Merge branch 'improvement/ARTESCA-14986-bump-fluent-bit' into q/130.0

bert-e · bert-e · commit 717b5a3b0718 · 2025-04-14T09:21:33.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,10 @@
   [v2.42.0](https://github.com/dexidp/dex/releases/tag/v2.42.0)
   (PR[#4558](https://github.com/scality/metalk8s/pull/4558))
 
+- Bump Fluent Bit image version to [3.2.8](https://github.com/fluent/fluent-bit/releases/tag/v3.2.8)
+  and Fluent Bit Helm chart version to [0.48.9](https://github.com/fluent/helm-charts/releases/tag/fluent-bit-0.48.9)
+  (PR[#4559](https://github.com/scality/metalk8s/pull/4559))
+
 ## Release 129.0.1 (in development)
 
 ### Enhancements
diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py
@@ -273,8 +273,8 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
     ),
     Image(
         name="fluent-bit",
-        version="3.1.9",
-        digest="sha256:4af3920cc2ff976200e0fc09f23e7ca4ee7d4477a6d592cb496fc39378181b02",
+        version="3.2.8",
+        digest="sha256:14da4a52ecdbb9bd9cb7a16ff6b4c7f391a4006cb13f84b5957e4608cc613e2c",
     ),
     Image(
         name="cert-manager-controller",
diff --git a/charts/fluent-bit/Chart.yaml b/charts/fluent-bit/Chart.yaml
@@ -1,9 +1,9 @@
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: "Updated Fluent Bit OCI image to v3.1.9"
+      description: "Updated Fluent Bit OCI image to v3.2.8."
 apiVersion: v1
-appVersion: 3.1.9
+appVersion: 3.2.8
 description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD
   family operating systems.
 home: https://fluentbit.io/
@@ -24,4 +24,4 @@ maintainers:
 name: fluent-bit
 sources:
 - https://github.com/fluent/fluent-bit/
-version: 0.47.10
+version: 0.48.9
diff --git a/charts/fluent-bit/README.md b/charts/fluent-bit/README.md
@@ -27,7 +27,7 @@ Fluent Bit allows us to build filter to modify the incoming records using custom
 
