README.md

Apache Skywalking Helm Chart

Apache SkyWalking is application performance monitor tool for distributed systems, especially designed for microservices, cloud native and container-based (Docker, K8s, Mesos) architectures.

Introduction

This chart bootstraps a Apache SkyWalking deployment on a Kubernetes cluster using the Helm package manager.

Prerequisites

• Kubernetes 1.9.6+
• PV dynamic provisioning support on the underlying infrastructure (StorageClass)
• Helm 3

Installing the Chart

To install the chart with the release name my-release:

$ helm install my-release skywalking -n <namespace>

The command deploys Apache SkyWalking on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Tip: List all releases using helm list

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm uninstall my-release -n <namespace>

The command removes all the Kubernetes components associated with the chart and deletes the release.

Configuration

The following table lists the configurable parameters of the Skywalking chart and their default values.

Parameter	Description	Default
nameOverride	Override name	nil
serviceAccounts.oap.create	Create of the OAP service account	true
serviceAccounts.oap.name	Name of the OAP service account to use custom service account when serviceAccounts.oap.create is set to false	``
imagePullSecrets	Image pull secrets	[]
oap.name	OAP deployment name	oap
oap.dynamicConfig.enabled	Enable oap dynamic configuration through k8s configmap	false
oap.dynamicConfig.period	Sync period in seconds	60
oap.dynamicConfig.config	Oap dynamic configuration documentation	{}
oap.image.repository	OAP container image name	skywalking.docker.scarf.sh/apache/skywalking-oap-server
oap.image.tag	OAP container image tag	6.1.0
oap.image.pullPolicy	OAP container image pull policy	IfNotPresent
oap.ports.grpc	OAP grpc port for tracing or metric	11800
oap.ports.rest	OAP http port for Web UI	12800
oap.ports.zipkinreceiver	OAP http port for Zipkin receiver(not exposed by default)	9411
oap.ports.zipkinquery	OAP http port for querying Zipkin traces and UI(not exposed by default)	9412
oap.replicas	OAP k8s deployment replicas	2
oap.service.type	OAP svc type	ClusterIP
oap.service.annotations	OAP svc annotations	{}
oap.javaOpts	Parameters to be added to JAVA_OPTSenvironment variable for OAP	-Xms2g -Xmx2g
oap.antiAffinity	OAP anti-affinity policy	soft
oap.nodeAffinity	OAP node affinity policy	{}
oap.nodeSelector	OAP labels for master pod assignment	{}
oap.tolerations	OAP tolerations	[]
oap.resources	OAP node resources requests & limits	{} - cpu limit must be an integer
oap.startupProbe	Configuration fields for the startupProbe	tcpSocket.port: 12800 failureThreshold: 9 periodSeconds: 10
oap.livenessProbe	Configuration fields for the livenessProbe	tcpSocket.port: 12800 initialDelaySeconds: 5 periodSeconds: 10
oap.readinessProbe	Configuration fields for the readinessProbe	tcpSocket.port: 12800 initialDelaySeconds: 5 periodSeconds: 10
oap.env	OAP environment variables	[]
oap.securityContext	Allows you to set the securityContext for the pod	fsGroup: 1000 runAsUser: 1000
ui.name	Web UI deployment name	ui
ui.replicas	Web UI k8s deployment replicas	1
ui.image.repository	Web UI container image name	skywalking.docker.scarf.sh/apache/skywalking-ui
ui.image.tag	Web UI container image tag	6.1.0
ui.image.pullPolicy	Web UI container image pull policy	IfNotPresent
ui.nodeAffinity	Web UI node affinity policy	{}
ui.nodeSelector	Web UI labels for pod assignment	{}
ui.tolerations	Web UI tolerations	[]
ui.ingress.enabled	Create Ingress for Web UI	false
ui.ingress.annotations	Associate annotations to the Ingress	{}
ui.ingress.path	Associate path with the Ingress	/
ui.ingress.hosts	Associate hosts with the Ingress	[]
ui.ingress.tls	Associate TLS with the Ingress	[]
ui.service.type	Web UI svc type	ClusterIP
ui.service.externalPort	external port for the service	80
ui.service.internalPort	internal port for the service	8080
ui.service.externalIPs	external IP addresses	nil
ui.service.loadBalancerIP	Load Balancer IP address	nil
ui.service.annotations	Kubernetes service annotations	{}
ui.service.loadBalancerSourceRanges	Limit load balancer source IPs to list of CIDRs (where available))	[]
ui.securityContext	Allows you to set the securityContext for the pod	fsGroup: 1000 runAsUser: 1000
oapInit.nodeAffinity	OAP init job node affinity policy	{}
oapInit.nodeSelector	OAP init job labels for master pod assignment	{}
oapInit.tolerations	OAP init job tolerations	[]
oapInit.extraPodLabels	OAP init job metadata labels	[]
elasticsearch.enabled	Spin up a new elasticsearch cluster for SkyWalking	true
elasticsearch.clusterName	This will be used as the Elasticsearch cluster.name and should be unique per cluster in the namespace	elasticsearch
