---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.inputs:
    # To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
    filebeat.autodiscover:
      providers:
        - type: kubernetes
          node: ${NODE_NAME}
          hints.enabled: true
          hints.default_config:
            type: container
            paths:
              - /var/log/containers/*${data.kubernetes.container.id}.log

    processors:
      - add_host_metadata:

    output.logstash:
      hosts: ['dev-elastic-stack-logstash-01:5044']
      ssl:
        certificate_authorities:
          - /usr/share/filebeat/config/certificates/filebeat.ca
        certificate: /usr/share/filebeat/config/certificates/filebeat.crt
        key: /usr/share/filebeat/config/certificates/filebeat.key
  filebeat.ca: |-
    -----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIVALoaO+vyeJc6elKN4SMIOb9AKm8HMA0GCSqGSIb3DQEB
    CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
    ZXJhdGVkIENBMB4XDTIxMDkwMzEyMTIwNFoXDTIyMDkwMzEyMTIwNFowNDEyMDAG
    A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew
    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCSkIH2QlzcEncmAAwtkVw7
    Nsr7WEBO7eIIST3mY9XJwlqP4IsR9C9UnSXUSpWSJEcv1I6mrZE38Hyq/rvcEFZK
    ZSgHYDsJiVglkUZFdv5S84vgVSROoy+8r10fokHfpbidtJmXabP5T6VD+LE+Mg7y
    RddhHZCoM4wHveo/q55c3RCoVc0PEELrk0vVqvYK99LO+yAprBPzRuXDZx5oJkxD
    +Uc4rTyNCcTTo8CkK1BfccXktBHTQvOzOYxuwyGxb/GCaKwcGG+XQ4TRt3o7r3GR
    TOKCNO+sM6c0g7W0OoL38v7/IKAufTcmU7QO/tb9NBz/G9N57EOqhPdp/46ih1XX
    AgMBAAGjUzBRMB0GA1UdDgQWBBQTPREWSx37K1IpHecIquNdDE7ztDAfBgNVHSME
    GDAWgBQTPREWSx37K1IpHecIquNdDE7ztDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
    SIb3DQEBCwUAA4IBAQAGVoeS1hfVOrDnnLYzPSrF9IfHEzt/eSr3ymEiNUK8ZaRS
    9gpvRgX8n0pS197wVyK8hd2iXzH58H6KMkhcWZH2uNLEB8aOFOCkQxnU4NsMYRjT
    RaS+qf29YbH6LkyO1kxCtGxldKybj8I8MFf8X0mBLN4Nk+w+KqKVFsl63AMtsJkq
    WOgjoYZcY+FQW0HqS2AzDVkDZiXAtjwtXXjONAJOylRHDieA3UByukNHI0OtIurX
    ePsDUoEakawtgXZmD8/RCt8Jpqm5UDwAioa18KJv3u5yqtX+whUnFSI7u5+Mzlay
    2aOT5tIpOXQPV3tuUSvC6CYpoJOrLjgJSJhcP8Uo
    -----END CERTIFICATE-----
  filebeat.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIVAKbp3mlGRUBO1LWPiw4sN4JDbWSYMA0GCSqGSIb3DQEB
    CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
    ZXJhdGVkIENBMB4XDTIxMDkwMzEyMTIwNVoXDTIyMDkwMzEyMTIwNVowJTEjMCEG
    A1UEAxMaZGV2LWVsYXN0aWMtc3RhY2stZmlsZWJlYXQwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQCbup6feN0+yArmD011sPRFSaY+goTLU112ojwwkkPN
    bqZNIhik3+SZT325qCgFZ4mI3A1+h4t0rUl4WO9uJMiUbRGdnwrn5043UoaL5+Vr
    UiEkb3nv1LMhLHbMrnfCU8uXEbTFNiXe6VWaDuD/tHx2UCBUmt9d+6HpK/VsID1L
    yFVOahoKjtTAXIGBxho/lnfcePu1OIq3PhzBO3iEcgVTl1si0+4ASKrL5ZKXTrRy
    ftBCAXg7wpBrpJc7yfH7GgUAqURMwZeg4Uc6chtIDzb87OEAfosjT72rGSaSb87G
    u80FyPGle7bP9RWngXbqUyvXyb94iC274ihmbHSAfvFtAgMBAAGjfzB9MB0GA1Ud
