Change the config.tag value to actually be config.group to be more consistent with the master chart. Ensure backwards compatibility for config.tag in the process

Please add the following configuration option to the leader and worker helm chart to support other firewall rules than 0.0.0.0/0

spec:
  loadBalancerSourceRanges:
    - "10.0.0.0/8"

This is based on configuration options provided by GCP:
https://cloud.google.com/kubernetes-engine/docs/how-to/service-parameters

Add Support for running a workergroup as a daemonset

Add support for additionalContainers as sidecars.

For consistency with workergroup chart, health probes on leader chart should allow disabling, but be enabled by default.

When installing the charts for logstream-master, the following warning is thrown when specifying any group overrides:

coalesce.go:200: warning: cannot overwrite table with non table for groups (map[])

config.groups needs to be changed from and object to array {} -> []

At least:

• topologySpreadConstraints
• tolerations

References to master need to change to "Leader"
References to "whitelist" need to change to "allowlist"
References to "blacklist" need to change to "blocklist"

Allows for storing in Vault, etc. instead of Helm values

Add Support for extraInitContainers in workergroup chart config. This would most likely be used alongside any extraVolumeMounts to prepare a volume for use.

The following issues need to be documented in the repo:

1. Running a distributed deployment with a free license - need to note the caveats of only using one group and how to do it (there is a UI portion that needs to happen).
2. Issues with persisitent storage on master - specifically EKS issue due to EBS availability zone aware k8s scheduling.

The default of -2 for worker process can cause a problem on k8s (due to the pod seeing the CPUs allocated to the node, unrelated to the requests/limits setup. Have the default setup in LogStream equal the default request/limit values.

Currently, if you deploy on an IPv6 cluster, the chart will fail, because cribl.yml defaults to using 0.0.0.0 as the API Server bind address. Provide an option to use the IPv6 equivalent on install.

https://github.blog/2022-04-18-highlights-from-git-2-36/

Beginning in Git 2.35.2, Git changed its default behavior to prevent you from executing git commands in a repository owned by a different user than the current one. This is designed to prevent git invocations from unintentionally executing commands which the repository owner configured.

Noticing in deployments that workers will scale out on a commit/deploy because the CPU spikes for a few seconds. We should add a stabilizationWindowSeconds setting for scale up and down for the HPA configs.

I would like to have support for having custom labels to the Kubernetes resources and have it pass via the values.yaml.

I think we can probably add the custom lables support here, something like --

{{- if .Values.labels}}
{{ toYaml .Values.labels }}
{{- end }}

Add Support to define a user to run logstream as

For logstream-workergroup/template/hpa.yaml
metadata: {{- if .Values.config.group }} name: {{ include "logstream-workergroup.fullname" . }}-{{ .Values.config.group }} {{- else if .Values.config.tag }} name: {{ include "logstream-workergroup.fullname" . }}-{{ .Values.config.tag }} {{- end }}
Maybe we can use something other than values.config.group as its causing some issues with the hpa naming constraints.
Some of the group names in our org were setup by a different team and they contain underscores.
ERROR:
Error: UPGRADE FAILED: failed to create resource: HorizontalPodAutoscaler.autoscaling "foo-usc1-logstream-workergroup-cloud_foo_us-central-1" is invalid: metadata.name: Invalid value: "foo-usc1-logstream-workergroup-cloud_foo_us-central-1": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

Throws coalesce errors when overriding.

replace [] with {}

Add Support to define a user to run logstream as

Add Support for extraSecretMounts in workergroup chart config. Allow externally created secrets to be mounted within the cribl containers in the pods.

Add Support for extraConfigMapMounts in Master chart config to provide a mechanism for external configuration/file injection

HEC is a commonly used protocol and would be nice to have port 8088 added to the default ports for worker group chart

This doesn't allow setting a custom service account where you might be running multiple flavors of the workergroup in the same namespace and use one service account. Would be nice to have this as an overrideable field in values.yaml

We currently do not support using TLS to connect to the leader.

Create a single Helm Chart that can deploy an entire distributed system, supporting all the capabilities of the individual charts

Add nodeSelector option for the workgroup chart, examples exist for the pod config in the master chart. https://github.com/criblio/helm-charts/blob/master/helm-chart-sources/logstream-master/templates/_pod.tpl#L195-L198

Add Support for extraVolumeMounts in workergroup chart config. Allow externally created volume claims, or host mount or empty dir mounts to be mounted within the cribl containers in the pods.

Add support for arbitrary cluster role rules in addition to the default API rule.

Edge knows to look in /hostfs mount for the Docker sock, so this is redundant/unnecessary in current releases.

Add Support for extraInitContainers in master chart config. This would likely be used for any pre-run initialization of persistent storage beyond what is done by default.

Support the ability to use the liveness and readiness checks for all charts on IPv6

Add ability to support UDP in the Service

From #25

Add Support for extraSecretMounts in master chart config. Allow externally created secrets to be mounted within the cribl containers in the pods.

Installed build 4.0.4 via Helm and set a password using config.adminPassword

helm install ls-leader cribl/logstream-leader \
  --set "config.groups={wg1,wg2}" \
  --set config.token="criblmaster" \
  --set config.adminPassword="password" \
  --set config.license="<jwt license>" \
  -n cribl-stream

Updated the tags in the Releases helm chart and changed the tag to 4.1.0-TC44 and upgraded my instance and notice that the Role is now blank.

With the new Data Subscription role, something went wrong because the Admin user's "Admin" role changed to "User".

You have to be careful here and manually add Admin role back to prevent losing all access.

Add support for arbitrary cluster role rules in addition to the default API rule.

Right now .github/workflows/release.yml is a mess of actions I cobbled together almost 1.5 years ago. There is an official Helm Chart releaser action that does this same workflow in a single action step. Investigate whether we can replace the current solution with the official action from Helm.

https://github.com/helm/chart-releaser-action

Should have by default:

• Cribl HTTP (10200)
• Cribl TCP (10300)

Add Support for using an Ingress object in place of a loadbalancer service

@sbeamish points out that the worker group chart does not support privileged mode which will prevent Edge from reading the host logs in K8s.

Multiple customers have requested support for having fixed/static IP addresses for the load balancers in all of the services. This will implement the loadBalancerIP service parameter, but this is dependent upon the Kubernetes environment supporting that capability (many don't).

Add Support for extraVolumeMounts in workergroup chart config. Allow externally created volume claims, or host mount or empty dir mounts to be mounted within the cribl containers in the pods.

Add Support for extraConfigMapMounts in workergroup chart config to provide a mechanism for external configuration/file injection

Adding the externalTrafficPolicy option allows for configuring if the real IP is shown (Local) or not (Cluster). See MetalLB docs for details. Without it, internal kubernetes IPs are shown when sending logs to workers behind a kubernetes service.

No release artifacts are uploaded for the pod-killer chart. Are we still using this @stevelitras?

Possible source of issue: https://github.com/criblio/helm-charts/blob/master/.github/workflows/release.yml#L42