elasticsearch.nodeGroup	This is the name that will be used for each group of nodes in the cluster. The name will be clusterName-nodeGroup-X	master
elasticsearch.masterService	Optional. The service name used to connect to the masters. You only need to set this if your master nodeGroup is set to something other than master. See Clustering and Node Discovery for more information.	``
elasticsearch.roles	A hash map with the specific roles for the node group	master: true data: true ingest: true
elasticsearch.replicas	Kubernetes replica count for the statefulset (i.e. how many pods)	3
elasticsearch.minimumMasterNodes	The value for discovery.zen.minimum_master_nodes. Should be set to (master_eligible_nodes / 2) + 1. Ignored in Elasticsearch versions >= 7.	2
elasticsearch.esMajorVersion	Used to set major version specific configuration. If you are using a custom image and not running the default Elasticsearch version you will need to set this to the version you are running (e.g. esMajorVersion: 6)	""
elasticsearch.esConfig	Allows you to add any config files in /usr/share/elasticsearch/config/ such as elasticsearch.yml and log4j2.properties. See values.yaml for an example of the formatting.	{}
elasticsearch.extraEnvs	Extra environment variables which will be appended to the env: definition for the container	[]
elasticsearch.extraVolumes	Templatable string of additional volumes to be passed to the tpl function	""
elasticsearch.extraVolumeMounts	Templatable string of additional volumeMounts to be passed to the tpl function	""
elasticsearch.extraInitContainers	Templatable string of additional init containers to be passed to the tpl function	""
elasticsearch.secretMounts	Allows you easily mount a secret as a file inside the statefulset. Useful for mounting certificates and other secrets. See values.yaml for an example	[]
elasticsearch.image	The Elasticsearch docker image	docker.elastic.co/elasticsearch/elasticsearch
elasticsearch.imageTag	The Elasticsearch docker image tag	7.5.1
elasticsearch.imagePullPolicy	The Kubernetes imagePullPolicy value	IfNotPresent
elasticsearch.podAnnotations	Configurable annotations applied to all Elasticsearch pods	{}
elasticsearch.labels	Configurable label applied to all Elasticsearch pods	{}
elasticsearch.esJavaOpts	Java options for Elasticsearch. This is where you should configure the jvm heap size	-Xmx1g -Xms1g
elasticsearch.resources	Allows you to set the resources for the statefulset	requests.cpu: 100m requests.memory: 2Gi limits.cpu: 1000m limits.memory: 2Gi
elasticsearch.initResources	Allows you to set the resources for the initContainer in the statefulset	{}
elasticsearch.sidecarResources	Allows you to set the resources for the sidecar containers in the statefulset	{}
elasticsearch.networkHost	Value for the network.host Elasticsearch setting	0.0.0.0
elasticsearch.volumeClaimTemplate	Configuration for the volumeClaimTemplate for statefulsets. You will want to adjust the storage (default 30Gi) and the storageClassName if you are using a different storage class	accessModes: [ "ReadWriteOnce" ] resources.requests.storage: 30Gi
elasticsearch.persistence.annotations	Additional persistence annotations for the volumeClaimTemplate	{}
elasticsearch.persistence.enabled	Enables a persistent volume for Elasticsearch data. Can be disabled for nodes that only have roles which don't require persistent data.	true
elasticsearch.priorityClassName	The name of the PriorityClass. No default is supplied as the PriorityClass must be created first.	""
elasticsearch.antiAffinityTopologyKey	The anti-affinity topology key. By default this will prevent multiple Elasticsearch nodes from running on the same Kubernetes node	kubernetes.io/hostname
elasticsearch.antiAffinity	Setting this to hard enforces the anti-affinity rules. If it is set to soft it will be done "best effort". Other values will be ignored.	hard
elasticsearch.nodeAffinity	Value for the node affinity settings	{}
elasticsearch.podManagementPolicy	By default Kubernetes deploys statefulsets serially. This deploys them in parallel so that they can discover eachother	Parallel
elasticsearch.protocol	The protocol that will be used for the readinessProbe. Change this to https if you have xpack.security.http.ssl.enabled set	http
elasticsearch.httpPort	The http port that Kubernetes will use for the healthchecks and the service. If you change this you will also need to set http.port in extraEnvs	9200
elasticsearch.transportPort	The transport port that Kubernetes will use for the service. If you change this you will also need to set transport port configuration in extraEnvs	9300
elasticsearch.service.labels	Labels to be added to non-headless service	{}
