add opensearch to dev worker cluster

add a test opensearch instance to run on dev worker cluster to test collecting k8s logs

Author: anish-mudaraddi

clusters/dev/worker/apps.yaml

@@ -0,0 +1,88 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cloud-deployed-apps
+  namespace: argocd
+spec:
+  destination:
+    namespace: argocd
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    repoURL: https://github.com/stfc/cloud-deployed-apps.git
+    targetRevision: main
+    path: clusters/dev/worker
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: true
+      allowEmpty: true
+    syncOptions:
+      - CreateNamespace=true
+
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: worker-apps
+  namespace: argocd
+spec:
+  generators:
+    - list:
+        elements:
+          - name: "argocd"
+            chartName: argocd
+
+            # NOTE: each chart needs a valuesFile for this to work
+            # so create one for each chart - even if its empty
+
+            # argocd and all dependencies use the same file "argocd-setup-values.yaml"
+            valuesFile: ../../../clusters/dev/worker/argocd-setup-values.yaml
+            namespace: argocd
+
+          - name: "cert-manager"
+            chartName: cert-manager
+            namespace: cert-manager
+            valuesFile: ../../../clusters/dev/worker/argocd-setup-values.yaml
+
+          - name: longhorn
+            chartName: longhorn
+            namespace: longhorn-system
+            valuesFile: ../../../clusters/dev/worker/argocd-setup-values.yaml
+
+          - name: opensearch
+            chartName: opensearch
+            namespace: opensearch
+            valuesFile: ../../../clusters/dev/worker/opensearch-values.yaml
+            secretsFile: ../../../secrets/dev/worker/opensearch.yaml
+
+  syncPolicy:
+    # Don't remove everything if we remove the appset
+    preserveResourcesOnDeletion: true
+
+  template:
+    metadata:
+      name: "{{name}}"
+      namespace: argocd
+    spec:
+      project: default
+      source:
+        repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
+        targetRevision: main
+        path: "charts/dev/{{chartName}}"
+        helm:
+          valueFiles:
+            - "{{valuesFile}}"
+            - secrets://{{ .secretsFile | default "../../../secrets/dummy-secret.yaml"}}
+
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: "{{namespace}}"
+
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+          allowEmpty: true
+        syncOptions:
+          - CreateNamespace=true

clusters/dev/worker/argocd-setup-values.yaml

@@ -0,0 +1,7 @@
+argo-cd:
+  global:
+    domain: argocd-worker.dev.nubes.stfc.ac.uk
+
+longhorn:
+  ingress:
+    host: "longhorn-worker.dev.nubes.stfc.ac.uk"

clusters/dev/worker/infra-values.yaml

@@ -9,6 +9,10 @@ openstack-cluster:
 
   nodeGroupDefaults:
     machineFlavor: l3.nano
+    nodeLabels:	
+      # we're running longhorn on this cluster
+      # set label so worker nodes can host longhorn volumes
+      longhorn.store.nodeselect/longhorn-storage-node: true
 
   addons:
     ingress:

clusters/dev/worker/opensearch-values.yaml

@@ -0,0 +1,52 @@
+
+dashboards:
+  ingress:
+    hosts:
+      - host: dashboards.dev.nubes.stfc.ac.uk
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+    tls:
+      - secretName: opensearch-tls
+        hosts:
+          - dashboards.dev.nubes.stfc.ac.uk
+
+ingress:
+  hosts:
+    - host: nodes.dev.nubes.stfc.ac.uk
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+    - secretName: opensearch-tls
+      hosts:
+        - nodes.dev.nubes.stfc.ac.uk
+
+users:
+# for ingesting k8s container logs
+- name: fluentbit
+  passwordFrom:
+    name: fluentbit-credentials-secret
+    key: password
+  backendRoles:
+    - kibana_user
+
+roles:
+# for ingesting k8s container logs
+- name: fluentbit
+  clusterPermissions:
+    - cluster_composite_ops
+    - cluster_monitor
+  indexPermissions:
+    - indexPatterns:
+        - audit-*
+        - container-*
+        - access-*
+      allowedActions:
+        - create_index
+        - index
+        - write
+
+roleMappings:
+  - roleName: fluentbit
+    user: fluentbit

