Adds EFK support

kustomize/observability/elasticsearch/README.md

@@ -0,0 +1,9 @@
+# Elasticsearch Configuration Requirements
+
+For Elasticsearch to work properly on Talos Linux nodes, the following sysctl configuration must be applied in the Talos machine configuration:
+
+```
+"machine":
+  "sysctls":
+    "vm.max_map_count": 262144
+```

kustomize/observability/elasticsearch/certificates.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: elasticsearch
+  namespace: system-observability
+spec:
+  secretName: elasticsearch-master-certs
+  issuerRef:
+    name: private
+    kind: ClusterIssuer
+  commonName: elasticsearch
+  dnsNames:
+    - "elasticsearch-master"
+    - "elasticsearch-master.system-observability"
+    - "elasticsearch-master.system-observability.svc"
+    - "elasticsearch-master.system-observability.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.elasticsearch-master.system-observability.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "elasticsearch-master-headless"
+    - "elasticsearch-master-headless.system-observability"
+    - "elasticsearch-master-headless.system-observability.svc"
+    - "elasticsearch-master-headless.system-observability.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.elasticsearch-master-headless.system-observability.svc.${CLUSTER_DOMAIN:-cluster.local}"
+  usages:
+    - server auth
+    - client auth

kustomize/observability/elasticsearch/helm-release.yaml

@@ -0,0 +1,62 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: elasticsearch
+  namespace: system-observability
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: elasticsearch
+      # renovate: datasource=helm depName=elasticsearch package=elasticsearch helmRepo=https://helm.elastic.co
+      version: "8.5.1"
+      sourceRef:
+        kind: HelmRepository
+        name: elastic-elasticsearch
+        namespace: system-observability
+  values:
+    createCert: false
+    secretMounts:
+    - name: elasticsearch-certificates
+      secretName: elasticsearch-master-certs
+      path: /usr/share/elasticsearch/config/certificates
+      defaultMode: 0755
+    extraEnvs:
+      - name: xpack.security.enabled
+        value: "true"
+      - name: xpack.security.transport.ssl.enabled
+        value: "true"
+      - name: xpack.security.http.ssl.enabled
+        value: "true"
+      - name: xpack.security.transport.ssl.verification_mode
+        value: "certificate"
+      - name: xpack.security.transport.ssl.key
+        value: "/usr/share/elasticsearch/config/certificates/tls.key"
+      - name: xpack.security.transport.ssl.certificate
+        value: "/usr/share/elasticsearch/config/certificates/tls.crt"
+      - name: xpack.security.transport.ssl.certificate_authorities
+        value: "/usr/share/elasticsearch/config/certificates/ca.crt"
+      - name: xpack.security.http.ssl.key
+        value: "/usr/share/elasticsearch/config/certificates/tls.key"
+      - name: xpack.security.http.ssl.certificate
+        value: "/usr/share/elasticsearch/config/certificates/tls.crt"
+      - name: xpack.security.http.ssl.certificate_authorities
+        value: "/usr/share/elasticsearch/config/certificates/ca.crt"
+    antiAffinity: "soft"
+    replicas: 1
+    sysctlInitContainer:
+      enabled: false
+    esJavaOpts: "-Xmx512m -Xms512m"
+    resources:
+      requests:
+        cpu: "100m"
+        memory: "768M"
+      limits:
+        cpu: "1000m"
+        memory: "1024M"
+    volumeClaimTemplate:
+      accessModes: [ "ReadWriteOnce" ]
+      storageClassName: "single"
+      resources:
+        requests:
+          storage: 500M

kustomize/observability/elasticsearch/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: elastic-elasticsearch
+  namespace: system-observability
+spec:
+  interval: 1h
+  url: https://helm.elastic.co

kustomize/observability/elasticsearch/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+- helm-release.yaml
+- helm-repository.yaml
+- certificates.yaml

