修改crd数据结构，支持匹配workload (#38)

Co-authored-by: lei.zhangDB <lei.zhangDB@eoitek.com>

README.md

@@ -0,0 +1,3 @@
+# Installation for Loggie
+
+Install loggie in kubernetes: https://loggie-io.github.io/docs/getting-started/install/kubernetes/

helm-chart/Chart.yaml

@@ -4,9 +4,8 @@ name: loggie
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.0.0
+version: v1.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.0.0
-
+appVersion: v1.4.0

helm-chart/crds/crd_v1beta1.yaml

@@ -1,82 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterlogconfigs.loggie.io
-spec:
-  group: loggie.io
-  versions:
-  - name: v1beta1
-    served: true
-    storage: true
-  scope: Cluster
-  names:
-    plural: clusterlogconfigs
-    singular: clusterlogconfig
-    kind: ClusterLogConfig
-    listKind: ClusterLogConfigList
-    shortNames:
-    - clgc
-  subresources:
-    status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: logconfigs.loggie.io
-spec:
-  group: loggie.io
-  versions:
-  - name: v1beta1
-    served: true
-    storage: true
-  scope: Namespaced
-  names:
-    plural: logconfigs
-    singular: logconfig
-    kind: LogConfig
-    listKind: LogConfigList
-    shortNames:
-    - lgc
-  subresources:
-    status: {}
-
----
-
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: interceptors.loggie.io
-spec:
-  group: loggie.io
-  versions:
-  - name: v1beta1
-    served: true
-    storage: true
-  scope: Cluster
-  names:
-    kind: Interceptor
-    listKind: InterceptorList
-    plural: interceptors
-    shortNames:
-      - icp
-    singular: interceptor
-
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: sinks.loggie.io
-spec:
-  group: loggie.io
-  versions:
-  - name: v1beta1
-    served: true
-    storage: true
-  scope: Cluster
-  names:
-    kind: Sink
-    listKind: SinkList
-    plural: sinks
-    singular: sink

helm-chart/crds/crds.yaml

@@ -2,10 +2,11 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.1
+  creationTimestamp: null
   name: clusterlogconfigs.loggie.io
 spec:
-  conversion:
-    strategy: None
   group: loggie.io
   names:
     kind: ClusterLogConfig
@@ -17,17 +18,122 @@ spec:
   scope: Cluster
   versions:
     - name: v1beta1
-      served: true
-      storage: true
       schema:
         openAPIV3Schema:
-          type: object
           properties:
-            spec:
-              x-kubernetes-preserve-unknown-fields: true
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
               type: object
+            spec:
+              properties:
+                pipeline:
+                  properties:
+                    interceptorRef:
+                      type: string
+                    interceptors:
+                      type: string
+                    name:
+                      type: string
+                    sink:
+                      type: string
+                    sinkRef:
+                      type: string
+                    sources:
+                      type: string
+                  type: object
+                selector:
+                  properties:
+                    cluster:
+                      type: string
+                    eoiPodSelector:
+                      items:
+                        properties:
+                          expr:
+                            type: string
+                          key:
+                            type: string
+                          value:
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      type: array
+                    excludeNamespaceSelector:
+                      items:
+                        type: string
+                      type: array
+                    labelSelector:
+                      additionalProperties:
+                        type: string
+                      type: object
+                    namespaceSelector:
+                      items:
+                        type: string
+                      type: array
+                    nodeSelector:
+                      additionalProperties:
+                        type: string
+                      type: object
+                    type:
+                      type: string
+                    workload_selector:
+                      items:
+                        properties:
+                          excludeNamespaceSelector:
+                            items:
+                              type: string
+                            type: array
+                          nameSelector:
+                            items:
+                              type: string
+                            type: array
+                          namespaceSelector:
+                            items:
+                              type: string
+                            type: array
+                          type:
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      type: array
+                  type: object
+              type: object
+            status:
+              properties:
+                message:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    observedGeneration:
+                      format: int64
+                      type: integer
+                    reason:
+                      type: string
+                  type: object
+              type: object
+          required:
+            - spec
+          type: object
+      served: true
+      storage: true
       subresources:
         status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
 
