@davidlu1001
Created March 19, 2026 21:31
es-qa.yaml
---
## QA Elasticsearch cluster configuration
##
## Overrides default.yaml for the QA environment.
## nodeSets is an array — this block REPLACES the default entirely.
## All security context, init containers, scheduling must be repeated here.

# ============================================================================
# Node sets — QA
# ============================================================================
nodeSets:
  - name: default
    count: 1
    config:
      node.roles:
        - master
        - data
        - ingest
      node.store.allow_mmap: false
      bootstrap.memory_lock: true
    podTemplate:
      spec:
        # ----------------------------------------------------------------
        # Init containers — repeated for AKS Gatekeeper compliance
        # ----------------------------------------------------------------
        initContainers:
          - name: elastic-internal-init-filesystem
            image: asbacr01immuta01.azurecr.io/elasticsearch/elasticsearch:8.19.9
            imagePullPolicy: IfNotPresent
            securityContext:
              runAsUser: 1000
              runAsGroup: 1000
              seccompProfile:
                type: RuntimeDefault
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                  - ALL
            resources:
              limits:
                cpu: 100m
                memory: 50Mi
              requests:
                cpu: 100m
                memory: 50Mi
        # ----------------------------------------------------------------
        # Pod-level security context
        # ----------------------------------------------------------------
        securityContext:
          runAsNonRoot: true
          runAsUser: 1000
          runAsGroup: 1000
          fsGroup: 1000
          seccompProfile:
            type: RuntimeDefault
        # ----------------------------------------------------------------
        # Containers — QA sizing
        # ----------------------------------------------------------------
        containers:
          - name: elasticsearch
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              runAsUser: 1000
              runAsGroup: 1000
              capabilities:
                drop:
                  - ALL
              seccompProfile:
                type: RuntimeDefault
            resources:
              requests:
                cpu: 1000m
                memory: 2Gi
              limits:
                memory: 4Gi
            env:
              - name: ES_JAVA_OPTS
                value: "-Xms2g -Xmx2g"
        # ----------------------------------------------------------------
        # Scheduling — QA
        # ----------------------------------------------------------------
        nodeSelector:
          agentpool: espool
        tolerations:
          - key: "elasticsearch"
            operator: "Equal"
            value: "true"
            effect: "NoSchedule"
        topologySpreadConstraints: []
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - weight: 100
                podAffinityTerm:
                  labelSelector:
                    matchExpressions:
                      - key: elasticsearch.k8s.elastic.co/cluster-name
                        operator: In
                        values:
                          - immuta-es
                  topologyKey: kubernetes.io/hostname
    # ----------------------------------------------------------------
    # Storage — QA
    # ----------------------------------------------------------------
    volumeClaimTemplates:
      - metadata:
          name: elasticsearch-data
        spec:
          accessModes:
            - ReadWriteOnce
          storageClassName: managed-csi-premium-zrs-with-privatelink
          resources:
            requests:
              storage: 50Gi

# ============================================================================
# ILM — QA: shorter retention to save cost
# ============================================================================
ilm:
  enabled: false
  policyName: immuta-audit-policy
  # image: asbacr01immuta01.azurecr.io/curlimages/curl:8.1.2
  policy:
    hot:
      rollover:
        max_age: "7d"
        max_primary_shard_size: "50gb"
    warm:
      min_age: "30d"
      shrink:
        number_of_shards: 1
      forcemerge:
        max_num_segments: 1
    delete:
      min_age: "90d"