secrets/dev/worker/opensearch.yaml

@@ -0,0 +1,68 @@
+admin:
+    #ENC[AES256_GCM,data:QDwUx9kyi7vi5HPNVEQhuwGQOT+eW5phHcR8UdB5+UNwqglGUH9vE+KNODDx7sFiY9qNCKY+uGyeMYizRoYV+YyERwe4HD37q9zJgZhn/4xIX6+7ckJvbp1VCdAlqMFJvzWCXg==,iv:uB9tqBLPjyImmEjf5FsnR+y1+JJjMwWIhJJQcaAxJ2s=,tag:BRVlYoT8f/rv1fPEe5Jafg==,type:comment]
+    #ENC[AES256_GCM,data:alsLLQvOohiKKaN43KC2HCrgq5T6NLV8f30+jMXSOgBKY5tsVFe+UFT1ytf6BwtE8GjmKvaCNa3XQwpocEscwW0=,iv:lP2I9Z6Mcqqdoa2QxFVShiWiCBBxsPsHa7+IHe6TjTU=,tag:Aeq1r6FE0IlOXJ0xd/5XHQ==,type:comment]
+    username: ENC[AES256_GCM,data:+3N6gQk=,iv:QACkhN3EdWdoX8xMaZhBiJAR7A6KmXYkdC6ofzHoDPc=,tag:QxG2MOG80IbGQieotfRXwA==,type:str]
+    password: ENC[AES256_GCM,data:GSBu4wvPNJtyqRn2fxlzkyFaI6k=,iv:bx5HKPN966C37Bn50MberMSghgagxHZmBwbCoqbVIVo=,tag:h8UrCU1txVeqMwEqpS2Ueg==,type:str]
+    #ENC[AES256_GCM,data:gZlCxtaB0j+TphQu32xtaQd1SW2sYI/CEl6C9voAOAzIV+y1kuFR3RVF+m5iTnj/YDuuv3YCaFcaIUazOyU/2QahtO8e2eIqS7k=,iv:2pJpNb1Ch75NT9p8CNucFaQIvdILfsqv7QJ0WPNc05c=,tag:S0pcMZ/JFdxC6TZ/WkgElw==,type:comment]
+    #ENC[AES256_GCM,data:L/ADRhy7+OMOc28MR/33YfNugpt08WBSsInwIYN0AyUPpOK911ovWGNqnD7GA0rq,iv:Ulbyq/kEN4kGxme87QqLz8OUstF8CvvYCZvn0t7Y2Yk=,tag:rOIWsjVJpFZoP/JRbRznYg==,type:comment]
+    hash: ENC[AES256_GCM,data:QgIEtPdyIllxZe5crric/5cO5X9gBTxgiXrof5QGmuSXM6mdv80qs4hvxz/6RlBG4INtSFrVLF4MARSO,iv:iQVTEpl6UZu9ka2qOK6RtYTpbBnBYzUdO2AVrU4dX4Q=,tag:GdpuPtevB7O44SdjlRbqWA==,type:str]
+#ENC[AES256_GCM,data:iv/FAimh8SfFVqzzM7U4rsbpCNzxcyMFEgM7sA==,iv:bPpGgV0VwJjgqD8jaxu0/q2AXijvtipojtImk43W75g=,tag:PERZkKFgWhPKf9d9Jfjw7A==,type:comment]
+openid:
+    clientID: ENC[AES256_GCM,data:uMvsOIjTttBfy/BKplxEGhmuNLhKddQH1MlBicQ+UbStPiko,iv:H8+om/9YGfh2vxf8Xh+E90tNLyrKTpXPQjybgt62Ou0=,tag:eqjGOGyi/va5Bs1vDSQQ/g==,type:str]
+    clientSecret: ENC[AES256_GCM,data:3qhDQuypewAKxtR5p488hv5Q/+4qIBFvvEAZZSOEyS4icCEaZSd2Viwr7oWdts95R9cqLM7ruoQlI5s+XzNbQiG9BUkc0mjEOuuR92CRCa6GIuaXwvg=,iv:5UJuqz2JkJAqtYRglzrC3U8eZzkSv3nT0WMhhg+yN5c=,tag:alMz/tPl1d7RAQZCeIyLFg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1acqcungzwkt807d3jt94ngtdt0vhk9kec4ps4a22cpaah57jw4xsl7q4xc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUmYzbWxlL3A2clpPR1BW
+            N1Awb1dxQ2t6MlBUWmlXUEtzaHR6Y1FYR0NrCjRnVXJmWFpNdHNXNllUd0kyTk02
+            ZmlWYzFESWl0NzkydjFkYkk4MXdYQTAKLS0tIHN1Nk1DWTBxcmtCTTFVN0ZQM01z
+            d1Z2eTdjVy8zZ29PbURXa0s1ZUtiYVkKDKTSsZIB50U7tURMzl7WcqOy5aLqaQOL