 ---
 apiVersion: apiextensions.k8s.io/v1
@@ -48,15 +154,82 @@ spec:
   scope: Namespaced
   versions:
     - name: v1beta1
-      served: true
-      storage: true
+      additionalPrinterColumns:
+      - description: select pods
+        jsonPath: .spec.selector.labelSelector
+        name: Pod Selector
+        type: string
+      - jsonPath: .metadata.creationTimestamp
+        name: Age
+        type: date
       schema:
         openAPIV3Schema:
-          type: object
           properties:
-            spec:
-              x-kubernetes-preserve-unknown-fields: true
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
               type: object
+            spec:
+              properties:
+                pipeline:
+                  properties:
+                    interceptorRef:
+                      type: string
+                    interceptors:
+                      type: string
+                    name:
+                      type: string
+                    sink:
+                      type: string
+                    sinkRef:
+                      type: string
+                    sources:
+                      type: string
+                    queue:
+                      type: string
+                  type: object
+                selector:
+                  properties:
+                    cluster:
+                      type: string
+                    labelSelector:
+                      additionalProperties:
+                        type: string
+                      type: object
+                    nodeSelector:
+                      additionalProperties:
+                        type: string
+                      type: object
+                    type:
+                      type: string
+                  type: object
+              type: object
+            status:
+              properties:
+                message:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    observedGeneration:
+                      format: int64
+                      type: integer
+                    reason:
+                      type: string
+                  type: object
+              type: object
+          required:
+          - spec
+          type: object
+      served: true
+      storage: true
       subresources:
         status: {}
 ---
@@ -78,15 +251,31 @@ spec:
   scope: Cluster
   versions:
   - name: v1beta1
-      served: true
-      storage: true
     schema:
       openAPIV3Schema:
-          type: object
         properties:
-            spec:
-              x-kubernetes-preserve-unknown-fields: true
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
             type: object
+          spec:
+            properties:
+              interceptors:
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
 
 ---
 apiVersion: apiextensions.k8s.io/v1
@@ -105,14 +294,29 @@ spec:
   scope: Cluster
   versions:
   - name: v1beta1
-      served: true
-      storage: true
     schema:
       openAPIV3Schema:
-          type: object
         properties:
-            spec:
-              x-kubernetes-preserve-unknown-fields: true
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
             type: object
-
+          spec:
+            properties:
+              sink:
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
 

