Fluent watcher

[newcarlis]

New Image Pull Request Template

Image Size

• The Image is smaller in size than its common public counterpart.
• The Image is larger in size than its common public counterpart (please explain in the notes).

Notes:

Image Vulnerabilities

• The Grype vulnerability scan returned 0 CVE(s).
• The Grype vulnerability scan returned > 0 CVE(s) (please explain in the notes).

Notes:

Image Tagging

• The image is not tagged with version tags.
• The image is tagged with :latest
• The image is not tagged with :latest (please explain in the notes).

Notes:

Basic Testing - K8s cluster

• The container image was successfully loaded into a kind cluster.
• The container image could not be loaded into a kind cluster (please explain in the notes).

Notes:

Basic Testing - Package/Application

• The application is accessible to the user/cluster/etc. after start-up.
• The application is not accessible to the user/cluster/etc. after start-up. (please explain in the notes).

Notes:

Helm

• A Helm chart has been provided and the container image can be used with the chart. If needed, please add a -compat package to close any gaps with the public helm chart.
• A Helm chart has been provided and the container image is not working with the chart (please explain in the notes).
• A Helm chart was not provided.

Notes:

Processor Architectures

• The image was built and tested for x86_64.
• The image could not be built for x86_64 (please explain in the notes).
• The image was built and tested for aarch64.
• The image could not be built for aarch64. (please explain in the notes).

Notes:

Functional Testing + Documentation

• Functional tests have been included and the tests are passing. All tests have been documnted in the notes section.

Notes:

Environment Testing + Documentation

• There has not been a request and/or there is no indication that this image needs tested on a public cloud provider.
• The container image has been tested successfully on a public cloud provider (AWS, GCP, Azure).
• The container image has not been tested successfully on a public cloud provider (AWS, GCP, Azure) (please explain in the notes).

Notes:

Version

• The package version is the latest version of the package. The latest tag points to this version.
• The package version is the not the latest version of the package (please explain in the notes).

Notes:

Dev Tag Availability

• There is a dev tag available that includes a shell and apk tools (by depending on 'wolfi-base')
• There is not a dev tag available that includes a shell and apk tools (by depending on 'wolfi-base') (please explain in the notes).

Notes:

Access Control + Authentication

• The image runs as nonroot and GID/UID are set to 65532 or upstream default
• Alternatively the username and GID/UID may be a commonly used one from the ecosystem e.g: postgres
• The image requires a non-standard username or non-standard GID/UID (please explain in the notes).

ENTRYPOINT

• applications/servers/utilities set to call main program with no arguments e.g. [redis-server]
• applications/servers/utilities not set to call main program with no arguments e.g. [redis-server] (please explain in the notes)
• base images leave empty.
• base image and not empty (please explain in the notes).
• dev variants is set to entrypoint script that falls back to system.
• dev variants is not set to entrypoint script that falls back to system (please explain in the notes).

CMD

• For server applications give arguments to start in daemon mode (may be empty)
• For utilities/tooling bring up help e.g. –help
• For base images with a shell, call it e.g. [/bin/sh]

Environment Variables

• Environment variables added.
• Environment variables not added and not required.

SIGTERM

• The image responds to SIGTERM (e.g., docker kill $(docker run -d --rm cgr.dev/chainguard/nginx))

Logs

• Error logs write to stderr and normal logs to stdout. Logs DO NOT write to file.

Documentation - README

• A README file has been provided and it follows the README template.

[developer-guy]

@newcarlis I don't think that we should depend on the fluent-operator's tests here because fluent-watcher is kind of a different project than fluent-operator 🫠

[developer-guy]

also here, we should create our own config for fluent-watcher according to the Dockerfile for the project:

• https://github.com/fluent/fluent-operator/blob/v2.9.0/cmd/fluent-watcher/fluentbit/Dockerfile

[max-allan-cgr]

So the whole idea of the watcher is that it can detect changes to the fluent-bit config.
So, maybe a test like : https://github.com/chainguard-images/images/blob/main/images/fluent-bit/tests/main.tf

That deploys fluent-bit but with an overriden entrypoint which won't run the watcher. So edit the values:

image:
  repository: <as needed>
  tag: <as needed>
  digest: <as needed>
command:
  - /fluent-bit/bin/fluent-bit-watcher 
args:
  - -c=/fluent-bit/etc/conf/fluent-bit.conf  
  - -watch-path=/fluent-bit/etc/conf

That creates a ConfigMap called <chart name>-fluent-bit with a fluent-bit.conf section. Replace that section with something a bit different and monitor the log file for the message when it changes:

level=info time=2024-06-21T10:23:03Z msg="Config file changed, reloading..."                                                                                                                                                                                                                    

I'd recommend not using the "default" config because it tries to connect to elastic and fails and there is a lot of noise in the log from that and it's really slow. eg in values.yaml:

config:
  outputs: []

You can't change the configmap by changing the values and rerunning helm because that restarts the pod! You have to change the CM direct. (For example of a change to make, remove the whole "FILTERS" section.)

[developer-guy]

We should not be creating public images anymore, and the public images should be created automatically by an automation, so, we should move this into the private images 🙏

cc @mamccorm