Apache SkyWalking is application performance monitor tool for distributed systems, especially designed for microservices, cloud native and container-based (Docker, K8s, Mesos) architectures.
This chart bootstraps a Apache SkyWalking deployment on a Kubernetes cluster using the Helm package manager.
To install the chart with the release name my-release:
$ helm install my-release skywalking -n <namespace>
The command deploys Apache SkyWalking on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.
Tip: List all releases using
helm list
To uninstall/delete the my-release deployment:
$ helm uninstall my-release -n <namespace>
The command removes all the Kubernetes components associated with the chart and deletes the release.
The following table lists the configurable parameters of the Skywalking chart and their default values.
| Parameter | Description | Default |
|---|---|---|
nameOverride | Override name | nil |
serviceAccounts.oap.create | Create of the OAP service account | true |
serviceAccounts.oap.name | Name of the OAP service account to use custom service account when serviceAccounts.oap.create is set to false | `` |
imagePullSecrets | Image pull secrets | [] |
oap.name | OAP deployment name | oap |
oap.dynamicConfig.enabled | Enable oap dynamic configuration through k8s configmap | false |
oap.dynamicConfig.period | Sync period in seconds | 60 |
oap.dynamicConfig.config | Oap dynamic configuration documentation | {} |
oap.image.repository | OAP container image name | skywalking.docker.scarf.sh/apache/skywalking-oap-server |
oap.image.tag | OAP container image tag | 6.1.0 |
oap.image.pullPolicy | OAP container image pull policy | IfNotPresent |
oap.ports.grpc | OAP grpc port for tracing or metric | 11800 |
oap.ports.rest | OAP http port for Web UI | 12800 |
oap.ports.zipkinreceiver | OAP http port for Zipkin receiver(not exposed by default) | 9411 |
oap.ports.zipkinquery | OAP http port for querying Zipkin traces and UI(not exposed by default) | 9412 |
oap.replicas | OAP k8s deployment replicas | 2 |
oap.service.type | OAP svc type | ClusterIP |
oap.service.annotations | OAP svc annotations | {} |
oap.javaOpts | Parameters to be added to JAVA_OPTSenvironment variable for OAP | -Xms2g -Xmx2g |
oap.antiAffinity | OAP anti-affinity policy | soft |
oap.nodeAffinity | OAP node affinity policy | {} |
oap.nodeSelector | OAP labels for master pod assignment | {} |
oap.tolerations | OAP tolerations | [] |
oap.resources | OAP node resources requests & limits | {} - cpu limit must be an integer |
oap.startupProbe | Configuration fields for the startupProbe | tcpSocket.port: 12800 failureThreshold: 9 periodSeconds: 10 |
oap.livenessProbe | Configuration fields for the livenessProbe | tcpSocket.port: 12800 initialDelaySeconds: 5 periodSeconds: 10 |
oap.readinessProbe | Configuration fields for the readinessProbe | tcpSocket.port: 12800 initialDelaySeconds: 5 periodSeconds: 10 |
oap.env | OAP environment variables | [] |
oap.securityContext | Allows you to set the securityContext for the pod | fsGroup: 1000runAsUser: 1000 |
ui.name | Web UI deployment name | ui |
ui.replicas | Web UI k8s deployment replicas | 1 |
ui.image.repository | Web UI container image name | skywalking.docker.scarf.sh/apache/skywalking-ui |
ui.image.tag | Web UI container image tag | 6.1.0 |
ui.image.pullPolicy | Web UI container image pull policy | IfNotPresent |
ui.nodeAffinity | Web UI node affinity policy | {} |
ui.nodeSelector | Web UI labels for pod assignment | {} |
ui.tolerations | Web UI tolerations | [] |
ui.ingress.enabled | Create Ingress for Web UI | false |
ui.ingress.annotations | Associate annotations to the Ingress | {} |
ui.ingress.path | Associate path with the Ingress | / |
ui.ingress.hosts | Associate hosts with the Ingress | [] |
ui.ingress.tls | Associate TLS with the Ingress | [] |
ui.service.type | Web UI svc type | ClusterIP |
ui.service.externalPort | external port for the service | 80 |
ui.service.internalPort | internal port for the service | 8080 |
ui.service.externalIPs | external IP addresses | nil |
ui.service.loadBalancerIP | Load Balancer IP address | nil |