helm-chart/templates/loggie-agent-daemonset.yaml

@@ -0,0 +1,127 @@
+{{- if .Values.aggregator.enabled }}
+# Do not create DaemonSet in Aggregator mode
+{{- else }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: loggie
+    instance: {{ template "loggie.name" . }}
+  name: {{ template "loggie.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: loggie
+      instance: {{ template "loggie.name" . }}
+  template:
+    metadata:
+      labels:
+        app: loggie
+        instance: {{ template "loggie.name" . }}
+    spec:
+      containers:
+        - args:
+            - -meta.nodeName=$(HOST_NAME)
+            - -config.system=/opt/loggie/loggie.yml
+            - -config.pipeline=/opt/loggie/pipeline/*.yml
+          {{- range $key, $value := .Values.extraArgs }}
+            - -{{ $key }}={{ $value }}
+          {{- end }}
+          env:
+            - name: HOST_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: TZ
+              value: {{.Values.timezone }}
+          {{- range $key, $value := .Values.extraEnvs }}
+            - name: {{ $key }}
+              value: {{ $value }}
+          {{- end }}
+          image: {{ .Values.image }}
+          name: loggie
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- if eq .Values.config.loggie.discovery.kubernetes.rootFsCollectionEnabled true }}
+          {{- if eq .Values.config.loggie.discovery.kubernetes.containerRuntime "containerd" }}
+          securityContext:
+            privileged: true
+          {{- end }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.extraVolumeMounts }}
+              {{ toYaml .Values.extraVolumeMounts | nindent 12}}
+            {{- end }}
+            - mountPath: /opt/loggie/loggie.yml
+              name: loggie-config
+              subPath: loggie.yml
+            - mountPath: /opt/loggie/pipeline
+              name: pipeline
+            - mountPath: /data/
+              name: registry
+            {{- if eq .Values.config.loggie.discovery.kubernetes.rootFsCollectionEnabled true }}
+            {{- if eq .Values.config.loggie.discovery.kubernetes.containerRuntime "docker" }}
+            - mountPath: /var/run/docker.sock
+              name: dockersocket
+            - mountPath: /var/lib/docker
+              mountPropagation: HostToContainer
+              name: docker
+            {{- end }}
+            {{- if eq .Values.config.loggie.discovery.kubernetes.containerRuntime "containerd" }}
+            - mountPath: /run/
+              mountPropagation: HostToContainer
+              name: hostrun
+            {{- end }}
+            {{- end }}
+
+      serviceAccountName: {{ template "loggie.name" . }}
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+      affinity:
+        {{- toYaml .Values.affinity | nindent 8 }}
+      tolerations:
+        {{- toYaml .Values.tolerations | nindent 8 }}
+      volumes:
+{{- if .Values.extraVolumes }}
+{{ toYaml .Values.extraVolumes | indent 8}}
+{{- end }}
+        - configMap:
+            defaultMode: 384
+            name: loggie-config-{{ template "loggie.name" . }}
+          name: loggie-config
+        - hostPath:
+            path: /data/loggie-{{ template "loggie.name" . }}
+            type: DirectoryOrCreate
+          name: registry
+        - emptyDir: {}
+          name: pipeline
+        {{- if eq .Values.config.loggie.discovery.kubernetes.rootFsCollectionEnabled true }}
+        {{- if eq .Values.config.loggie.discovery.kubernetes.containerRuntime "docker" }}
+        - hostPath:
+            path: /var/run/docker.sock
+            type: ""
+          name: dockersocket
+        - hostPath:
+            path: /var/lib/docker
+            type: DirectoryOrCreate
+          name: docker
+        {{- end }}
+        {{- if eq .Values.config.loggie.discovery.kubernetes.containerRuntime "containerd" }}
+        - hostPath:
+            path: /run
+            type: ""
+          name: hostrun
+        {{- end }}
+        {{- end }}
+
+      {{- if eq .Values.config.loggie.discovery.kubernetes.rootFsCollectionEnabled true }}
+      {{- if eq .Values.config.loggie.discovery.kubernetes.containerRuntime "containerd" }}
+      hostPID: true  
+      {{- end }}
+      {{- end }}
+
+  updateStrategy:
+    {{- toYaml .Values.updateStrategy | nindent 4 }}
+{{- end }}

helm-chart/templates/loggie-aggregator-statefulset.yaml

@@ -1,6 +1,6 @@
----
+{{- if .Values.aggregator.enabled }}
 apiVersion: apps/v1
-kind: DaemonSet
+kind: StatefulSet
 metadata:
   labels:
     app: loggie
@@ -8,6 +8,8 @@ metadata:
   name: {{ template "loggie.name" . }}
   namespace: {{ .Release.Namespace }}
 spec:
+  serviceName: {{ template "loggie.name" . }}
+  replicas: {{ .Values.aggregator.replicas }}
   selector:
     matchLabels:
       app: loggie
@@ -32,6 +34,12 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: spec.nodeName
+            - name: TZ
+              value: {{ .Values.timezone }}
+          {{- range $key, $value := .Values.extraEnvs }}
+            - name: {{ $key }}
+              value: {{ $value }}
+          {{- end }}
           image: {{ .Values.image }}
           name: loggie
           resources:
@@ -69,5 +77,7 @@ spec:
           name: registry
         - emptyDir: {}
           name: pipeline
+
   updateStrategy:
     {{- toYaml .Values.updateStrategy | nindent 4 }}
+{{- end }}

helm-chart/templates/loggie-configmap.yaml

@@ -2,7 +2,11 @@
 apiVersion: v1
 data:
   loggie.yml: |-
+    {{- if .Values.aggregator.enabled }}
+    {{- toYaml .Values.aggregator.config | nindent 4 }}
+    {{- else }}
     {{- toYaml .Values.config | nindent 4 }}
+    {{- end }}
 kind: ConfigMap
 metadata:
   name: loggie-config-{{ template "loggie.name" . }}

helm-chart/templates/loggie-rbac.yaml

@@ -7,7 +7,9 @@ rules:
   - apiGroups:
     - ""
     resources:
+      - replicasets
       - pods
+      - pods/log
       - nodes
     verbs:
       - get
@@ -48,6 +50,22 @@ rules:
       - watch
       - update
       - patch
+  - apiGroups:
+    - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - list
+      - update
+  - apiGroups:
+    - metrics.k8s.io
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

