Init container updates for persisting kibana plugins. #8389

Open
wants to merge 27 commits into
base: main
naemono
Contributor

@naemono naemono commented Jan 2, 2025

resolves: #8388

With the recent changes in #7787 we broke users being able to install custom Kibana plugins. This updates the existing init container for Kibana configuration, and adds the ability to copy plugins to an emptyDir volume, and then mount this to /usr/share/kibana/plugins in the primary Kibana container. (effectively mirroring what we do with Elasticsearch)

Review Notes

Changes

  1. I've moved the initcontainer logic into its own package, similar to what's done for elasticsearch. (pkg/controller/elasticsearch/initcontainer)
  2. I've moved many/most of the variables for volume naming/mountPoints to a new settings package to avoid import cycles.
  3. I've combined both the plugins copying logic, and the kibana config creation logic into the same init container that already existed, and renamed it appropriately.

Testing

  1. I've manually tested in an existing cluster that the kibana plugins copying works as expected, and noted this in the comments (will update with additional testing from last commit shortly). See notes/comments here, and here.
  2. I've also tested a keystore alongside this new init container.
  3. I'll be triggering a full set of e2e tests today.
  4. I've updated/added many unit tests.

updating unit tests.

Signed-off-by: Michael Montgomery <[email protected]>
@botelastic botelastic bot added the triage label Jan 2, 2025
@pebrc
Collaborator

pebrc commented Jan 3, 2025

Should we reuse the existing init container for this? What is the overhead of adding another container?

@naemono
Contributor Author

naemono commented Jan 3, 2025

> Should we reuse the existing init container for this? What is the overhead of adding another container?

The problem with using the existing init container is that the init-config init container is always included in the pod, and the init-filesystem is only included when the version >= 7.10 and the flag for setting security context is enabled. I thought this would make the logic more straight-forward. I guess we could include some templating logic in the original init container to only include that block when enabled, and only include the volumes as well. I'll verify that the approach I'm taking is working, then I'll see about adjusting to use the original init.

@naemono
Contributor Author

naemono commented Jan 6, 2025

Ok, I've verified that this is working as intended by:

  1. Creating a fake kibana plugin and hosting it on GH.
  2. Creating a Dockerfile to use the fake plugin:
❯ cat Dockerfile.kibana-plugins
FROM docker.elastic.co/kibana/kibana:8.17.0
RUN /usr/share/kibana/bin/kibana-plugin install https://github.com/naemono/fake-kibana-plugin/releases/download/v0.0.1/fakePlugin-v8.17.0.zip
RUN /usr/share/kibana/bin/kibana --optimize
  3. Updating Kibana to use the image:
❯ kc get pod -n elastic eck-stack-eck-kibana-kb-5b9c947db-2nwq9 -o yaml | yq '.spec.containers[].image'
mmontg1/kibana-with-plugin:8.17.0
  4. Verifying in the logs that the copy operation is doing what we would expect:
❯ kc logs -n elastic eck-stack-eck-kibana-kb-5b9c947db-2nwq9 -c elastic-internal-init-filesystem
Copying /usr/share/kibana/plugins/* to /mnt/elastic-internal/kibana-plugins-local/
'/usr/share/kibana/plugins/fakePlugin' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin'
'/usr/share/kibana/plugins/fakePlugin/.i18nrc.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/.i18nrc.json'
'/usr/share/kibana/plugins/fakePlugin/common' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/common'
'/usr/share/kibana/plugins/fakePlugin/common/index.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/common/index.js'
'/usr/share/kibana/plugins/fakePlugin/kibana.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/kibana.json'
'/usr/share/kibana/plugins/fakePlugin/node_modules' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/node_modules'
'/usr/share/kibana/plugins/fakePlugin/node_modules/.yarn-integrity' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/node_modules/.yarn-integrity'
'/usr/share/kibana/plugins/fakePlugin/package.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/package.json'
'/usr/share/kibana/plugins/fakePlugin/server' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server'
'/usr/share/kibana/plugins/fakePlugin/server/index.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/index.js'
'/usr/share/kibana/plugins/fakePlugin/server/plugin.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/plugin.js'
'/usr/share/kibana/plugins/fakePlugin/server/routes' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/routes'
'/usr/share/kibana/plugins/fakePlugin/server/routes/index.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/routes/index.js'
'/usr/share/kibana/plugins/fakePlugin/server/types.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/types.js'
'/usr/share/kibana/plugins/fakePlugin/target' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target'
'/usr/share/kibana/plugins/fakePlugin/target/public' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public'
'/usr/share/kibana/plugins/fakePlugin/target/public/fakePlugin.chunk.1.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public/fakePlugin.chunk.1.js'
'/usr/share/kibana/plugins/fakePlugin/target/public/fakePlugin.chunk.1.js.br' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public/fakePlugin.chunk.1.js.br'
'/usr/share/kibana/plugins/fakePlugin/target/public/fakePlugin.plugin.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public/fakePlugin.plugin.js'
'/usr/share/kibana/plugins/fakePlugin/target/public/fakePlugin.plugin.js.br' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public/fakePlugin.plugin.js.br'
'/usr/share/kibana/plugins/fakePlugin/translations' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/translations'
'/usr/share/kibana/plugins/fakePlugin/translations/ja-JP.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/translations/ja-JP.json'
'/usr/share/kibana/plugins/fakePlugin/tsconfig.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/tsconfig.json'
Files copy duration: 0 sec.
  5. Verifying in the KB UI that the plugin appears:

Screenshot From 2025-01-06 09-51-19

I'm going to now see about adding this functionality to the existing init container, and not adding a 2nd....

naemono added 13 commits January 6, 2025 13:19
@thbkrkr thbkrkr added the >enhancement Enhancement of existing functionality label Jan 8, 2025
@botelastic botelastic bot removed the triage label Jan 8, 2025
@naemono
Contributor Author

naemono commented Jan 8, 2025

Logs from recent commit showing init container that does both plugins initialization/copy, and config init.

❯ kc logs -n elastic eck-stack-eck-kibana-kb-6cb66db678-lpdwr -c elastic-internal-init
++ date +%s
+ mv_start=1736365111
++ ls -A /usr/share/kibana/plugins
+ [[ -z fakePlugin ]]
+ echo 'Copying /usr/share/kibana/plugins/* to /mnt/elastic-internal/kibana-plugins-local/'
Copying /usr/share/kibana/plugins/* to /mnt/elastic-internal/kibana-plugins-local/
+ yes
+ cp -avf /usr/share/kibana/plugins/fakePlugin /mnt/elastic-internal/kibana-plugins-local/
'/usr/share/kibana/plugins/fakePlugin' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin'
'/usr/share/kibana/plugins/fakePlugin/.i18nrc.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/.i18nrc.json'
'/usr/share/kibana/plugins/fakePlugin/common' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/common'
'/usr/share/kibana/plugins/fakePlugin/common/index.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/common/index.js'
'/usr/share/kibana/plugins/fakePlugin/kibana.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/kibana.json'
'/usr/share/kibana/plugins/fakePlugin/node_modules' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/node_modules'
'/usr/share/kibana/plugins/fakePlugin/node_modules/.yarn-integrity' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/node_modules/.yarn-integrity'
'/usr/share/kibana/plugins/fakePlugin/package.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/package.json'
'/usr/share/kibana/plugins/fakePlugin/server' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server'
'/usr/share/kibana/plugins/fakePlugin/server/index.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/index.js'
'/usr/share/kibana/plugins/fakePlugin/server/plugin.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/plugin.js'
'/usr/share/kibana/plugins/fakePlugin/server/routes' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/routes'
'/usr/share/kibana/plugins/fakePlugin/server/routes/index.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/routes/index.js'
'/usr/share/kibana/plugins/fakePlugin/server/types.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/server/types.js'
'/usr/share/kibana/plugins/fakePlugin/target' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target'
'/usr/share/kibana/plugins/fakePlugin/target/public' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public'
'/usr/share/kibana/plugins/fakePlugin/target/public/fakePlugin.chunk.1.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public/fakePlugin.chunk.1.js'
'/usr/share/kibana/plugins/fakePlugin/target/public/fakePlugin.chunk.1.js.br' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public/fakePlugin.chunk.1.js.br'
'/usr/share/kibana/plugins/fakePlugin/target/public/fakePlugin.plugin.js' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public/fakePlugin.plugin.js'
'/usr/share/kibana/plugins/fakePlugin/target/public/fakePlugin.plugin.js.br' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/target/public/fakePlugin.plugin.js.br'
'/usr/share/kibana/plugins/fakePlugin/translations' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/translations'
'/usr/share/kibana/plugins/fakePlugin/translations/ja-JP.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/translations/ja-JP.json'
'/usr/share/kibana/plugins/fakePlugin/tsconfig.json' -> '/mnt/elastic-internal/kibana-plugins-local/fakePlugin/tsconfig.json'
++ duration 1736365111
++ local start=1736365111
+++ date +%s
++ end=1736365111
++ echo 0
+ echo 'Files copy duration: 0 sec.'
+ init_config_initialized_flag=/mnt/elastic-internal/kibana-config-local/elastic-internal-init-config.ok
Files copy duration: 0 sec.
+ [[ -f /mnt/elastic-internal/kibana-config-local/elastic-internal-init-config.ok ]]
+ echo 'Setup Kibana configuration'
+ ln -sf /mnt/elastic-internal/kibana-config/kibana.yml /mnt/elastic-internal/kibana-config/telemetry.yml /mnt/elastic-internal/kibana-config-local/
Setup Kibana configuration
+ touch /mnt/elastic-internal/kibana-config-local/elastic-internal-init-config.ok
+ echo 'Kibana configuration successfully prepared.'
Kibana configuration successfully prepared.

Also keystore init container logs:

❯ kc logs -n elastic eck-stack-eck-kibana-kb-6cb66db678-lpdwr -c elastic-internal-init-keystore
Initializing keystore.
+ keystore_initialized_flag=/usr/share/kibana/config/elastic-internal-init-keystore.ok
+ [[ -f /usr/share/kibana/config/elastic-internal-init-keystore.ok ]]
+ echo 'Initializing keystore.'
+ /usr/share/kibana/bin/kibana-keystore create
Created Kibana keystore in /usr/share/kibana/config/kibana.keystore
+ for filename in /mnt/elastic-internal/secure-settings/*
+ [[ -e /mnt/elastic-internal/secure-settings/server.ssl.enabled ]]
++ basename /mnt/elastic-internal/secure-settings/server.ssl.enabled
+ key=server.ssl.enabled
+ echo 'Adding server.ssl.enabled to the keystore.'
+ /usr/share/kibana/bin/kibana-keystore add server.ssl.enabled --stdin
Adding server.ssl.enabled to the keystore.
+ touch /usr/share/kibana/config/elastic-internal-init-keystore.ok
Keystore initialization successful.
+ echo 'Keystore initialization successful.'
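
The copy-then-mount pattern these logs show, reduced to a script that runs against temporary directories. This is an added example reconstructed from the trace, not the operator's script; the directory arguments, the `demo` function and the "nothing to copy" and "already initialized" messages are assumptions.

```bash
#!/usr/bin/env bash
# Added example reconstructed from the xtrace above; not the operator's script.
set -eu

# copy_plugins SRC DST
# SRC: plugins directory baked into the image. The init container still sees
#      it because it mounts the emptyDir at a different path (DST).
# DST: the emptyDir that the main container later mounts over its plugins path.
copy_plugins() {
  local src="$1" dst="$2"
  # An image without plugins leaves nothing to copy (message is an assumption).
  if [ -z "$(ls -A "$src" 2>/dev/null)" ]; then
    echo "No plugins found in $src, nothing to copy."
    return 0
  fi
  echo "Copying $src/* to $dst/"
  # "src/." rather than "src/*" so that top-level dotfiles are copied as well;
  # -a keeps modes, timestamps and symlinks as they are in the image.
  cp -af "$src"/. "$dst"/
}

# link_config SRC DST FILE...
# Symlinks the operator-managed config files into DST once. The flag file makes
# a restarted init container skip the work (skip message is an assumption).
link_config() {
  local src="$1" dst="$2" flag f
  shift 2
  flag="$dst/elastic-internal-init-config.ok"
  if [ -f "$flag" ]; then
    echo "Kibana configuration already initialized."
    return 0
  fi
  echo "Setup Kibana configuration"
  for f in "$@"; do
    ln -sf "$src/$f" "$dst/"
  done
  touch "$flag"
  echo "Kibana configuration successfully prepared."
}

# demo builds a constructed tree in a temp dir, runs both steps, repeats the
# config step, and prints how many files reached the shared volume.
demo() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/image/plugins/fakePlugin/server" "$root/plugins-local" \
    "$root/config" "$root/config-local"
  echo '{"id":"fakePlugin"}' > "$root/image/plugins/fakePlugin/kibana.json"
  echo '// constructed' > "$root/image/plugins/fakePlugin/server/index.js"
  : > "$root/config/kibana.yml"
  : > "$root/config/telemetry.yml"
  copy_plugins "$root/image/plugins" "$root/plugins-local"
  link_config "$root/config" "$root/config-local" kibana.yml telemetry.yml
  # Second run, as after an init container restart: the flag short-circuits.
  link_config "$root/config" "$root/config-local" kibana.yml telemetry.yml
  find "$root/plugins-local" -type f | wc -l
  rm -rf "$root"
}

demo
```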

@naemono naemono changed the title WIP: Init container for persisting kibana plugins. Init container updates for persisting kibana plugins. Jan 8, 2025
@naemono naemono marked this pull request as ready for review January 8, 2025 19:54
Collaborator

@pebrc pebrc left a comment

I had a very quick browse through the code, which looks good to me. I still want to do some testing.

pkg/apis/kibana/v1/name_test.go
pkg/controller/kibana/initcontainer/configmap.go Outdated
Comment on lines +23 to +33
verify: func(v volume.ConfigMapVolume) error {
if v.Name() != "kibana-scripts" {
return fmt.Errorf("unexpected name: %s", v.Name())
}
if v.VolumeMount().MountPath != "/mnt/elastic-internal/scripts" {
return fmt.Errorf("unexpected mount path: %s", v.VolumeMount().MountPath)
}
if *v.Volume().ConfigMap.DefaultMode != 0755 {
return fmt.Errorf("unexpected default mode: %d", *v.Volume().ConfigMap.DefaultMode)
}
return nil
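Review bot: the default-mode check dereferences `*v.Volume().ConfigMap.DefaultMode` without a nil guard, so a volume built without a ConfigMap source or without a default mode would panic the test instead of returning one of these descriptive errors; check both for nil first and return an error. The failure message also formats the mode with %d, which prints 0755 as 493; %o would match how the expected value is written.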
Collaborator

Could this not be a simple equality check on the struct? Or even use something like go-snaps?

Contributor Author

Unfortunately the struct's fields aren't exported, so that's why this was a bit... odd.

type ConfigMapVolume struct {
    configMapName string
    name          string
    mountPath     string
    items         []corev1.KeyToPath
    defaultMode   int32
}

Contributor Author

Let me know if this needs changing.

@naemono naemono requested a review from pebrc January 9, 2025 19:01
builder.WithContainersSecurityContext(defaultSecurityContext).
WithPodSecurityContext(defaultPodSecurityContext).
WithVolumes(LogsVolume.Volume()).WithVolumeMounts(LogsVolume.VolumeMount()).
WithVolumes(PluginsVolume.Volume()).WithVolumeMounts(PluginsVolume.VolumeMount()).
WithVolumes(TempVolume.Volume()).WithVolumeMounts(TempVolume.VolumeMount())
WithVolumes(TempVolume.Volume()).WithVolumeMounts(TempVolume.VolumeMount()).
WithVolumes(scriptsConfigMapVolume.Volume()).WithVolumeMounts(scriptsConfigMapVolume.VolumeMount())
Collaborator

The scripts volume mount has to be present also when the security context is disabled.

Contributor Author

I have some unit tests to fix tomorrow, but it shouldn't block the continued review of this.

@pebrc
Collaborator

pebrc commented Jan 10, 2025

buildkite test this -f E2E_TAGS=kb -m p=gke,p=ocp

Contributor

@barkbay barkbay left a comment

I just did a quick static code review. I'll try to run some tests shortly...


import (
"bytes"
"html/template"
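Review bot: the "html/template" import is the wrong engine if this file renders the init script. html/template HTML-escapes every interpolated value, so a parameter containing &, <, > or a quote would land in the script as an entity such as &amp; and change what the shell runs. Import "text/template" instead, which inserts values verbatim.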
Contributor

Do we really need the html/template package?

Suggested change
"html/template"
"text/template"

Comment on lines +179 to +182
err = initcontainer.ReconcileScriptsConfigMap(ctx, d.client, *kb, params.SetDefaultSecurityContext)
if err != nil {
return results.WithError(err)
}
Contributor

Suggested change
err = initcontainer.ReconcileScriptsConfigMap(ctx, d.client, *kb, params.SetDefaultSecurityContext)
if err != nil {
return results.WithError(err)
}
if err := initcontainer.ReconcileScriptsConfigMap(ctx, d.client, *kb, params.SetDefaultSecurityContext); err != nil {
return results.WithError(err)
}

Comment on lines +97 to +98
// RenderInitScript renders the init script that will be run by the init container.
func RenderInitScript(kb kbv1.Kibana, setDefaultSecurityContext bool) (string, error) {
Contributor

Suggested change
// RenderInitScript renders the init script that will be run by the init container.
func RenderInitScript(kb kbv1.Kibana, setDefaultSecurityContext bool) (string, error) {
// renderInitScript renders the init script that will be run by the init container.
func renderInitScript(kb kbv1.Kibana, setDefaultSecurityContext bool) (string, error) {

Comment on lines +82 to +83
// RenderScriptTemplate renders initFsScriptTemplate using the given TemplateParams
func RenderScriptTemplate(params templateParams) (string, error) {
Contributor

Suggested change
// RenderScriptTemplate renders initFsScriptTemplate using the given TemplateParams
func RenderScriptTemplate(params templateParams) (string, error) {
// renderScriptTemplate renders initFsScriptTemplate using the given TemplateParams
func renderScriptTemplate(params templateParams) (string, error) {

Comment on lines +88 to +89
!reflect.DeepEqual(expected.Labels, reconciled.Labels) ||
!reflect.DeepEqual(expected.Annotations, reconciled.Annotations)
Contributor

Do we really want a strict equality?

Suggested change
!reflect.DeepEqual(expected.Labels, reconciled.Labels) ||
!reflect.DeepEqual(expected.Annotations, reconciled.Annotations)
!maps.IsSubset(expected.Labels, reconciled.Labels) ||
!maps.IsSubset(expected.Annotations, reconciled.Annotations)

var HardenedSecurityContextSupportedVersion = version.From(7, 9, 0)

// NewScriptsConfigMapVolume creates a new volume for the ConfigMap containing scripts used by the Kibana init container.
func NewScriptsConfigMapVolume(kbName string) volume.ConfigMapVolume {
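Review bot: HardenedSecurityContextSupportedVersion is set to version.From(7, 9, 0), but the discussion earlier in this PR describes the init-filesystem gate as version >= 7.10; with the v.GTE check used further down, 7.9.x would also get the plugins volume. State in the constant's comment which lower bound is intended, or correct the constant.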
Contributor

I don't think configmaps are watched by this controller:

func addWatches(mgr manager.Manager, c controller.Controller, r *ReconcileKibana) error {
// Watch for changes to Kibana
if err := c.Watch(source.Kind(mgr.GetCache(), &kbv1.Kibana{}, &handler.TypedEnqueueRequestForObject[*kbv1.Kibana]{})); err != nil {
return err
}
// Watch deployments
if err := c.Watch(source.Kind(mgr.GetCache(), &appsv1.Deployment{}, handler.TypedEnqueueRequestForOwner[*appsv1.Deployment](
mgr.GetScheme(), mgr.GetRESTMapper(),
&kbv1.Kibana{}, handler.OnlyControllerOwner(),
))); err != nil {
return err
}
// Watch Pods, to ensure `status.version` and version upgrades are correctly reconciled on any change.
// Watching Deployments only may lead to missing some events.
if err := watches.WatchPods(mgr, c, kblabel.KibanaNameLabelName); err != nil {
return err
}
// Watch services
if err := c.Watch(source.Kind(mgr.GetCache(), &corev1.Service{}, handler.TypedEnqueueRequestForOwner[*corev1.Service](
mgr.GetScheme(), mgr.GetRESTMapper(),
&kbv1.Kibana{}, handler.OnlyControllerOwner(),
))); err != nil {
return err
}
// Watch owned and soft-owned secrets
if err := c.Watch(source.Kind(mgr.GetCache(), &corev1.Secret{}, handler.TypedEnqueueRequestForOwner[*corev1.Secret](
mgr.GetScheme(), mgr.GetRESTMapper(),
&kbv1.Kibana{}, handler.OnlyControllerOwner(),
))); err != nil {
return err
}
if err := watches.WatchSoftOwnedSecrets(mgr, c, kbv1.Kind); err != nil {
return err
}
// dynamically watch referenced secrets to connect to Elasticsearch
return c.Watch(source.Kind(mgr.GetCache(), &corev1.Secret{}, r.dynamicWatches.Secrets))
}

}
}

// ReconcileScriptsConfigMap reconciles the ConfigMap containing scripts used by the Kibana init container.
Contributor

nit: just to make it clear that it is not used by the one used for the keystore?

Suggested change
// ReconcileScriptsConfigMap reconciles the ConfigMap containing scripts used by the Kibana init container.
// ReconcileScriptsConfigMap reconciles the ConfigMap containing scripts used by the Kibana elastic-internal-init init container.

}

// newConfigMapWithData constructs a new ConfigMap with the given data.
func newConfigMapWithData(cm, kb types.NamespacedName, data map[string]string) corev1.ConfigMap {
Contributor

Should we just inline this function? IMHO I'm not sure it adds much, and it would make the code easier to read.

}

// reconcileConfigMap checks for an existing ConfigMap and updates it or creates one if it does not exist.
func reconcileConfigMap(
Contributor

Same here, this function is just calling reconciler.ReconcileResource; I would inline it.

Comment on lines +26 to +28
// IncludePlugins indicates whether the script should include
// the plugins persistence logic.
IncludePlugins bool
Contributor

@barkbay barkbay Jan 10, 2025

nit, naming...

Suggested change
// IncludePlugins indicates whether the script should include
// the plugins persistence logic.
IncludePlugins bool
// CopyPlugins indicates whether the script should copy the plugins from the Kibana image.
// This should be set to true when the file system is in read only mode and the plugin directory is replaced by an emptyDir.
CopyPlugins bool

if err != nil {
return corev1.Container{}, err // error unlikely and should have been caught during validation
}
enablePluginsMounts := v.GTE(HardenedSecurityContextSupportedVersion) && setDefaultSecurityContext
Contributor

@barkbay barkbay Jan 10, 2025

Why is setDefaultSecurityContext required to be true? Does it mean that if a user is running on OCP and wants to set readOnlyRootFilesystem: true for example, then this volume and the init-container should be added/adjusted manually?

Collaborator

We could just always copy the plugins and avoid a lot of conditional logic?

Resources: defaultResources,
}

if enablePluginsMounts {
Contributor

nit: we can remove the variable (or move it closer to where it is used)

Suggested change
if enablePluginsMounts {
if v.GTE(HardenedSecurityContextSupportedVersion) && setDefaultSecurityContext {
container.VolumeMounts = append(container.VolumeMounts, PluginsSharedVolume.InitContainerVolumeMount())
}

Successfully merging this pull request may close these issues.

Kibana plugins directory in custom image is no longer accessible since ECK 2.16.0
4 participants