elasticsearch.service.labelsHeadless	Labels to be added to headless service	{}
elasticsearch.service.type	Type of elasticsearch service. Service Types	ClusterIP
elasticsearch.service.nodePort	Custom nodePort port that can be set if you are using service.type: nodePort.	``
elasticsearch.service.annotations	Annotations that Kubernetes will use for the service. This will configure load balancer if service.type is LoadBalancer Annotations	{}
elasticsearch.service.httpPortName	The name of the http port within the service	http
elasticsearch.service.transportPortName	The name of the transport port within the service	transport
elasticsearch.updateStrategy	The updateStrategy for the statefulset. By default Kubernetes will wait for the cluster to be green after upgrading each pod. Setting this to OnDelete will allow you to manually delete each pod during upgrades	RollingUpdate
elasticsearch.maxUnavailable	The maxUnavailable value for the pod disruption budget. By default this will prevent Kubernetes from having more than 1 unhealthy pod in the node group	1
elasticsearch.fsGroup (DEPRECATED)	The Group ID (GID) for securityContext.fsGroup so that the Elasticsearch user can read from the persistent volume	``
elasticsearch.podSecurityContext	Allows you to set the securityContext for the pod	fsGroup: 1000 runAsUser: 1000
elasticsearch.securityContext	Allows you to set the securityContext for the container	capabilities.drop:[ALL] runAsNonRoot: true runAsUser: 1000
elasticsearch.terminationGracePeriod	The terminationGracePeriod in seconds used when trying to stop the pod	120
elasticsearch.sysctlInitContainer.enabled	Allows you to disable the sysctlInitContainer if you are setting vm.max_map_count with another method	true
elasticsearch.sysctlVmMaxMapCount	Sets the sysctl vm.max_map_count needed for Elasticsearch	262144
elasticsearch.readinessProbe	Configuration fields for the readinessProbe	failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 3 timeoutSeconds: 5
elasticsearch.clusterHealthCheckParams	The Elasticsearch cluster health status params that will be used by readinessProbe command	wait_for_status=green&timeout=1s
elasticsearch.imagePullSecrets	Configuration for imagePullSecrets so that you can use a private registry for your image	[]
elasticsearch.nodeSelector	Configurable nodeSelector so that you can target specific nodes for your Elasticsearch cluster	{}
elasticsearch.tolerations	Configurable tolerations	[]
elasticsearch.ingress	Configurable ingress to expose the Elasticsearch service. See values.yaml for an example	enabled: false
elasticsearch.schedulerName	Name of the alternate scheduler	nil
elasticsearch.masterTerminationFix	A workaround needed for Elasticsearch < 7.2 to prevent master status being lost during restarts #63	false
elasticsearch.lifecycle	Allows you to add lifecycle configuration. See values.yaml for an example of the formatting.	{}
elasticsearch.keystore	Allows you map Kubernetes secrets into the keystore. See the config example and how to use the keystore	[]
elasticsearch.rbac	Configuration for creating a role, role binding and service account as part of this helm chart with create: true. Also can be used to reference an external service account with serviceAccountName: "externalServiceAccountName".	create: false serviceAccountName: ""
elasticsearch.podSecurityPolicy	Configuration for create a pod security policy with minimal permissions to run this Helm chart with create: true. Also can be used to reference an external pod security policy with name: "externalPodSecurityPolicy"	create: false name: ""
satellite.name	Satellite deployment name	satellite
satellite.replicas	Satellite k8s deployment replicas	1
satellite.enabled	Is enable Satellite	false
satellite.image.repository	Satellite container image name	skywalking.docker.scarf.sh/apache/skywalking-satellite
satellite.image.tag	Satellite container image tag	v0.4.0
satellite.image.pullPolicy	Satellite container image pull policy	IfNotPresent
satellite.antiAffinity	Satellite anti-affinity policy	soft
satellite.nodeAffinity	Satellite node affinity policy	{}
satellite.nodeSelector	Satellite labels for pod assignment	{}
satellite.tolerations	Satellite tolerations	[]
satellite.service.type	Satellite svc type	ClusterIP
satellite.ports.grpc	Satellite grpc port for tracing, metrics, logs, events	11800
satellite.ports.prometheus	Satellite http port for Prometheus monitoring	1234
satellite.resources	Satellite node resources requests & limits	{} - cpu limit must be an integer
satellite.podAnnotations	Configurable annotations applied to all Satellite pods	{}
satellite.env	Satellite environment variables	[]
satellite.securityContext	Allows you to set the securityContext for the pod	fsGroup: 1000 runAsUser: 1000

