---
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: elasticsearch-global
  labels:
    hosttype: elasticsearch-global
  layeringDefinition:
    abstract: true
    layer: global
  storagePolicy: cleartext
  substitutions:
    # Chart source
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.osh_infra.elasticsearch
      dest:
        path: .source

    # Images
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.osh_infra.elasticsearch
      dest:
        path: .values.images.tags

    # Endpoints
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: osh_infra_endpoints
        path: .osh_infra.elasticsearch
      dest:
        path: .values.endpoints.elasticsearch
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: osh_infra_endpoints
        path: .osh_infra.prometheus_elasticsearch_exporter
      dest:
        path: .values.endpoints.prometheus_elasticsearch_exporter

    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: osh_infra_endpoints
        path: .osh_infra.ldap
      dest:
        path: .values.endpoints.ldap

    # Accounts
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: osh_infra_service_accounts
        path: .osh_infra.elasticsearch.admin
      dest:
        path: .values.endpoints.elasticsearch.auth.admin
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: osh_infra_service_accounts
        path: .osh_infra.ceph_object_store.admin
      dest:
        path: .values.endpoints.ceph_object_store.auth.admin
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: osh_infra_service_accounts
        path: .osh_infra.ceph_object_store.elasticsearch
      dest:
        path: .values.endpoints.ceph_object_store.auth.elasticsearch

    # Secrets
    - dest:
        path: .values.endpoints.elasticsearch.auth.admin.password
      src:
        schema: deckhand/Passphrase/v1
        name: osh_infra_elasticsearch_admin_password
        path: .
    - dest:
        path: .values.endpoints.ceph_object_store.auth.admin.access_key
      src:
        schema: deckhand/Passphrase/v1
        name: osh_infra_rgw_s3_admin_access_key
        path: .
    - dest:
        path: .values.endpoints.ceph_object_store.auth.admin.secret_key
      src:
        schema: deckhand/Passphrase/v1
        name: osh_infra_rgw_s3_admin_secret_key
        path: .
    - dest:
        path: .values.endpoints.ceph_object_store.auth.elasticsearch.access_key
      src:
        schema: deckhand/Passphrase/v1
        name: osh_infra_rgw_s3_elasticsearch_access_key
        path: .
    - dest:
        path: .values.endpoints.ceph_object_store.auth.elasticsearch.secret_key
      src:
        schema: deckhand/Passphrase/v1
        name: osh_infra_rgw_s3_elasticsearch_secret_key
        path: .

