- end }}

templates/fluent-bit/logrotate/roleBinding.yaml

@@ -0,0 +1,16 @@
+{{- if ( and .Values.fluentBit.logrotate.serviceAccount.enabled ( not .Values.fluentBit.logrotate.serviceAccount.preexisting ) ) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: logrotate-{{ template "fluent-bit.appName" . }}-role-binding
+  labels:
+    {{- include "dataplane.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: logrotate-{{ template "fluent-bit.appName" . }}-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "logrotate.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

templates/fluent-bit/logrotate/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.fluentBit.logrotate.serviceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "logrotate.serviceAccountName" . }}
+  labels:
+    {{- include "dataplane.labels" . | nindent 4 }}
+  {{- with .Values.fluentBit.logrotate.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}