helm-chart/templates/loggie-servicemonitor.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: loggie-config-{{ template "loggie.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: loggie
+    instance: {{ template "loggie.name" . }}
+spec:
+  endpoints:
+  - port: monitor
+    {{- if .Values.serviceMonitor.interval }}
+    interval: {{ .Values.serviceMonitor.interval }}
+    {{- end }}
+    honorLabels: true
+{{- if .Values.serviceMonitor.metricRelabelings }}
+    metricRelabelings:
+{{ tpl (toYaml .Values.serviceMonitor.metricRelabelings | indent 4) . }}
+{{- end }}
+{{- if .Values.serviceMonitor.relabelings }}
+    relabelings:
+{{ toYaml .Values.serviceMonitor.relabelings | indent 4 }}
+{{- end }}
+  selector:
+    matchLabels:
+      app: loggie
+      instance: {{ template "loggie.name" . }}
+{{- end }}

helm-chart/values.yaml

@@ -1,5 +1,4 @@
-
-image: hub.c.163.com/loggie/loggie:v1.0.0
+image: loggieio/loggie:v1.4.0
 
 resources:
   limits:
@@ -11,31 +10,32 @@ resources:
 
 extraArgs: {}
   # log.level: debug
-  # log.jsonFormat: false
+  # log.jsonFormat: true
 
 extraVolumeMounts:
   - mountPath: /var/log/pods
     name: podlogs
+  - mountPath: /var/lib/docker/containers
+    name: dockercontainers
   - mountPath: /var/lib/kubelet/pods
     name: kubelet
-  - mountPath: /var/lib/docker
-    name: docker
-
 
 extraVolumes:
   - hostPath:
       path: /var/log/pods
       type: DirectoryOrCreate
     name: podlogs
+  - hostPath:
+      path: /var/lib/docker/containers
+      type: DirectoryOrCreate
+    name: dockercontainers
   - hostPath:
       path: /var/lib/kubelet/pods
       type: DirectoryOrCreate
     name: kubelet
-  - hostPath:
-      path: /var/lib/docker
-      type: DirectoryOrCreate
-    name: docker
 
+extraEnvs: {}
+timezone: Asia/Shanghai
 
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
 nodeSelector: {}
@@ -64,7 +64,7 @@ tolerations: []
 updateStrategy:
   type: RollingUpdate
 
-## Agent global config
+## Agent mode, ignored when aggregator.enabled is true
 config:
   loggie:
     reload:
@@ -75,48 +75,84 @@ config:
         period: 30s
         enabled: true
       listeners:
-        filesource: ~
-        filewatcher: ~
-        reload: ~
-        sink: ~
+        filesource:
+          period: 10s
+        filewatcher:
+          period: 5m
+        reload:
+          period: 10s
+        sink:
+          period: 10s
+        queue:
+          period: 10s
+        pipeline:
+          period: 10s
+
     discovery:
       enabled: true
       kubernetes:
+        # Choose: docker or containerd
         containerRuntime: containerd
-        fields:
-          container.name: containername
-          logConfig: logconfig
-          namespace: namespace
-          node.name: nodename
-          pod.name: podname
+        # Collect log files inside the container from the root filesystem of the container, no need to mount the volume
+        rootFsCollectionEnabled: false
+        # Automatically parse and convert the wrapped container standard output format into the original log content
+        parseStdout: false
+        # If set to true, it means that the pipeline configuration generated does not contain specific Pod paths and meta information,
+        # and these data will be dynamically obtained by the file source, thereby reducing the number of configuration changes and reloads.
+        dynamicContainerLog: false
+        # Automatically add fields when selector.type is pod in logconfig/clusterlogconfig
+        typePodFields:
+          logconfig: "${_k8s.logconfig}"
+          namespace: "${_k8s.pod.namespace}"
+          nodename: "${_k8s.node.name}"
+          podname: "${_k8s.pod.name}"
+          containername: "${_k8s.pod.container.name}"
+
     http:
       enabled: true
       port: 9196
 