    # LDAP Details
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: osh_infra_service_accounts
        path: .osh_infra.ldap.admin
      dest:
        path: .values.endpoints.ldap.auth.admin
    - dest:
        path: .values.endpoints.ldap.auth.admin.password
      src:
        schema: deckhand/Passphrase/v1
        name: osh_keystone_ldap_password
        path: .
data:
  chart_name: elasticsearch
  release: elasticsearch
  namespace: osh-infra
  wait:
    timeout: 900
    labels:
      release_group: airship-elasticsearch
  install:
    no_hooks: false
  upgrade:
    no_hooks: false
    pre:
      delete:
        - type: job
          labels:
            release_group: airship-elasticsearch
      create: []
    post:
      create: []
  values:
    pod:
      replicas:
        client: 5
      resources:
        enabled: true
        apache_proxy:
          limits:
            memory: "1024Mi"
            cpu: "2000m"
          requests:
            memory: "0"
            cpu: "0"
        client:
          requests:
            memory: "8Gi"
            cpu: "1000m"
          limits:
            memory: "16Gi"
            cpu: "2000m"
        master:
          requests:
            memory: "8Gi"
            cpu: "1000m"
          limits:
            memory: "16Gi"
            cpu: "2000m"
        data:
          requests:
            memory: "8Gi"
            cpu: "1000m"
          limits:
            memory: "16Gi"
            cpu: "2000m"
        prometheus_elasticsearch_exporter:
          requests:
            memory: "0"
            cpu: "0"
          limits:
            memory: "1024Mi"
            cpu: "2000m"
        jobs:
          curator:
            requests:
              memory: "0"
              cpu: "0"
            limits:
              memory: "1024Mi"
              cpu: "2000m"
          image_repo_sync:
            requests:
              memory: "0"
              cpu: "0"
            limits:
              memory: "1024Mi"
              cpu: "2000m"
          snapshot_repository:
            requests:
              memory: "0"
              cpu: "0"
            limits:
              memory: "1024Mi"
              cpu: "2000m"
          tests:
            requests:
              memory: "0"
              cpu: "0"
            limits:
              memory: "1024Mi"
              cpu: "2000m"
    labels:
      elasticsearch:
        node_selector_key: openstack-control-plane
        node_selector_value: enabled
      job:
        node_selector_key: openstack-control-plane
        node_selector_value: enabled
      test:
        node_selector_key: openstack-control-plane
        node_selector_value: enabled
    monitoring:
      prometheus:
        enabled: true
    conf:
      httpd: |
        ServerRoot "/usr/local/apache2"
        Listen 80
        LoadModule mpm_event_module modules/mod_mpm_event.so
        LoadModule authn_file_module modules/mod_authn_file.so
        LoadModule authn_core_module modules/mod_authn_core.so
        LoadModule authz_host_module modules/mod_authz_host.so
        LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
        LoadModule authz_user_module modules/mod_authz_user.so
        LoadModule authz_core_module modules/mod_authz_core.so
        LoadModule access_compat_module modules/mod_access_compat.so
        LoadModule auth_basic_module modules/mod_auth_basic.so
        LoadModule ldap_module modules/mod_ldap.so
        LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
        LoadModule reqtimeout_module modules/mod_reqtimeout.so
        LoadModule filter_module modules/mod_filter.so
        LoadModule proxy_html_module modules/mod_proxy_html.so
        LoadModule log_config_module modules/mod_log_config.so
        LoadModule env_module modules/mod_env.so
        LoadModule headers_module modules/mod_headers.so
        LoadModule setenvif_module modules/mod_setenvif.so
        LoadModule version_module modules/mod_version.so
        LoadModule proxy_module modules/mod_proxy.so
        LoadModule proxy_connect_module modules/mod_proxy_connect.so
        LoadModule proxy_http_module modules/mod_proxy_http.so
        LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
        LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
        LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
        LoadModule unixd_module modules/mod_unixd.so
        LoadModule status_module modules/mod_status.so
        LoadModule autoindex_module modules/mod_autoindex.so
        <IfModule unixd_module>
        User daemon
        Group daemon
        </IfModule>
        <Directory />
            AllowOverride none
            Require all denied
        </Directory>
        <Files ".ht*">
            Require all denied
        </Files>
        ErrorLog /dev/stderr
        LogLevel warn
        <IfModule log_config_module>
            LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
            LogFormat "%h %l %u %t \"%r\" %>s %b" common
            <IfModule logio_module>
              LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
            </IfModule>
            CustomLog /dev/stdout common
            CustomLog /dev/stdout combined
        </IfModule>
        <Directory "/usr/local/apache2/cgi-bin">
            AllowOverride None
            Options None
            Require all granted
        </Directory>
        <IfModule headers_module>
            RequestHeader unset Proxy early
        </IfModule>
        <IfModule proxy_html_module>
        Include conf/extra/proxy-html.conf
        </IfModule>
        <VirtualHost *:80>
          <Location />
              ProxyPass http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
              ProxyPassReverse http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
          </Location>
          <Proxy *>
              AuthName "Elasticsearch"
              AuthType Basic
              AuthBasicProvider file ldap
              AuthUserFile /usr/local/apache2/conf/.htpasswd
              AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
              AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
              AuthLDAPURL {{ tuple "ldap" "public" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
              Require valid-user
          </Proxy>
        </VirtualHost>
      elasticsearch:
        config:
          http:
            max_content_length: 2gb
            pipelining: false
        env:
          java_opts: "-Xms8g -Xmx8g"
        snapshots:
          enabled: true
      curator:
        #run every 6th hour
        schedule:  "0 */6 * * *"
        action_file:
          # Remember, leave a key empty if there is no value.  None will be a string,
          # not a Python "NoneType"
          #
          # Also remember that all examples have 'disable_action' set to True.  If you
          # want to use this action as a template, be sure to set this to False after
          # copying it.
          actions:
            1:
              action: delete_indices
              description: >-
                "Delete indices older than 7 days"
              options:
                timeout_override:
                continue_if_exception: False
                ignore_empty_list: True
                disable_action: False
              filters:
              - filtertype: pattern
                kind: prefix
                value: logstash-
              - filtertype: age
                source: name
                direction: older
                timestring: '%Y.%m.%d'
                unit: days
                unit_count: 7
            2:
              action: delete_indices
              description: >-
                "Delete indices by age if available disk space is
                 less than 80% total disk"
              options:
                timeout_override: 600
                continue_if_exception: False
                ignore_empty_list: True
                disable_action: False
              filters:
              - filtertype: pattern
                kind: prefix
                value: logstash-
              - filtertype: space
                source: creation_date
                use_age: True
                disk_space: 1200
    storage:
      requests:
        storage: 500Gi
  dependencies:
    - osh-infra-helm-toolkit
...