 ### How to use Lua scripts with this Chart
 
-First, you should add your Lua scripts to `luaScripts` in values.yaml, for example:
+First, you should add your Lua scripts to `luaScripts` in values.yaml, templating is supported.
 
 ```yaml
 luaScripts:
diff --git a/charts/fluent-bit/ci/ci-values.yaml b/charts/fluent-bit/ci/ci-values.yaml
@@ -3,6 +3,41 @@ testFramework:
 
 logLevel: debug
 
+extraVolumeMounts:
+  - name: extra-volume
+    mountPath: /extra-volume-path
+  - name: another-extra-volume
+    mountPath: /another-extra-volume-path
+
+extraVolumes:
+  - name: extra-volume
+    emptyDir: {}
+  - name: another-extra-volume
+    emptyDir: {}
+
 dashboards:
   enabled: true
   deterministicUid: true
+
+luaScripts:
+  filter_example.lua: |
+    function filter_name(tag, timestamp, record)
+        -- put your lua code here.
+    end
+  filter_with_templating_example.lua: |
+    local log_level = {{ .Values.logLevel | quote }}
+    function filter_with_templating_name(tag, timestamp, record)
+        -- put your lua code here.
+    end
+
+config:
+  outputs: |
+    [OUTPUT]
+        name   stdout
+        match  *
+
+hotReload:
+  enabled: true
+  extraWatchVolumes:
+    - extra-volume
+    - another-extra-volume
diff --git a/charts/fluent-bit/templates/_pod.tpl b/charts/fluent-bit/templates/_pod.tpl
@@ -108,11 +108,18 @@ containers:
       - {{ printf "-webhook-url=http://localhost:%s/api/v2/reload" (toString .Values.metricsPort) }}
       - -volume-dir=/watch/config
       - -volume-dir=/watch/scripts
+      {{- range $idx, $val := .Values.hotReload.extraWatchVolumes }}
+      - {{ printf "-volume-dir=/watch/extra-%d" (int $idx) }}
+      {{- end }}
     volumeMounts:
       - name: config
         mountPath: /watch/config
       - name: luascripts
         mountPath: /watch/scripts
+      {{- range $idx, $val := .Values.hotReload.extraWatchVolumes }}
+      - name: {{ $val }}
+        mountPath: {{ printf "/watch/extra-%d" (int $idx) }}
+      {{- end }}
     {{- with .Values.hotReload.resources }}
     resources:
       {{- toYaml . | nindent 12 }}
@@ -132,7 +139,7 @@ volumes:
 {{- if or .Values.luaScripts .Values.hotReload.enabled }}
   - name: luascripts
     configMap:
-      name: {{ include "fluent-bit.fullname" . }}-luascripts
+      name: {{ include "fluent-bit.fullname" . }}-luascripts 
 {{- end }}
 {{- if eq .Values.kind "DaemonSet" }}
   {{- toYaml .Values.daemonSetVolumes | nindent 2 }}
diff --git a/charts/fluent-bit/templates/configmap-luascripts.yaml b/charts/fluent-bit/templates/configmap-luascripts.yaml
@@ -8,6 +8,6 @@ metadata:
     {{- include "fluent-bit.labels" . | nindent 4 }}
 data:
   {{ range $key, $value := .Values.luaScripts }}
-  {{ $key }}: {{ $value | quote }}
+  {{ $key }}: {{ (tpl $value $) | quote }}
   {{ end }}
 {{- end -}}
diff --git a/charts/fluent-bit/templates/psp.yaml b/charts/fluent-bit/templates/psp.yaml
@@ -20,12 +20,15 @@ spec:
   hostNetwork: {{ .Values.hostNetwork }}
   hostIPC: false
   hostPID: false
+{{- with .Values.podSecurityPolicy.runAsUser }}
   runAsUser:
-    # TODO: Require the container to run without root privileges.
-    rule: 'RunAsAny'
+  {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.podSecurityPolicy.seLinux }}
   seLinux:
-    # This policy assumes the nodes are using AppArmor rather than SELinux.
-    rule: 'RunAsAny'
+  {{- toYaml . | nindent 4 }}
+{{- end }}
+
   supplementalGroups:
     rule: 'MustRunAs'
     ranges:
diff --git a/charts/fluent-bit/templates/scc.yaml b/charts/fluent-bit/templates/scc.yaml
@@ -24,10 +24,14 @@ forbiddenSysctls:
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
   - MKNOD
+{{- with .Values.openShift.securityContextConstraints.runAsUser }}
 runAsUser:
-  type: RunAsAny
+  {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.openShift.securityContextConstraints.seLinuxContext }}
 seLinuxContext:
-  type: MustRunAs
+  {{- toYaml . | nindent 4 }}
+{{- end }}
 supplementalGroups:
   type: RunAsAny
 volumes:
diff --git a/charts/fluent-bit/templates/tests/test-connection.yaml b/charts/fluent-bit/templates/tests/test-connection.yaml
@@ -17,7 +17,7 @@ spec:
       image: {{ include "fluent-bit.image" .Values.testFramework.image | quote }}
       imagePullPolicy: {{ .Values.testFramework.image.pullPolicy }}
       command: ["sh"]
-      args: ["-c", "wget -O- {{ include "fluent-bit.fullname" . }}:{{ .Values.service.port }}"]
+      args: ["-c", "sleep 5s && wget -O- {{ include "fluent-bit.fullname" . }}:{{ .Values.service.port }}"]
   {{- with .Values.imagePullSecrets }}
   imagePullSecrets:
     {{- toYaml . | nindent 4 }}