-## Aggregator global config
-# config:
-#   loggie:
-#     reload:
-#       enabled: true
-#       period: 10s
-#     monitor:
-#       logger:
-#         period: 30s
-#         enabled: true
-#       listeners:
-#         reload: ~
-#         sink: ~
-#     discovery:
-#       enabled: true
-#       kubernetes:
-#         cluster: aggregator
-#     http:
-#       enabled: true
-#       port: 9196
+## Aggregator mode, by default is disabled
+aggregator:
+  enabled: false
+  replicas: 2
+  config:
+    loggie:
+      reload:
+        enabled: true
+        period: 10s
+      monitor:
+        logger:
+          period: 30s
+          enabled: true
+        listeners:
+          reload:
+            period: 10s
+          sink:
+            period: 10s
+      discovery:
+        enabled: true
+        kubernetes:
+          cluster: aggregator
+          containerRuntime: none
+      http:
+        enabled: true
+        port: 9196
 
 
 servicePorts:
   - name: monitor
     port: 9196
     targetPort: 9196
+#  - name: gprc
+#    port: 6066
+#    targetPort: 6066
+
+
+serviceMonitor:
+  enabled: false
+  ## Scrape interval. If not set, the Prometheus default scrape interval is used.
+  interval: 30s
+  relabelings: []
+  metricRelabelings: []
 

operator-helm-chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+

operator-helm-chart/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+description: A Helm chart for Loggie Operator
+name: loggie-operator
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: v0.1.0-rc.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: v0.1.0-rc.0

operator-helm-chart/templates/_helpers.tpl

@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "operator.name" -}}
+{{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "operator.fullname" -}}
+{{- $name := default .Release.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

operator-helm-chart/templates/cert/cert-gen-configmap.yaml

@@ -0,0 +1,147 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: loggie-operator-cert-gen-{{ template "operator.name" . }}
+  namespace: {{ .Release.Namespace }}
+data:
+  generate_cert.sh: |
+    #!/bin/bash
+    
+    set -e
+    
+    CERT_DIR="/tmp/cert"
+    SERVER_PORT=9443
+    SECRET=loggie-operator-webhook
+    NAMESPACE=loggie
+    
+    usage() {
+      cat <<EOF
+    usage: ${0} [OPTIONS]
+    The following flags are required.
+        --hostname         To deploy in Kubernetes, please use {serviceName}.{namespace}.svc;
+                              locally, please use the IP address where the Loggie operator is running locally.
+    
+    The following flags are optional.
+        --namespace        Namespace where webhook service and secret reside. defaults: loggie
+        --secret           Secret name for CA certificate and server certificate/key pair. defaults: loggie-webhook
+        --cert-dir         The directory where the certificate is stored. defaults: "/tmp/cert"
+        --server-port      Server Port. defaults: 9443
+    EOF
+      exit 1
+    }
+    
+    while [ $# -gt 0 ]; do
+      case ${1} in
+          --hostname)
+              HOST_NAME="$2"
+              shift
+              ;;
+          --namespace)
+              NAMESPACE="$2"
+              shift
+              ;;
+          --secret)
+              SECRET="$2"
+              shift
+              ;;
+          --cert-dir)
+              CERT_DIR="$2"
+              shift
+              ;;
+          --server-port)
+              SERVER_PORT="$2"
+              shift
+              ;;
+
+          *)
+              usage
+              ;;
+      esac
+      shift
+    done
+    
+    [ -z "${HOST_NAME}" ] && echo "ERROR: --hostname flag is required" && exit 1
+    
+    
+    mkdir -p ${CERT_DIR}
+    cd ${CERT_DIR}
+    cat > ca-config.json <<EOF
+    {
+      "signing": {
+        "default": {
+          "expiry": "87600h"
+        },
+        "profiles": {
+          "server": {
+            "usages": ["signing", "key encipherment", "server auth", "client auth"],
+            "expiry": "87600h"
+          }
+        }
+      }
+    }
+    EOF
+    
+    cat > ca-csr.json <<EOF
+    {
+      "CN": "Kubernetes",
+      "key": {
+        "algo": "rsa",
+        "size": 2048
+      },
+      "names": [
+        {
+          "C": "China",
+          "L": "Hangzhou",
+          "O": "Kubernetes",
+          "OU": "Kubernetes",
+          "ST": "Oregon"
+        }
+      ]
+    }
+    EOF
+    
+    cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+    
+    cat > server-csr.json <<EOF
+    {
+      "CN": "admission",
+      "key": {
+        "algo": "rsa",
+        "size": 2048
+      },
+      "names": [
+        {
+          "C": "China",
+          "L": "Hangzhou",
+          "O": "Kubernetes",
+          "OU": "Kubernetes",
+          "ST": "Oregon"
+        }
+      ]
+    }
+    EOF
+    
+    cfssl gencert \
+      -ca=ca.pem \
+      -ca-key=ca-key.pem \
+      -config=ca-config.json \
+      -hostname=${HOST_NAME} \
+      -profile=server \
+      server-csr.json | cfssljson -bare server
+        
+    # create the secret with CA cert and server cert/key
+    kubectl create secret tls "${SECRET}" \
+          --key="${CERT_DIR}/server-key.pem" \
+          --cert="${CERT_DIR}/server.pem" \
+          --dry-run=client -o yaml |
+      kubectl -n "${NAMESPACE}" apply -f -
+
+    while true; do
+      echo "INFO: Trying to patch webhook adding the caBundle."
+      if kubectl patch "${kind:-mutatingwebhookconfiguration}" 'loggie-operator-webhook-{{ template "operator.name" . }}' --type='json' -p "[{'op': 'add', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'$(cat ca.pem | base64 -w0)'}]"; then
+        break
+      fi
+      echo "INFO: webhook not patched. Retrying in 5s..."
+      sleep 5
+    done

