Graylog2 · monrax · Aug 25, 2025 · Jun 25, 2025 · Jun 26, 2025 · Jun 27, 2025
diff --git a/README.md b/README.md
diff --git a/graylog/templates/_helpers.tpl b/graylog/templates/_helpers.tpl
@@ -257,4 +257,56 @@ Datanode configmap name
 */}}
 {{- define "graylog.datanode.configmapName" -}}
 {{- include "graylog.fullname" . | printf "%s-datanode-config" }}
-{{- end }}
+{{- end }}
+
+{{/*
+Custom enviroment variables
+usage: {{ include "graylog.custom.env" .Values.{graylog|datanode} | indent N }}
+*/}}
+{{- define "graylog.custom.env" }}
+{{- $explicit := list }}
+{{- range $_, $e := .custom.extraEnv }}
+{{- if $e.name }}{{ $explicit = append $explicit .name }}{{ end }}
+- {{ toYaml $e | nindent 2 | trim }}
+{{- end }}
+{{- range $k, $v := .custom.env }}
+{{- if has $k $explicit | not }}
+- name: {{ $k }}
+  value: {{ $v | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Graylog plugins
+*/}}
+{{- define "graylog.pluginURLs" }}
+{{- if and .Values.graylog.config.plugins.enabled .Values.graylog.config.init.assetFetch.enabled .Values.graylog.config.init.assetFetch.plugins.enabled .Values.graylog.plugins }}
+{{- $urls := list }}
+{{- $baseUrl := .Values.graylog.config.init.assetFetch.plugins.baseUrl | default "" }}
+{{- $skipChecksum := .Values.graylog.config.init.assetFetch.skipChecksum | default false }}
+{{- $allowHttp := .Values.graylog.config.init.assetFetch.allowHttp | default false }}
+{{- if not $allowHttp | and (hasPrefix "http://" $baseUrl) }}
+{{- printf "Validation error: plugin baseUrl is '%s'. Only HTTPS is allowed for plugin URLs." $baseUrl | fail }}
+{{- end }}
+{{- range .Values.graylog.plugins }}
+{{- $url := .url }}
+{{- if $url }}
+{{- if and (not $skipChecksum) (empty .checksum) }}
+{{- printf "Validation error: checksum verification is enabled but no checksum hash has been provided for plugin '%s'." .name | fail }}
+{{- end }}
+{{- if and (hasPrefix "http://" $url | not) (hasPrefix "https://" $url | not) }}
+{{- $url = printf "%s/%s" (trimSuffix "/" $baseUrl) (trimPrefix "/" $url) }}
+{{- end }}
+{{- if not $allowHttp | and (hasPrefix "http://" $url) }}
+{{- printf "Validation error: plugin '%s' is using URL '%s'. Only HTTPS is allowed for plugin URLs." .name $url | fail }}
+{{- end }}
+{{- if not $skipChecksum }}
+{{- $url = printf "%s|%s" $url .checksum }}
+{{- end }}
+{{- $urls = printf "%s|%s" .name $url | append $urls }}
+{{- end }}
+{{- end }}
+{{- $urls | join "^" | quote }}
+{{- end }}
+{{- end }}
diff --git a/graylog/templates/config/init-graylog.yaml b/graylog/templates/config/init-graylog.yaml
@@ -12,11 +12,38 @@ data:
     else
       cp -r /usr/share/graylog/data/* /mnt/data/
     fi
+    {{- if .Values.graylog.config.plugins.enabled }}
+    # copy plugins
+    [ -d /mnt/shared/plugins ] && find /mnt/shared/plugins/ -type f -name '*.jar' -exec cp {} /mnt/plugins/ \;
+
+    {{- if and .Values.graylog.config.init.assetFetch.enabled .Values.graylog.config.init.assetFetch.plugins.enabled }}
+    # retrieve plugins directly
+    for urlchecksum in $(echo "${GRAYLOG_PLUGIN_URLS}" | tr "^" "\n"); do
+      name=$(echo "$urlchecksum" | cut -d'|' -f1)
+      url=$(echo "$urlchecksum" | cut -d'|' -f2)
+      checksum=$(echo "$urlchecksum" | cut -d'|' -f3)
+      wget "$url" -O "$name.jar" || { echo "Failed to fetch plugin $name.jar at $url"; continue; }
+      if [ -n "$checksum" ]; then
+        actual=$(sha256sum "$name.jar" | awk '{print $1}')
+        if [ "$checksum" = "$actual" ]; then
+          echo "Plugin checksum matches for $name.jar"
+          cp "$name.jar" "/mnt/plugins/" && rm "$name.jar"
+        else
+          echo "Plugin checksum does NOT match for $name. Skipping plugin."