+            dfU7AKQveF0j4v0Udw9e2tC4ex7+yefCpT+TT/eC0h5onA8graW+cg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1h3dmygqf4v6jg3nxk5sr9jkp27w3q83sqnqxdd5n92xf3w6fs5kshakrxn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZXBid2t5cloreTFUSlF5
+            UEZwWVZJakVCQnU5VC9qcVh0UzBpaUhiSmxZCmVOY1VqUVRCMXdQMTg0c0VhM1J5
+            bnBOSk1WSGdPb0tyRzNqUHRUeEFjWDgKLS0tIG1KUHJVVCt1QkhZdUpUaU9xSWF1
+            dmdhUUxiWVVrTTJUcklQbDNHdk44UzAKukZvY0krD44pVmW4EibbG9ml5gDFqcxF
+            SLcWhivgbesvULqJMAo5azicIFxDvRgIhIr5oUypGD1EaRpUXmVZgg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xr298hh8ammzethfcdeh72c25wnrk3u2zlzxx78k4nfcq2rwpgqs9hljq8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJb21qS1h2Q3pBcXFWbHJ5
+            UVE5dHNRME1QaEFjcGQwS1hVa2J1TElzcFNrClBZQ1MyeHA3UFBaaDVCS0p3NEFQ
+            TEsydTUxYUpHTjhoRHZuTEMwQTRqNlUKLS0tIFhhMGcxWk9KN0xqUE40R3RseWRs
+            dDFWczQ4QUlTaW1qZWphT1dFYTJMTDAK52sxrj8CwRrJWuFiu8qaRpaCtQGoY8om
+            EGwC0Ue+IK2KWMdofrZpgfIgpEm/eNVbCAVTWtZM77xqmleYc6MANQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12khufkd7z25eqgpjjyy0zcrq6kpjxzekmff5zhq7q54tajm4e58qul35x0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZkJYMzlqbVNRMWhUdWJq
+            Vk9WWWd0ZHpIcWJPWFZNdmFZN014QUNqZkhZCkl4aC9xZGFSam9SL0ZKWFN2K3VU
+            MG1VZGxkbmJhLzZ6Skp0TVhwcWw1cHMKLS0tIGsvR3d1WE81TGxLWWhjb2Q0OVBQ
+            eCtYeGh3cnQvUFRDdHBmaXp3YVcxWXMKT9EoHeWQIlAfHIkEoxVG5Ggjwp2zYyhW
+            /Zlonduy6rzTvtUXbeYsKjTluFOn9m6GEC4hdgISKzGW8Zvc/wRGDw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16fufeddr0arrns268526gxethxgkh3g0euf8cn37kuwfmq3h23psutz4q8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJbXEvSzNqeTZpR1F2bEI3
+            Szl5dmxtaC9LNWdlTE9BWWZKWTVOUGNCUVhvCjNhUGE1MG1GSkpLZ09md1krY1BZ
+            Y1VEYWEydC9lYjZKbzlySVg1WnZZbEkKLS0tIDRTM2ZocHpQTzFUUkYvbTBSZWVN
+            UG9MN0lCWElaUVNLQ0pJTEJKMHVFa2cKgetiuhLepPcjva1pR2hEQLrwc67ygux+
+            jqHXJ+BVReG0Sq7HZoCDv6iMQM5DrL0DwmGAZy+5S83zQeTUE1kwaA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-15T21:13:56Z"
+    mac: ENC[AES256_GCM,data:Im6TOCdWj6XBgC9HO/nHbfdg68dRmYwIz+FQw5hmBmsTjQPFl/zNNiBcS/UbwpxuOoIMfrsdhKa0A/DaU+0D+HucFGD7QMGcflTguN/k+gTxBI/BQIQEfAlSJUzhwFbJUJ075KcrmgKQOX9a8GmRyv44uhZwm4be8NYUIapEhnQ=,iv:N2ABX3eovw/Swc8mmppaNC6h8oHH1KKxuLFN16ol66g=,tag:8YhncBZ2MZLELl8uvpb6MQ==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

secrets/dummy-secret.yaml

@@ -0,0 +1,2 @@
+# This file is left purposefully empty to act as a "dummy" secrets file to 
+# get argocd appsets to function properly