operator-helm-chart/templates/cert/cert-job.yaml

@@ -0,0 +1,55 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: loggie-operator-webhook-cert-setup-{{ template "operator.name" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-delete-policy": before-hook-creation
+
+spec:
+  template:
+    spec:
+      serviceAccountName: loggie-operator-cert-{{ template "operator.name" . }}
+      containers:
+      - name: webhook-cert-setup
+        env:
+        - name: TZ
+          value: {{ .Values.timezone }}
+        image: {{ .Values.image.certSetup }}
+        command: ["./opt/generate_cert.sh"]
+        args:
+          - "--hostname"
+          - {{ template "operator.name" . }}.{{ .Release.Namespace }}.svc
+          - "--namespace"
+          - {{ .Release.Namespace }}
+          - "--secret"
+          - loggie-operator-webhook-{{ template "operator.name" . }}
+        volumeMounts:
+        - name: gen-cert
+          mountPath: /opt/generate_cert.sh
+          subPath: generate_cert.sh
+        resources:
+          limits:
+            cpu: 1
+            memory: 100Mi
+          requests:
+            cpu: 0.5
+            memory: 50Mi
+      restartPolicy: OnFailure
+      volumes:
+      - name: gen-cert
+        configMap:
+          name: loggie-operator-cert-gen-{{ template "operator.name" . }}
+          items:
+          - key: generate_cert.sh
+            path: generate_cert.sh
+            mode: 0755
+
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+      affinity:
+        {{- toYaml .Values.affinity | nindent 8 }}
+      tolerations:
+        {{- toYaml .Values.tolerations | nindent 8 }}
+  backoffLimit: 3

operator-helm-chart/templates/cert/cert-mutatingwebhookconfiguration.yaml

@@ -0,0 +1,37 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: loggie-operator-webhook-{{ template "operator.name" . }}
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        namespace: {{ .Release.Namespace }}
+        name: {{ template "operator.name" . }}
+        path: /mutate-inject-sidecar
+        port: 9443
+    failurePolicy: Ignore
+    matchPolicy: Equivalent
+    name: sidecar-injector-webhook.loggie.io
+    namespaceSelector: {}
+    objectSelector:
+      matchExpressions:
+      - key: sidecar.loggie.io/inject
+        operator: NotIn
+        values:
+        - "false"
+
+    rules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - pods
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 3

operator-helm-chart/templates/cert/cert-rbac.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: loggie-operator-cert-role-{{ template "operator.name" . }}
+rules:
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["create", "update", "get", "list", "patch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create", "update", "get", "list", "patch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: loggie-operator-cert-rolebinding-{{ template "operator.name" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: loggie-operator-cert-role-{{ template "operator.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: loggie-operator-cert-{{ template "operator.name" . }}
+    namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: loggie-operator-cert-{{ template "operator.name" . }}
+  namespace: {{ .Release.Namespace }}