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install myrelease skywalking --set nameOverride=newSkywalking

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

$ helm install my-release skywalking -f values.yaml

Tip: You can use the default values.yaml

RBAC Configuration

Roles and RoleBindings resources will be created automatically for OAP .

Tip: You can refer to the default oap-role.yaml file in templates to customize your own.

Ingress TLS

If your cluster allows automatic create/retrieve of TLS certificates ( e.g. kube-lego), please refer to the documentation for that mechanism.

To manually configure TLS, first create/retrieve a key & certificate pair for the address(skywalking ui) you wish to protect. Then create a TLS secret in the namespace:

kubectl create secret tls skywalking-tls --cert=path/to/tls.cert --key=path/to/tls.key

Include the secret's name, along with the desired hostnames, in the skywalking-ui Ingress TLS section of your custom values.yaml file:

ui:
  ingress:
    ## If true, Skywalking ui server Ingress will be created
    ##
    enabled: true

    ## Skywalking ui server Ingress hostnames
    ## Must be provided if Ingress is enabled
    ##
    hosts:
      - skywalking

    ## Skywalking ui server Ingress TLS configuration
    ## Secrets must be manually created in the namespace
    ##
    tls:
      - secretName: skywalking
        hosts:
          - skywalking

Envoy ALS

Envoy ALS(access log service) provides fully logs about RPC routed, including HTTP and TCP.

If you want to open envoy ALS, you can do this by modifying values.yaml. default open.

serviceAccounts:
  oap:
    create: true

When envoy als ,will give ServiceAccount clusterrole permission. More envoy als ,please refer to https://github.com/apache/skywalking/blob/master/docs/en/setup/envoy/als_setting.md#observe-service-mesh-through-als