ui.service.annotations | Kubernetes service annotations | {} |
ui.service.loadBalancerSourceRanges | Limit load balancer source IPs to list of CIDRs (where available)) | [] |
ui.securityContext | Allows you to set the securityContext for the pod | fsGroup: 1000runAsUser: 1000 |
oapInit.nodeAffinity | OAP init job node affinity policy | {} |
oapInit.nodeSelector | OAP init job labels for master pod assignment | {} |
oapInit.tolerations | OAP init job tolerations | [] |
oapInit.extraPodLabels | OAP init job metadata labels | [] |
elasticsearch.enabled | Spin up a new elasticsearch cluster for SkyWalking | true |
elasticsearch.clusterName | This will be used as the Elasticsearch cluster.name and should be unique per cluster in the namespace | elasticsearch |
elasticsearch.nodeGroup | This is the name that will be used for each group of nodes in the cluster. The name will be clusterName-nodeGroup-X | master |
elasticsearch.masterService | Optional. The service name used to connect to the masters. You only need to set this if your master nodeGroup is set to something other than master. See Clustering and Node Discovery for more information. | `` |
elasticsearch.roles | A hash map with the specific roles for the node group | master: truedata: trueingest: true |
elasticsearch.replicas | Kubernetes replica count for the statefulset (i.e. how many pods) | 3 |
elasticsearch.minimumMasterNodes | The value for discovery.zen.minimum_master_nodes. Should be set to (master_eligible_nodes / 2) + 1. Ignored in Elasticsearch versions >= 7. | 2 |
elasticsearch.esMajorVersion | Used to set major version specific configuration. If you are using a custom image and not running the default Elasticsearch version you will need to set this to the version you are running (e.g. esMajorVersion: 6) | "" |
elasticsearch.esConfig | Allows you to add any config files in /usr/share/elasticsearch/config/ such as elasticsearch.yml and log4j2.properties. See values.yaml for an example of the formatting. | {} |
elasticsearch.extraEnvs | Extra environment variables which will be appended to the env: definition for the container | [] |
elasticsearch.extraVolumes | Templatable string of additional volumes to be passed to the tpl function | "" |
elasticsearch.extraVolumeMounts | Templatable string of additional volumeMounts to be passed to the tpl function | "" |
elasticsearch.extraInitContainers | Templatable string of additional init containers to be passed to the tpl function | "" |
elasticsearch.secretMounts | Allows you easily mount a secret as a file inside the statefulset. Useful for mounting certificates and other secrets. See values.yaml for an example | [] |
elasticsearch.image | The Elasticsearch docker image | docker.elastic.co/elasticsearch/elasticsearch |
elasticsearch.imageTag | The Elasticsearch docker image tag | 7.5.1 |
elasticsearch.imagePullPolicy | The Kubernetes imagePullPolicy value | IfNotPresent |
elasticsearch.podAnnotations | Configurable annotations applied to all Elasticsearch pods | {} |
elasticsearch.labels | Configurable label applied to all Elasticsearch pods | {} |
elasticsearch.esJavaOpts | Java options for Elasticsearch. This is where you should configure the jvm heap size | -Xmx1g -Xms1g |
elasticsearch.resources | Allows you to set the resources for the statefulset | requests.cpu: 100mrequests.memory: 2Gilimits.cpu: 1000mlimits.memory: 2Gi |
elasticsearch.initResources | Allows you to set the resources for the initContainer in the statefulset | {} |
elasticsearch.sidecarResources | Allows you to set the resources for the sidecar containers in the statefulset | {} |
elasticsearch.networkHost | Value for the network.host Elasticsearch setting | 0.0.0.0 |
elasticsearch.volumeClaimTemplate | Configuration for the volumeClaimTemplate for statefulsets. You will want to adjust the storage (default 30Gi) and the storageClassName if you are using a different storage class | accessModes: [ "ReadWriteOnce" ]resources.requests.storage: 30Gi |
elasticsearch.persistence.annotations | Additional persistence annotations for the volumeClaimTemplate | {} |