diff --git a/charts/fluent-bit/values.yaml b/charts/fluent-bit/values.yaml
@@ -45,6 +45,11 @@ rbac:
 podSecurityPolicy:
   create: false
   annotations: {}
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: RunAsAny
 
 # OpenShift-specific configuration
 openShift:
@@ -54,6 +59,10 @@ openShift:
     create: true
     name: ""
     annotations: {}
+    runAsUser:
+      type: RunAsAny
+    seLinuxContext:
+      type: MustRunAs
     # Use existing SCC in cluster, rather then create new one
     existingName: ""
 
@@ -98,14 +107,13 @@ service:
   # nodePort: 30020
   # clusterIP: 172.16.10.1
   annotations: {}
-#   prometheus.io/path: "/api/v1/metrics/prometheus"
-#   prometheus.io/port: "2020"
-#   prometheus.io/scrape: "true"
+  #   prometheus.io/path: "/api/v1/metrics/prometheus"
+  #   prometheus.io/port: "2020"
+  #   prometheus.io/scrape: "true"
   externalIPs: []
   # externalIPs:
   #  - 2.2.2.2
 
-
 serviceMonitor:
   enabled: false
   #   namespace: monitoring
@@ -362,6 +370,7 @@ networkPolicy:
 #   ingress:
 #     from: []
 
+# See Lua script configuration example in README.md
 luaScripts: {}
 
 ## https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file
@@ -506,7 +515,8 @@ hotReload:
   enabled: false
   image:
     repository: ghcr.io/jimmidyson/configmap-reload
-    tag: v0.11.1
+    tag: v0.14.0
     digest:
     pullPolicy: IfNotPresent
   resources: {}
+  extraWatchVolumes: []
diff --git a/salt/metalk8s/addons/logging/fluent-bit/deployed/chart.sls b/salt/metalk8s/addons/logging/fluent-bit/deployed/chart.sls
@@ -15,8 +15,8 @@ metadata:
     app.kubernetes.io/managed-by: salt
     app.kubernetes.io/name: fluent-bit
     app.kubernetes.io/part-of: metalk8s
-    app.kubernetes.io/version: 3.1.9
-    helm.sh/chart: fluent-bit-0.47.10
+    app.kubernetes.io/version: 3.2.8
+    helm.sh/chart: fluent-bit-0.48.9
     heritage: metalk8s
   name: fluent-bit
   namespace: metalk8s-logging
@@ -1596,9 +1596,9 @@ metadata:
     app.kubernetes.io/managed-by: salt
     app.kubernetes.io/name: fluent-bit
     app.kubernetes.io/part-of: metalk8s
-    app.kubernetes.io/version: 3.1.9
+    app.kubernetes.io/version: 3.2.8
     grafana_dashboard: '1'
-    helm.sh/chart: fluent-bit-0.47.10
+    helm.sh/chart: fluent-bit-0.48.9
     heritage: metalk8s
   name: fluent-bit-dashboard-fluent-bit
   namespace: metalk8s-logging
@@ -1611,8 +1611,8 @@ metadata:
     app.kubernetes.io/managed-by: salt
     app.kubernetes.io/name: fluent-bit
     app.kubernetes.io/part-of: metalk8s
-    app.kubernetes.io/version: 3.1.9
-    helm.sh/chart: fluent-bit-0.47.10
+    app.kubernetes.io/version: 3.2.8
+    helm.sh/chart: fluent-bit-0.48.9
     heritage: metalk8s
   name: fluent-bit
   namespace: metalk8s-logging
@@ -1635,8 +1635,8 @@ metadata:
     app.kubernetes.io/managed-by: salt
     app.kubernetes.io/name: fluent-bit
     app.kubernetes.io/part-of: metalk8s
-    app.kubernetes.io/version: 3.1.9
-    helm.sh/chart: fluent-bit-0.47.10
+    app.kubernetes.io/version: 3.2.8
+    helm.sh/chart: fluent-bit-0.48.9
     heritage: metalk8s
   name: fluent-bit
   namespace: metalk8s-logging
@@ -1657,8 +1657,8 @@ metadata:
     app.kubernetes.io/managed-by: salt
     app.kubernetes.io/name: fluent-bit
     app.kubernetes.io/part-of: metalk8s
-    app.kubernetes.io/version: 3.1.9
-    helm.sh/chart: fluent-bit-0.47.10
+    app.kubernetes.io/version: 3.2.8
+    helm.sh/chart: fluent-bit-0.48.9
     heritage: metalk8s
   name: fluent-bit
   namespace: metalk8s-logging
@@ -1681,8 +1681,8 @@ metadata:
     app.kubernetes.io/managed-by: salt
     app.kubernetes.io/name: fluent-bit
     app.kubernetes.io/part-of: metalk8s
-    app.kubernetes.io/version: 3.1.9
-    helm.sh/chart: fluent-bit-0.47.10
+    app.kubernetes.io/version: 3.2.8
+    helm.sh/chart: fluent-bit-0.48.9
     heritage: metalk8s
   name: fluent-bit
   namespace: metalk8s-logging
@@ -1708,7 +1708,7 @@ spec:
         - --config=/fluent-bit/etc/conf/fluent-bit.conf
         command:
         - /fluent-bit/bin/fluent-bit
-        image: {% endraw -%}{{ build_image_name("fluent-bit", False) }}{%- raw %}:3.1.9
+        image: {% endraw -%}{{ build_image_name("fluent-bit", False) }}{%- raw %}:3.2.8
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -1773,8 +1773,8 @@ metadata:
     app.kubernetes.io/managed-by: salt
     app.kubernetes.io/name: fluent-bit
     app.kubernetes.io/part-of: metalk8s
-    app.kubernetes.io/version: 3.1.9
-    helm.sh/chart: fluent-bit-0.47.10
+    app.kubernetes.io/version: 3.2.8
+    helm.sh/chart: fluent-bit-0.48.9
     heritage: metalk8s
     metalk8s.scality.com/monitor: ''
   name: fluent-bit