    DgQWBBSVuXSfZVJtPjcyXama0Pu2mL3VtDAfBgNVHSMEGDAWgBQTPREWSx37K1Ip
    HecIquNdDE7ztDAwBgNVHREEKTAngglsb2NhbGhvc3SCGmRldi1lbGFzdGljLXN0
    YWNrLWZpbGViZWF0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAEiG2a66
    lHAsNGiNY2jqTXN2MnO6bBzu3wioU4W0pQMjx5YKlBTDMvludnesgHQxwp/z9/d4
    4Bs2k3ebOBiGsj9GiEscx7kkBtUJf9MXHPF4xC6uKlI8RaGMxP+ik91FGPSMN3ei
    s/AP4n/MWbrWPpFtbyQgWEmw3kHGKrlht47fo8hdNI17w3T56PalWBOzXJJu/uR3
    LDabVIeWFr7Mj8y/MyurssyX2srAJyEJRy2u0gBc04vGo6jNrbFjx8AzwbMGw6x0
    /DtxzIZ+o77z+bKVno/TcAju2rVAQhoz6PL7QqXkLjOjEJFWlJzryEuMk3ljJ0eT
    adcgOervdNNzt8E=
    -----END CERTIFICATE-----
  filebeat.key: |-
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAm7qen3jdPsgK5g9NdbD0RUmmPoKEy1NddqI8MJJDzW6mTSIY
    pN/kmU99uagoBWeJiNwNfoeLdK1JeFjvbiTIlG0RnZ8K5+dON1KGi+fla1IhJG95
    79SzISx2zK53wlPLlxG0xTYl3ulVmg7g/7R8dlAgVJrfXfuh6Sv1bCA9S8hVTmoa
    Co7UwFyBgcYaP5Z33Hj7tTiKtz4cwTt4hHIFU5dbItPuAEiqy+WSl060cn7QQgF4
    O8KQa6SXO8nx+xoFAKlETMGXoOFHOnIbSA82/OzhAH6LI0+9qxkmkm/OxrvNBcjx
    pXu2z/UVp4F26lMr18m/eIgtu+IoZmx0gH7xbQIDAQABAoIBAAFGqTATVHTEPNqf
    u3nAZm/+537RoPbtivGC6M1ZFXckdfZh1iPbtcrPzO7tgs5wh774Vp/3ylu9Y8G5
    sNSNNpuIvUE2YWd/DLQFWBbjYozbkmvzAePGMWWPMLYCo/aSqzNksL+A7xSBgvMN
    NijCONbbVzh6QGRLwIrhklQ9e2MYkNrCWChm5cUCi1ja5t5SB4NlAASM4YoXbHwZ
    bES5ZK76Xp4iFQrtwvfr+KJuqREVSyb9MdOxEsQ5CG58W6h8F8BLf1ePwhY5ieTQ
    u+vQ8O+U+JULcBXnC8yGMXuY3zxwGfJ4c8guRxnzcfbZXONtHhdom69VtctozLn/
    /9vNnGECgYEA1cj2csqocpXECBIiUM/FDyek6KWs91POr9n7RnLJd62Y1D162l7n
    XvFsqYB5vHz/3mZvAxTqVXHQupGTQy49JHhEdndwZxzRJxRtyoqik38GnEHfGBZA
    s0chZmxjlv6M/KfdgstNOlS0Y5nNbT0RoE6bNA3zChex0xGdtj5kCPkCgYEAunre
    eo8Cbabe2+1gOVxSNBCXVYocdOQq+refXWFurO9iWsw5h3f/ngApgmbH2/Re5F/v
    gZnIR7TMZjC/6QkMb9dpRIJR1XhSz2njjBFkpw5kC4fKStgUbUbkM52JMt3zhEud
    IVJJhmIz3UuFcbPtZSWwpS/B47QdMxpNJF72HRUCgYBX7OE/cQ46olIPp7WpWuqH
    QxzV+l3bEwLs3FA2NzuZFzLGB8shSOsL52tzgz2OQjLR+3so309JeRgJw5m3harr
    9vLhbloybm2vDv3g0Yfv9cx4M7dXpr9RfK3F/Eoxbdv6hefaxVar6O6QEE+m3/kB
    35KBpEMTIY+naZVdwOdPsQKBgQCTk9Nn2K+KSapLEHO7UWW40HyDdJaKp1ugKRtU
    0lu9PoFu6/qHTB8eUnCHQ4Hdf2ptf8LSpPpMTTgJk4D9Em0mQaqMTjonH18hyGIN
    ImKuloP0YBVm39RimtzUQFMoz1/9jb2fdji7whHbiv3jewpfptFCGSZvZsZJAAKW
    yxQo9QKBgGpY7QMXbFWrqr/xKsBW9wYIYCboYjoNl15Yetk588u/v7WdTMxtfzCn
    S3KZCSYxXJoiHCe9hTfI5Oe2fFM+X9cwjBCdtwDjVYGrDfmgPmj0lve4hkgfEGuk
    gMOobA3L+bAT9eEINBUmvZap3kjOngqfVDgpPOWkj4FGlhWARRdX
    -----END RSA PRIVATE KEY-----
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
spec:
  selector:
    matchLabels:
      k8s-app: filebeat
  template:
    metadata:
      labels:
        k8s-app: filebeat
    spec:
      tolerations:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
      serviceAccountName: filebeat
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: filebeat
        image: docker.elastic.co/beats/filebeat:7.17.3