kustomize/observability/kibana/helm-release.yaml

@@ -0,0 +1,29 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kibana
+  namespace: system-observability
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: kibana
+      # renovate: datasource=helm depName=kibana package=kibana helmRepo=https://helm.elastic.co
+      version: "8.5.1"
+      sourceRef:
+        kind: HelmRepository
+        name: elastic-kibana
+        namespace: system-observability
+  values:
+    kibanaConfig:
+      kibana.yml: |
+        elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
+        elasticsearch.ssl.certificate: "/usr/share/kibana/config/certs/tls.crt"
+        elasticsearch.ssl.key: "/usr/share/kibana/config/certs/tls.key"
+    resources:
+      requests:
+        cpu: "1000m"
+        memory: "1Gi"
+      limits:
+        cpu: "1000m"
+        memory: "1Gi"

kustomize/observability/kibana/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: elastic-kibana
+  namespace: system-observability
+spec:
+  interval: 1h
+  url: https://helm.elastic.co

kustomize/observability/kibana/ingress/ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kibana
+  namespace: system-observability
+  annotations:
+    cert-manager.io/cluster-issuer: private
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: kibana.${DOMAIN}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: kibana-kibana
+            port:
+              number: 5601

kustomize/observability/kibana/ingress/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - ingress.yaml

kustomize/observability/kibana/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+- helm-release.yaml
+- helm-repository.yaml

kustomize/telemetry/base/filebeat/certificates.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: filebeat
+  namespace: system-telemetry
+spec:
+  secretName: filebeat-tls
+  issuerRef:
+    name: private
+    kind: ClusterIssuer
+  commonName: filebeat
+  usages:
+    - client auth

kustomize/telemetry/base/filebeat/helm-release.yaml

@@ -0,0 +1,44 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: filebeat
+  namespace: system-telemetry
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: filebeat
+      # renovate: datasource=helm depName=filebeat package=filebeat helmRepo=https://helm.elastic.co
+      version: "8.5.1"
+      sourceRef:
+        kind: HelmRepository
+        name: elastic-filebeat
+        namespace: system-telemetry
+  values:
+    daemonset:
+      secretMounts:
+        - name: filebeat-tls
+          secretName: filebeat-tls
+          path: /usr/share/filebeat/certs/
+      extraEnvs:
+        - name: ELASTICSEARCH_HOSTS
+          value: "elasticsearch-master.system-observability.svc.cluster.local"
+        - name: "ELASTICSEARCH_USERNAME"
+          valueFrom:
+            secretKeyRef:
+              name: elasticsearch-master-credentials
+              key: username
+        - name: "ELASTICSEARCH_PASSWORD"
+          valueFrom:
+            secretKeyRef:
+              name: elasticsearch-master-credentials
+              key: password
+        - name: "ssl.certificate_authorities"
+          value: "/usr/share/filebeat/certs/ca.crt"
+    resources:
+      requests:
+        cpu: "100m"
+        memory: "100M"
+      limits:
+        cpu: "500m"
+        memory: "300M"

kustomize/telemetry/base/filebeat/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: elastic-filebeat
+  namespace: system-telemetry
+spec:
+  interval: 1h
+  url: https://helm.elastic.co

kustomize/telemetry/base/filebeat/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+- secret-mgr.yaml
+- helm-release.yaml
+- helm-repository.yaml
+- certificates.yaml

kustomize/telemetry/base/filebeat/secret-mgr.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: secret-manager
+  namespace: system-telemetry
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: secret-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: secret-manager
+    namespace: system-telemetry
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: secret-manager-init-job
+  namespace: system-telemetry
+spec:
+  backoffLimit: 10
+  template:
+    spec:
+      containers:
+      - name: copy-k8s-secret
+        image: bitnami/kubectl:1.31.2
+        command: ["/bin/sh", "-c", "--"]
+        args:
+          - |
+            kubectl get secret elasticsearch-master-credentials -n system-observability -o yaml \
+              | yq eval 'del(.metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp, .metadata.managedFields) | .metadata.namespace = "system-telemetry"' - \
+              | kubectl apply -n system-telemetry -f -
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 1000
+          capabilities:
+            drop:
+              - ALL
+      restartPolicy: Never
+      volumes:
+        - name: temp-volume
+          emptyDir: {}
+      serviceAccountName: secret-manager
+