From 4b0a99409c21e7b7369083c79bbe8013b8d474f2 Mon Sep 17 00:00:00 2001 From: Wu Sheng Date: Mon, 30 Mar 2026 15:31:20 +0800 Subject: [PATCH 1/5] Tie eck-operator dependency to elasticsearch.enabled The eck-operator was always installed regardless of the chosen storage backend because it had an independent `eckOperator.enabled` condition that defaulted to true. This change removes the standalone flag and ties the operator's condition to `elasticsearch.enabled`, so it is only deployed when Elasticsearch is actually in use. --- CLAUDE.md | 5 ++--- README.md | 6 +----- chart/skywalking/Chart.yaml | 2 +- chart/skywalking/README.md | 5 ++--- chart/skywalking/values-my-es.yaml | 3 --- chart/skywalking/values.yaml | 6 +----- test/e2e/e2e-elasticsearch.yaml | 9 ++------- 7 files changed, 9 insertions(+), 27 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 764f0f5..84ce3ce 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -32,7 +32,7 @@ test/e2e/ # E2E test configs (skywalking-infra-e2e format) ## Chart Dependencies Defined in `chart/skywalking/Chart.yaml`: -- **eck-operator** (3.3.1) — ECK operator, condition: `eckOperator.enabled` +- **eck-operator** (3.3.1) — ECK operator, condition: `elasticsearch.enabled` - **eck-elasticsearch** (0.18.1, alias: `elasticsearch`) — ECK-managed ES, condition: `elasticsearch.enabled` - **postgresql** (12.1.2) — Bitnami PostgreSQL, condition: `postgresql.enabled` - **skywalking-banyandb-helm** (alias: `banyandb`) — BanyanDB, condition: `banyandb.enabled` @@ -74,8 +74,7 @@ helm template test chart/skywalking \ --set oap.image.tag=10.3.0 \ --set oap.storageType=elasticsearch \ --set ui.image.tag=10.3.0 \ - --set elasticsearch.enabled=false \ - --set eckOperator.enabled=false + --set elasticsearch.enabled=false # Package chart make package diff --git a/README.md b/README.md index d1519dc..a248162 100644 --- a/README.md +++ b/README.md 
@@ -57,7 +57,6 @@ helm install "${SKYWALKING_RELEASE_NAME}" \ --set oap.image.tag=10.3.0 \ --set oap.storageType=banyandb \ --set ui.image.tag=10.3.0 \ - --set eckOperator.enabled=false \ --set elasticsearch.enabled=false \ --set banyandb.enabled=true \ --set banyandb.image.tag=0.9.0 @@ -141,14 +140,11 @@ helm install "${SKYWALKING_RELEASE_NAME}" ${REPO}/skywalking -n "${SKYWALKING_RE Elasticsearch is now deployed via [ECK (Elastic Cloud on Kubernetes)](https://github.com/elastic/cloud-on-k8s). By default, the chart deploys the ECK operator and an Elasticsearch 8.18.8 cluster. -If you already have the ECK operator installed, set `eckOperator.enabled=false`. +The ECK operator is automatically installed when `elasticsearch.enabled=true` and skipped otherwise. To use an existing external Elasticsearch instead, disable the embedded deployment: ```yaml -eckOperator: - enabled: false - elasticsearch: enabled: false config: diff --git a/chart/skywalking/Chart.yaml b/chart/skywalking/Chart.yaml index 3bf53c3..5517117 100644 --- a/chart/skywalking/Chart.yaml +++ b/chart/skywalking/Chart.yaml @@ -33,7 +33,7 @@ dependencies: - name: eck-operator version: 3.3.1 repository: https://helm.elastic.co/ - condition: eckOperator.enabled + condition: elasticsearch.enabled - name: eck-elasticsearch alias: elasticsearch version: 0.18.1 diff --git a/chart/skywalking/README.md b/chart/skywalking/README.md index 27b0053..cc3dffd 100644 --- a/chart/skywalking/README.md +++ b/chart/skywalking/README.md 
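Review bot: In chart/skywalking/Chart.yaml the eck-operator condition now follows `elasticsearch.enabled` alone, so a values file that still sets `eckOperator.enabled: false` is silently ignored, and an upgrade would deploy a second operator beside one that already manages the cluster. The operator ships CRDs (as the later patches in this series show) and presumably cluster-scoped RBAC, so installing it should remain an explicit choice where a platform team owns it. Helm evaluates only the first condition path that exists in the values, so `condition: eckOperator.enabled,elasticsearch.enabled`, with the `eckOperator` default removed from values.yaml, should keep the new default while still honouring an existing opt-out; confirm this with `helm template`. The values.yaml hunk in this commit removes the flag and is affected in the same way.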
@@ -118,14 +118,13 @@ The following table lists the configurable parameters of the Skywalking chart an ### Elasticsearch (ECK) Elasticsearch is deployed via [ECK (Elastic Cloud on Kubernetes)](https://github.com/elastic/cloud-on-k8s). -The chart includes the ECK operator and an `eck-elasticsearch` subchart. Set `eckOperator.enabled=false` if the ECK operator is already installed in your cluster. +The chart includes the ECK operator and an `eck-elasticsearch` subchart. The ECK operator is automatically installed when `elasticsearch.enabled=true` and skipped otherwise. #### Top-level parameters | Parameter | Description | Default | |---|---|---| -| `eckOperator.enabled` | Deploy the ECK operator | `true` | -| `elasticsearch.enabled` | Deploy an ECK-managed Elasticsearch cluster | `true` | +| `elasticsearch.enabled` | Deploy the ECK operator and an ECK-managed Elasticsearch cluster | `true` | | `elasticsearch.version` | Elasticsearch version to deploy | `8.18.8` | | `elasticsearch.fullnameOverride` | Override the Elasticsearch resource name. The ECK service will be `{name}-es-http` | `""` | | `elasticsearch.labels` | Labels applied to the Elasticsearch resource | `{}` | diff --git a/chart/skywalking/values-my-es.yaml b/chart/skywalking/values-my-es.yaml index 3bd18a6..aea448c 100644 --- a/chart/skywalking/values-my-es.yaml +++ b/chart/skywalking/values-my-es.yaml @@ -26,9 +26,6 @@ ui: image: tag: 10.0.0 -eckOperator: - enabled: false - elasticsearch: enabled: false config: # For users of an existing elasticsearch cluster, takes effect when `elasticsearch.enabled` is false diff --git a/chart/skywalking/values.yaml b/chart/skywalking/values.yaml index 497b34f..13837ef 100644 --- a/chart/skywalking/values.yaml +++ b/chart/skywalking/values.yaml 
@@ -194,12 +194,8 @@ oapInit: extraPodLabels: {} # sidecar.istio.io/inject: false -# ECK Operator settings -# Set eckOperator.enabled to false if the ECK operator is already installed in your cluster -eckOperator: - enabled: true - # Elasticsearch managed by ECK (eck-elasticsearch chart) +# When enabled, the ECK operator is also installed as a dependency. # ref: https://github.com/elastic/cloud-on-k8s elasticsearch: enabled: true diff --git a/test/e2e/e2e-elasticsearch.yaml b/test/e2e/e2e-elasticsearch.yaml index 26e8cfe..35a2509 100644 --- a/test/e2e/e2e-elasticsearch.yaml +++ b/test/e2e/e2e-elasticsearch.yaml @@ -40,17 +40,12 @@ setup: kubectl label namespace default istio-injection=enabled - name: Install helm command: bash test/e2e/setup-e2e-shell/install.sh helm - - name: Install ECK operator - command: | - helm dep up chart/skywalking - helm -n istio-system install eck-operator chart/skywalking/charts/eck-operator-3.3.1.tgz \ - --create-namespace - kubectl -n istio-system rollout status --watch --timeout=120s statefulset/elastic-operator - name: Install SkyWalking command: | + helm dep up chart/skywalking helm -n istio-system install skywalking chart/skywalking \ + --create-namespace \ --set fullnameOverride=skywalking \ - --set eckOperator.enabled=false \ --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=k8s-mesh \ --set oap.env.SW_ENVOY_METRIC_ALS_TCP_ANALYSIS=k8s-mesh \ --set oap.env.K8S_SERVICE_NAME_RULE='e2e::${service.metadata.name}' \ From e951587e946b82ba9c24561308fb0da22347a7ec Mon Sep 17 00:00:00 2001 From: Wu Sheng Date: Mon, 30 Mar 2026 15:43:37 +0800 Subject: [PATCH 2/5] Pin docker/login-action to approved SHA for Apache CI Apache enforces an allow list for third-party GitHub Actions. Pin docker/login-action to the approved v4.0.0 SHA in both e2e and publish workflows. --- .github/workflows/e2e.ci.yaml | 2 +- .github/workflows/publish-helm.yaml | 2 +- CLAUDE.md | 5 +++++ 3 files changed, 7 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/e2e.ci.yaml b/.github/workflows/e2e.ci.yaml index 0869c4f..4b81d0e 100644 --- a/.github/workflows/e2e.ci.yaml +++ b/.github/workflows/e2e.ci.yaml @@ -55,7 +55,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Login to ghcr - uses: docker/login-action@v1 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ghcr.io username: ${{ github.repository_owner }} diff --git a/.github/workflows/publish-helm.yaml b/.github/workflows/publish-helm.yaml index 1ae5c96..df2e051 100644 --- a/.github/workflows/publish-helm.yaml +++ b/.github/workflows/publish-helm.yaml @@ -45,7 +45,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Log in to the Container registry - uses: docker/login-action@v1.10.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ${{ env.HUB }} username: ${{ github.actor }} diff --git a/CLAUDE.md b/CLAUDE.md index 84ce3ce..f92d3f7 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -103,6 +103,11 @@ When modifying chart configuration, update all of: 4. `chart/skywalking/values-my-es.yaml` — external ES example (if ES-related) 5. `test/e2e/values.yaml` — test overrides (if defaults change) +## GitHub Actions Allow List + +Apache enforces an allow list for third-party GitHub Actions. All third-party actions must be pinned to an approved SHA from: +https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml + ## Git Workflow - **Do not push directly to master.** Always create a feature branch and open a PR. From ec336e47acd4bc4f41a53dae4eb6ed278dea031c Mon Sep 17 00:00:00 2001 
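Review bot: The context line `- uses: actions/checkout@v2` in e2e.ci.yaml (and `actions/checkout@v3` in publish-helm.yaml) stays on a mutable tag, so the jobs that receive registry credentials still run one action whose code can change without a commit in this repository. Whether the Apache allow list requires a SHA for GitHub-owned actions is not visible here, but pinning it the same way would be consistent: `- uses: actions/checkout@<approved-sha> # <tag>`. The trailing `# v4.0.0` comment is not machine-checked, so it is worth confirming that `b45d80f862d83dbcd57f89517bcf500b2ab88fb2` matches the allow-list entry for that tag. The change also moves from v1 / v1.10.0 to v4.0.0 and the `with:` block continues outside both hunks, so check that every input passed there is still accepted.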
From: Wu Sheng Date: Mon, 30 Mar 2026 16:00:25 +0800 Subject: [PATCH 3/5] Fix e2e: install ECK operator separately to ensure CRDs exist The ECK operator deploys CRDs via templates (not the crds/ folder), so a single helm install fails because the Elasticsearch CR is submitted before the CRD exists. Restore the separate ECK operator install step and use eck-operator subchart values to skip its duplicate deployment in the main chart install. --- chart/skywalking/README.md | 1 + test/e2e/e2e-elasticsearch.yaml | 10 ++++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/chart/skywalking/README.md b/chart/skywalking/README.md index cc3dffd..cd85362 100644 --- a/chart/skywalking/README.md +++ b/chart/skywalking/README.md @@ -119,6 +119,7 @@ The following table lists the configurable parameters of the Skywalking chart an Elasticsearch is deployed via [ECK (Elastic Cloud on Kubernetes)](https://github.com/elastic/cloud-on-k8s). The chart includes the ECK operator and an `eck-elasticsearch` subchart. The ECK operator is automatically installed when `elasticsearch.enabled=true` and skipped otherwise. +If the ECK operator is already installed in your cluster, you can skip its duplicate deployment by setting `eck-operator.replicaCount=0` and `eck-operator.installCRDs=false`. #### Top-level parameters diff --git a/test/e2e/e2e-elasticsearch.yaml b/test/e2e/e2e-elasticsearch.yaml index 35a2509..5f100a1 100644 --- a/test/e2e/e2e-elasticsearch.yaml +++ b/test/e2e/e2e-elasticsearch.yaml 
@@ -40,12 +40,18 @@ setup: kubectl label namespace default istio-injection=enabled - name: Install helm command: bash test/e2e/setup-e2e-shell/install.sh helm - - name: Install SkyWalking + - name: Install ECK operator command: | helm dep up chart/skywalking + helm -n istio-system install eck-operator chart/skywalking/charts/eck-operator-3.3.1.tgz \ + --create-namespace + kubectl -n istio-system rollout status --watch --timeout=120s statefulset/elastic-operator + - name: Install SkyWalking + command: | helm -n istio-system install skywalking chart/skywalking \ - --create-namespace \ --set fullnameOverride=skywalking \ + --set eck-operator.replicaCount=0 \ + --set eck-operator.installCRDs=false \ --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=k8s-mesh \ --set oap.env.SW_ENVOY_METRIC_ALS_TCP_ANALYSIS=k8s-mesh \ --set oap.env.K8S_SERVICE_NAME_RULE='e2e::${service.metadata.name}' \ From a8a16f82a9522e76f03800b7e55d5707006ca160 Mon Sep 17 00:00:00 2001 From: Wu Sheng Date: Mon, 30 Mar 2026 16:24:52 +0800 Subject: [PATCH 4/5] Fix e2e: install ECK CRDs separately to avoid ownership conflict Install only the eck-operator-crds subchart first to register the Elasticsearch CRD, then install the full SkyWalking chart (including the ECK operator) with installCRDs=false to avoid duplicate CRDs. This avoids both the CRD-not-found error and the Helm release ownership conflict. --- test/e2e/e2e-elasticsearch.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/test/e2e/e2e-elasticsearch.yaml b/test/e2e/e2e-elasticsearch.yaml index 5f100a1..81a5d98 100644 --- a/test/e2e/e2e-elasticsearch.yaml +++ b/test/e2e/e2e-elasticsearch.yaml 
@@ -40,17 +40,16 @@ setup: kubectl label namespace default istio-injection=enabled - name: Install helm command: bash test/e2e/setup-e2e-shell/install.sh helm - - name: Install ECK operator + - name: Install ECK CRDs command: | helm dep up chart/skywalking - helm -n istio-system install eck-operator chart/skywalking/charts/eck-operator-3.3.1.tgz \ + tar xzf chart/skywalking/charts/eck-operator-3.3.1.tgz -C /tmp eck-operator/charts/eck-operator-crds + helm -n istio-system install eck-crds /tmp/eck-operator/charts/eck-operator-crds \ --create-namespace - kubectl -n istio-system rollout status --watch --timeout=120s statefulset/elastic-operator - name: Install SkyWalking command: | helm -n istio-system install skywalking chart/skywalking \ --set fullnameOverride=skywalking \ - --set eck-operator.replicaCount=0 \ --set eck-operator.installCRDs=false \ --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=k8s-mesh \ --set oap.env.SW_ENVOY_METRIC_ALS_TCP_ANALYSIS=k8s-mesh \ From 6dae9c34df255363b59fa4d55a9c5326c99d2722 Mon Sep 17 00:00:00 2001 From: Wu Sheng Date: Mon, 30 Mar 2026 16:29:24 +0800 Subject: [PATCH 5/5] Fix docs: ECK CRDs must be installed before the chart The ECK Elasticsearch CRDs must exist before helm install because Helm validates custom resources against the API server. Update docs with the CRD pre-install step and rename e2e step back to Install ECK operator. --- README.md | 19 ++++++++++++++----- chart/skywalking/README.md | 4 ++-- test/e2e/e2e-elasticsearch.yaml | 2 +- 3 files changed, 17 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index a248162..213cbaa 100644 --- a/README.md +++ b/README.md 
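Review bot: The added `tar xzf … -C /tmp` line unpacks the CRD chart to the fixed path `/tmp/eck-operator`, and the following `helm install eck-crds` applies whatever is found there, so on a shared or reused host a directory already present at that path could supply manifests other than the packaged ones. A private directory avoids this: `CRDS_DIR="$(mktemp -d)"`, then `-C "$CRDS_DIR"` and `helm -n istio-system install eck-crds "$CRDS_DIR/eck-operator/charts/eck-operator-crds"`. The archive name also hard-codes `3.3.1`, which has to be kept in step with the version in Chart.yaml by hand. The README hunk in patch 5/5 gives users the same commands, where a shared host is more likely than on a CI runner.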
@@ -135,14 +135,23 @@ here are some examples. helm install "${SKYWALKING_RELEASE_NAME}" ${REPO}/skywalking -n "${SKYWALKING_RELEASE_NAMESPACE}" \ --set oap.image.tag=10.3.0 \ --set oap.storageType=elasticsearch \ - --set ui.image.tag=10.3.0 + --set ui.image.tag=10.3.0 \ + --set eck-operator.installCRDs=false +``` + +Elasticsearch is deployed via [ECK (Elastic Cloud on Kubernetes)](https://github.com/elastic/cloud-on-k8s). +When `elasticsearch.enabled=true` (the default), the chart deploys both the ECK operator and an Elasticsearch 8.18.8 cluster. +Because Elasticsearch CRDs must exist before the chart can be installed, you need to install them first: + +```shell +helm dep up chart/skywalking +tar xzf chart/skywalking/charts/eck-operator-3.3.1.tgz -C /tmp eck-operator/charts/eck-operator-crds +helm install eck-crds /tmp/eck-operator/charts/eck-operator-crds -n "${SKYWALKING_RELEASE_NAMESPACE}" --create-namespace ``` -Elasticsearch is now deployed via [ECK (Elastic Cloud on Kubernetes)](https://github.com/elastic/cloud-on-k8s). -By default, the chart deploys the ECK operator and an Elasticsearch 8.18.8 cluster. -The ECK operator is automatically installed when `elasticsearch.enabled=true` and skipped otherwise. +Then install the chart with `--set eck-operator.installCRDs=false` to avoid duplicating the CRDs. -To use an existing external Elasticsearch instead, disable the embedded deployment: +To use an existing external Elasticsearch instead, disable the embedded deployment (no CRD pre-install needed): ```yaml elasticsearch: diff --git a/chart/skywalking/README.md b/chart/skywalking/README.md index cd85362..418b05c 100644 --- a/chart/skywalking/README.md +++ b/chart/skywalking/README.md 
@@ -118,8 +118,8 @@ The following table lists the configurable parameters of the Skywalking chart an ### Elasticsearch (ECK) Elasticsearch is deployed via [ECK (Elastic Cloud on Kubernetes)](https://github.com/elastic/cloud-on-k8s). -The chart includes the ECK operator and an `eck-elasticsearch` subchart. The ECK operator is automatically installed when `elasticsearch.enabled=true` and skipped otherwise. -If the ECK operator is already installed in your cluster, you can skip its duplicate deployment by setting `eck-operator.replicaCount=0` and `eck-operator.installCRDs=false`. +The chart includes the ECK operator and an `eck-elasticsearch` subchart, both controlled by `elasticsearch.enabled`. +Because Elasticsearch CRDs must exist before the ES custom resource can be created, the ECK operator CRDs need to be installed separately before deploying the chart. See the main [README](../../README.md) for installation steps. #### Top-level parameters diff --git a/test/e2e/e2e-elasticsearch.yaml b/test/e2e/e2e-elasticsearch.yaml index 81a5d98..4afe7e7 100644 --- a/test/e2e/e2e-elasticsearch.yaml +++ b/test/e2e/e2e-elasticsearch.yaml @@ -40,7 +40,7 @@ setup: kubectl label namespace default istio-injection=enabled - name: Install helm command: bash test/e2e/setup-e2e-shell/install.sh helm - - name: Install ECK CRDs + - name: Install ECK operator command: | helm dep up chart/skywalking tar xzf chart/skywalking/charts/eck-operator-3.3.1.tgz -C /tmp eck-operator/charts/eck-operator-crds