elasticsearch.persistence.enabled | Enables a persistent volume for Elasticsearch data. Can be disabled for nodes that only have roles which don't require persistent data. | true |
elasticsearch.priorityClassName | The name of the PriorityClass. No default is supplied as the PriorityClass must be created first. | "" |
elasticsearch.antiAffinityTopologyKey | The anti-affinity topology key. By default this will prevent multiple Elasticsearch nodes from running on the same Kubernetes node | kubernetes.io/hostname |
elasticsearch.antiAffinity | Setting this to hard enforces the anti-affinity rules. If it is set to soft it will be done “best effort”. Other values will be ignored. | hard |
elasticsearch.nodeAffinity | Value for the node affinity settings | {} |
elasticsearch.podManagementPolicy | By default Kubernetes deploys statefulsets serially. This deploys them in parallel so that they can discover eachother | Parallel |
elasticsearch.protocol | The protocol that will be used for the readinessProbe. Change this to https if you have xpack.security.http.ssl.enabled set | http |
elasticsearch.httpPort | The http port that Kubernetes will use for the healthchecks and the service. If you change this you will also need to set http.port in extraEnvs | 9200 |
elasticsearch.transportPort | The transport port that Kubernetes will use for the service. If you change this you will also need to set transport port configuration in extraEnvs | 9300 |
elasticsearch.service.labels | Labels to be added to non-headless service | {} |
elasticsearch.service.labelsHeadless | Labels to be added to headless service | {} |
elasticsearch.service.type | Type of elasticsearch service. Service Types | ClusterIP |
elasticsearch.service.nodePort | Custom nodePort port that can be set if you are using service.type: nodePort. | `` |
elasticsearch.service.annotations | Annotations that Kubernetes will use for the service. This will configure load balancer if service.type is LoadBalancer Annotations | {} |
elasticsearch.service.httpPortName | The name of the http port within the service | http |
elasticsearch.service.transportPortName | The name of the transport port within the service | transport |
elasticsearch.updateStrategy | The updateStrategy for the statefulset. By default Kubernetes will wait for the cluster to be green after upgrading each pod. Setting this to OnDelete will allow you to manually delete each pod during upgrades | RollingUpdate |
elasticsearch.maxUnavailable | The maxUnavailable value for the pod disruption budget. By default this will prevent Kubernetes from having more than 1 unhealthy pod in the node group | 1 |
elasticsearch.fsGroup (DEPRECATED) | The Group ID (GID) for securityContext.fsGroup so that the Elasticsearch user can read from the persistent volume | `` |
elasticsearch.podSecurityContext | Allows you to set the securityContext for the pod | fsGroup: 1000runAsUser: 1000 |
elasticsearch.securityContext | Allows you to set the securityContext for the container | capabilities.drop:[ALL]runAsNonRoot: truerunAsUser: 1000 |
elasticsearch.terminationGracePeriod | The terminationGracePeriod in seconds used when trying to stop the pod | 120 |
elasticsearch.sysctlInitContainer.enabled | Allows you to disable the sysctlInitContainer if you are setting vm.max_map_count with another method | true |
elasticsearch.sysctlVmMaxMapCount | Sets the sysctl vm.max_map_count needed for Elasticsearch | 262144 |
elasticsearch.readinessProbe | Configuration fields for the readinessProbe | failureThreshold: 3initialDelaySeconds: 10periodSeconds: 10successThreshold: 3timeoutSeconds: 5 |
elasticsearch.clusterHealthCheckParams | The Elasticsearch cluster health status params that will be used by readinessProbe command | wait_for_status=green&timeout=1s |
elasticsearch.imagePullSecrets | Configuration for imagePullSecrets so that you can use a private registry for your image | [] |
elasticsearch.nodeSelector | Configurable nodeSelector so that you can target specific nodes for your Elasticsearch cluster | {} |
elasticsearch.tolerations | Configurable tolerations | [] |