        args: [
          "-c", "/etc/filebeat.yml",
          "-e",
        ]
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          runAsUser: 0
          # If using Red Hat OpenShift uncomment this:
          #privileged: true
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/filebeat.yml
          readOnly: true
          subPath: filebeat.yml
        - name: config
          mountPath: /usr/share/filebeat/config/certificates/filebeat.ca
          readOnly: true
          subPath: filebeat.ca
        - name: config
          mountPath: /usr/share/filebeat/config/certificates/filebeat.crt
          readOnly: true
          subPath: filebeat.crt
        - name: config
          mountPath: /usr/share/filebeat/config/certificates/filebeat.key
          readOnly: true
          subPath: filebeat.key
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
        - name: varlog
          mountPath: /var/log
          readOnly: true
      volumes:
      - name: config
        configMap:
          defaultMode: 0640
          name: filebeat-config
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: varlog
        hostPath:
          path: /var/log
      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          # When filebeat runs as non-root user, this directory needs to be writable by group (g+w).
          path: /var/lib/filebeat-data
          type: DirectoryOrCreate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: filebeat
subjects:
- kind: ServiceAccount
  name: filebeat
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: filebeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: filebeat
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: filebeat
    namespace: kube-system
roleRef:
  kind: Role
  name: filebeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: filebeat-kubeadm-config
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: filebeat
    namespace: kube-system
roleRef:
  kind: Role
  name: filebeat-kubeadm-config
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: filebeat
  labels:
    k8s-app: filebeat
rules:
- apiGroups: [""] # "" indicates the core API group
  resources:
  - namespaces
  - pods
  - nodes
  verbs:
  - get
  - watch
  - list
- apiGroups: ["apps"]
  resources:
    - replicasets
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: filebeat
  # should be the namespace where filebeat is running
  namespace: kube-system
  labels:
    k8s-app: filebeat
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs: ["get", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: filebeat-kubeadm-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
rules:
  - apiGroups: [""]
    resources:
      - configmaps
    resourceNames:
      - kubeadm-config
    verbs: ["get"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
---