operator-helm-chart/templates/operator/loggie-operator-configmap.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+data:
+  config.yml: |
+    {{- toYaml .Values.config | nindent 4 }}
+kind: ConfigMap
+metadata:
+  name: loggie-operator-config-{{ template "operator.name" . }}
+  namespace: {{ .Release.Namespace }}

operator-helm-chart/templates/operator/loggie-operator-deployment.yaml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: loggie-operator
+  name: {{ template "operator.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: loggie-operator
+  template:
+    metadata:
+      labels:
+        app: loggie-operator
+    spec:
+      containers:
+      - args:
+        - -cert-dir=/tmp/cert
+        - -config-path=/etc/config.yml
+        - -leader-elect=true
+        {{- range $key, $value := .Values.extraArgs }}
+          - -{{ $key }}={{ $value }}
+        {{- end }}
+        image: {{ .Values.image.operator }}
+        env:
+        - name: TZ
+          value: {{ .Values.timezone }}
+        name: operator
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+        volumeMounts:
+        - mountPath: /etc/config.yml
+          name: config
+          subPath: config.yml
+        - name: cert
+          mountPath: "/tmp/cert"
+
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+      affinity:
+        {{- toYaml .Values.affinity | nindent 8 }}
+      tolerations:
+        {{- toYaml .Values.tolerations | nindent 8 }}
+      serviceAccountName: loggie-operator-{{ template "operator.name" . }}
+      volumes:
+      - name: config
+        configMap:
+          name: loggie-operator-config-{{ template "operator.name" . }}
+      - name: cert
+        secret:
+         secretName: loggie-operator-webhook-{{ template "operator.name" . }}

operator-helm-chart/templates/operator/loggie-operator-rbac.yaml

@@ -0,0 +1,80 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: loggie-operator-role-{{ template "operator.name" . }}
+rules:
+  - apiGroups:
+    - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+    - ""
+    resources:
+      - events
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - create
+      - patch
+  - apiGroups:
+    - extensions
+    - apps
+    resources:
+      - deployments
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+  - apiGroups:
+    - loggie.io
+    resources:
+      - logconfigs
+      - logconfigs/status
+      - clusterlogconfigs
+      - clusterlogconfigs/status
+      - sinks
+      - interceptors
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+  - apiGroups:
+    - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - list
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: loggie-operator-rolebinding-{{ template "operator.name" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: loggie-operator-role-{{ template "operator.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: loggie-operator-{{ template "operator.name" . }}
+    namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: loggie-operator-{{ template "operator.name" . }}
+  namespace: {{ .Release.Namespace }}

operator-helm-chart/templates/operator/loggie-operator-service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: loggie-operator
+  name: {{ template "operator.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - name: operator
+    port: 9443
+    targetPort: 9443
+  selector:
+    app: loggie-operator
+  type: ClusterIP

operator-helm-chart/values.yaml

@@ -0,0 +1,58 @@
+image: 
+  certSetup: loggieio/operator-webhook-cert-setup:v1.0.0
+  operator: docker.io/loggieio/loggie-operator:main-0af197d
+
+resources:
+  limits:
+    cpu: 2
+    memory: 2Gi
+  requests:
+    cpu: 100m
+    memory: 100Mi
+
+extraArgs: {}
+
+timezone: Asia/Shanghai
+
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+nodeSelector: {}
+
+## Affinity for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+affinity: {}
+# podAntiAffinity:
+#   requiredDuringSchedulingIgnoredDuringExecution:
+#   - labelSelector:
+#       matchExpressions:
+#       - key: app
+#         operator: In
+#         values:
+#         - loggie
+#     topologyKey: "kubernetes.io/hostname"
+
+## Tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+# - effect: NoExecute
+#   operator: Exists
+# - effect: NoSchedule
+#   operator: Exists
+
+## operator config content
+config:
+  sidecar:
+    enabled: true
+    image: loggieio/loggie:main-1a321f3
+    systemConfig: |
+      loggie:
+        monitor:
+          logger:
+            period: 30s
+            enabled: true
+          listeners:
+            filesource: ~
+            reload: ~
+            sink: ~
+            queue: ~
+        http:
+          enabled: true