+          rm "$name.jar"
+        fi
+      else
+        echo "Warning: no checksum validation has been performed for plugin $name.jar"
+        cp "$name.jar" "/mnt/plugins/" && rm "$name.jar"
+      fi
+    done
+    {{- end }}
+    {{- end }}
     # check mongo credentials
     if env | grep GRAYLOG_MONGODB_URI | grep -q "@"; then
       echo "MongoDB credentials set. We're good to go!"
     else
       echo "Error: MongoDB credentials not set in MongoDB URI. Make sure secrets are up to date."
       exit 1
     fi
-{{- end }}
+    {{- end }}
diff --git a/graylog/templates/workload/statefulsets/datanode.yaml b/graylog/templates/workload/statefulsets/datanode.yaml
@@ -87,6 +87,7 @@ spec:
                 secretKeyRef:
                   name: {{ include "graylog.secretsName" . }}
                   key: GRAYLOG_S3_CLIENT_DEFAULT_ACCESS_KEY
+            {{- include "graylog.custom.env" .Values.datanode | indent 12 }}
           ports:
             - name: api
               containerPort: {{ .Values.datanode.custom.service.ports.api | default 8999 | int }}

diff --git a/graylog/templates/workload/statefulsets/graylog.yaml b/graylog/templates/workload/statefulsets/graylog.yaml
@@ -61,6 +61,11 @@ spec:
           image: {{ include "graylog.image" . }}
           imagePullPolicy: {{ .Values.graylog.custom.image.imagePullPolicy }}
           command: [ "/bin/sh", "/scripts/init-script.sh" ]
+          {{- if and .Values.graylog.config.plugins.enabled .Values.graylog.config.init.assetFetch.enabled .Values.graylog.config.init.assetFetch.plugins.enabled .Values.graylog.plugins }}
+          env:
+            - name: GRAYLOG_PLUGIN_URLS
+              value: {{ include "graylog.pluginURLs" . }}
+          {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ include "graylog.configmapName" . }}
@@ -71,10 +76,34 @@ spec:
               mountPath: /mnt/data
             - name: init-script
               mountPath: /scripts
+        {{- if .Values.graylog.config.plugins.enabled }}
+            - name: init-plugins
+              mountPath: /mnt/plugins
+            {{- range .Values.graylog.plugins }}
+            {{- if empty .image | and .existingClaim }}
+            - name: {{ .name }}
+              mountPath: {{ printf "/mnt/shared/plugins/%s" .name }}
+            {{- end }}
+            {{- end }}
+        {{- range .Values.graylog.plugins }}
+        {{- if empty .existingClaim | and .image }}
+        - name: {{ printf "copy-plugin-%s" .name }}
+          image: {{ .image }}
+          command: [ "/bin/sh", "-c", "cp *.jar /mnt/plugins/" ]
+          volumeMounts:
+            - name: init-plugins
+              mountPath: /mnt/plugins
+        {{- end }}
+        {{- end }}
+        {{- end }}
       containers:
         - name: graylog-app
           image: {{ include "graylog.image" . }}
           imagePullPolicy: {{ .Values.graylog.custom.image.imagePullPolicy }}
+          {{- if or .Values.graylog.custom.env .Values.graylog.custom.extraEnv }}
+          env:
+            {{- include "graylog.custom.env" .Values.graylog | indent 12 }}
+          {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ include "graylog.configmapName" . }}
@@ -89,7 +118,7 @@ spec:
               protocol: TCP
             {{- range .Values.graylog.inputs }}
             - name: {{ .name }}
-              containerPort: {{ .targetPort | int }}
+              containerPort: {{ .targetPort | default .port | int }}
               protocol: {{ .protocol }}
             {{- end }}
             - name: input-fwd-conf
@@ -126,6 +155,10 @@ spec:
             - name: tls-creds
               mountPath: /usr/share/graylog/tls