elasticsearch.ingress | Configurable ingress to expose the Elasticsearch service. See values.yaml for an example | enabled: false |
elasticsearch.schedulerName | Name of the alternate scheduler | nil |
elasticsearch.masterTerminationFix | A workaround needed for Elasticsearch < 7.2 to prevent master status being lost during restarts #63 | false |
elasticsearch.lifecycle | Allows you to add lifecycle configuration. See values.yaml for an example of the formatting. | {} |
elasticsearch.keystore | Allows you map Kubernetes secrets into the keystore. See the config example and how to use the keystore | [] |
elasticsearch.rbac | Configuration for creating a role, role binding and service account as part of this helm chart with create: true. Also can be used to reference an external service account with serviceAccountName: "externalServiceAccountName". | create: falseserviceAccountName: "" |
elasticsearch.podSecurityPolicy | Configuration for create a pod security policy with minimal permissions to run this Helm chart with create: true. Also can be used to reference an external pod security policy with name: "externalPodSecurityPolicy" | create: falsename: "" |
satellite.name | Satellite deployment name | satellite |
satellite.replicas | Satellite k8s deployment replicas | 1 |
satellite.enabled | Is enable Satellite | false |
satellite.image.repository | Satellite container image name | skywalking.docker.scarf.sh/apache/skywalking-satellite |
satellite.image.tag | Satellite container image tag | v0.4.0 |
satellite.image.pullPolicy | Satellite container image pull policy | IfNotPresent |
satellite.antiAffinity | Satellite anti-affinity policy | soft |
satellite.nodeAffinity | Satellite node affinity policy | {} |
satellite.nodeSelector | Satellite labels for pod assignment | {} |
satellite.tolerations | Satellite tolerations | [] |
satellite.service.type | Satellite svc type | ClusterIP |
satellite.ports.grpc | Satellite grpc port for tracing, metrics, logs, events | 11800 |
satellite.ports.prometheus | Satellite http port for Prometheus monitoring | 1234 |
satellite.resources | Satellite node resources requests & limits | {} - cpu limit must be an integer |
satellite.podAnnotations | Configurable annotations applied to all Satellite pods | {} |
satellite.env | Satellite environment variables | [] |
satellite.securityContext | Allows you to set the securityContext for the pod | fsGroup: 1000runAsUser: 1000 |
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
$ helm install myrelease skywalking --set nameOverride=newSkywalking
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
$ helm install my-release skywalking -f values.yaml
Tip: You can use the default values.yaml
Roles and RoleBindings resources will be created automatically for OAP .
Tip: You can refer to the default
oap-role.yamlfile in templates to customize your own.
If your cluster allows automatic create/retrieve of TLS certificates ( e.g. kube-lego), please refer to the documentation for that mechanism.
To manually configure TLS, first create/retrieve a key & certificate pair for the address(skywalking ui) you wish to protect. Then create a TLS secret in the namespace:
kubectl create secret tls skywalking-tls --cert=path/to/tls.cert --key=path/to/tls.key
Include the secret's name, along with the desired hostnames, in the skywalking-ui Ingress TLS section of your custom values.yaml file:
ui: ingress: ## If true, Skywalking ui server Ingress will be created ## enabled: true ## Skywalking ui server Ingress hostnames ## Must be provided if Ingress is enabled ## hosts: - skywalking ## Skywalking ui server Ingress TLS configuration ## Secrets must be manually created in the namespace ## tls: - secretName: skywalking hosts: - skywalking
Envoy ALS(access log service) provides fully logs about RPC routed, including HTTP and TCP.
If you want to open envoy ALS, you can do this by modifying values.yaml. default open.
serviceAccounts: oap: create: true
When envoy als ,will give ServiceAccount clusterrole permission. More envoy als ,please refer to https://github.com/apache/skywalking/blob/master/docs/en/setup/envoy/als_setting.md#observe-service-mesh-through-als