             {{- end }}
+            {{- if .Values.graylog.config.plugins.enabled }}
+            - name: init-plugins
+              mountPath: /usr/share/graylog/plugin
+            {{- end }}
       tolerations:
       {{- with .Values.graylog.custom.tolerations }}
         {{- toYaml . | nindent 8 }}
@@ -138,12 +171,23 @@ spec:
       - name: init-script
         configMap:
           name: init-script-cm
-          defaultMode: 0755  # Make script executable
+          defaultMode: 0755
       {{- if .Values.graylog.config.tls.byoc.enabled }}
       - name: tls-creds
         secret:
           secretName: {{ .Values.graylog.config.tls.byoc.secretName | quote }}
       {{- end }}
+      {{- if .Values.graylog.config.plugins.enabled }}
+      - name: init-plugins
+        emptyDir: {}
+      {{- range .Values.graylog.plugins }}
+      {{- if empty .url | and .existingClaim }}
+      - name: {{ .name }}
+        persistentVolumeClaim:
+          claimName: {{ .existingClaim }}
+      {{- end }}
+      {{- end }}
+      {{- end }}
       {{- if not .Values.graylog.custom.persistence.enabled | or .Values.graylog.custom.persistence.existingClaim }}
       - name: {{ include "graylog.volumeName" . }}
         {{- if .Values.graylog.custom.persistence.existingClaim }}

diff --git a/graylog/values.schema.json b/graylog/values.schema.json
@@ -137,6 +137,18 @@
             "affinity": {
               "type": "object"
             },
+            "env": {
+              "type": "object",
+              "additionalProperties": {
+                "type": ["string","number","boolean"]
+              },
+              "description": "Key/value env vars rendered as literals"
+            },
+            "extraEnv": {
+              "type": "array",
+              "items": { "type": "object" },
+              "description": "Full EnvVar objects (supports valueFrom)"
+            },
             "inputs": {
               "type": "object",
               "properties": {
@@ -293,6 +305,18 @@
             "affinity": {
               "type": "object"
             },
+            "env": {
+              "type": "object",
+              "additionalProperties": {
+                "type": ["string","number","boolean"]
+              },
+              "description": "Key/value env vars rendered as literals"
+            },
+            "extraEnv": {
+              "type": "array",
+              "items": { "type": "object" },
+              "description": "Full EnvVar objects (supports valueFrom)"
+            },
             "image": {
               "type": "object",
               "properties": {

diff --git a/graylog/values.yaml b/graylog/values.yaml
@@ -37,6 +37,7 @@ graylog:
       port: 13301
       targetPort: 13301
       protocol: TCP
+  plugins:
   # Graylog server configuration (server.conf)
   config:
     rootUsername: "admin"
@@ -94,12 +95,27 @@ graylog:
       useSsl: "false"
       useTls: "true"
       webInterfaceUrl: "https://graylog.example.com"
+    plugins:
+      enabled: false
+    init:
+      assetFetch:
+        enabled: false
+        skipChecksum: false
+        allowHttp: false
+        plugins:
+          enabled: false
+          baseUrl:
+        geolocation:
+          enabled: false
+          baseUrl:
   # Custom Kubernetes-specific parameters
   custom:
     podAnnotations: {}
     nodeSelector: {}
     tolerations: {}
     affinity: {}
+    env: {}
+    extraEnv: []
     inputs:
       enabled: true
     metrics:
@@ -180,6 +196,8 @@ datanode:
     nodeSelector: {}
     tolerations: {}
     affinity: {}
+    env: {}
+    extraEnv: []
     image:
       repository: ""
       tag: ""