From 93630ac6e3477bfb6d9c507a8f1287b74047d740 Mon Sep 17 00:00:00 2001 From: Steve Wilkerson Date: Tue, 4 Sep 2018 10:51:13 -0500 Subject: [PATCH] MariaDB: Move chart to openstack-helm-infra This moves the mariadb chart to openstack-helm-infra as part of the effort to move charts to the appropriate repositories Change-Id: Ife56e28de46c536108cebb4f4cdf6bad2a415289 Story: 2002204 Task: 21725 --- .../install/developer/deploy-with-ceph.rst | 13 + .../install/developer/deploy-with-nfs.rst | 13 + doc/source/install/multinode.rst | 13 + mariadb/.helmignore | 21 + mariadb/Chart.yaml | 25 + mariadb/README.rst | 38 + mariadb/files/nginx.tmpl | 901 ++++++++++++++++++ mariadb/requirements.yaml | 18 + .../bin/_mariadb-ingress-controller.sh.tpl | 38 + .../bin/_mariadb-ingress-error-pages.sh.tpl | 26 + mariadb/templates/bin/_readiness.sh.tpl | 52 + mariadb/templates/bin/_start.sh.tpl | 188 ++++ mariadb/templates/bin/_stop.sh.tpl | 24 + mariadb/templates/configmap-bin.yaml | 39 + mariadb/templates/configmap-etc.yaml | 39 + mariadb/templates/configmap-services-tcp.yaml | 26 + mariadb/templates/deployment-error.yaml | 83 ++ mariadb/templates/deployment-ingress.yaml | 202 ++++ mariadb/templates/etc/_00-base.cnf.tpl | 107 +++ mariadb/templates/etc/_20-override.cnf.tpl | 17 + mariadb/templates/etc/_99-force.cnf.tpl | 19 + mariadb/templates/etc/_my.cnf.tpl | 22 + mariadb/templates/job-image-repo-sync.yaml | 20 + .../prometheus/bin/_create-mysql-user.sh.tpl | 24 + .../prometheus/bin/_mysqld-exporter.sh.tpl | 30 + .../prometheus/exporter-configmap-bin.yaml | 29 + .../prometheus/exporter-deployment.yaml | 91 ++ .../prometheus/exporter-job-create-user.yaml | 83 ++ .../prometheus/exporter-secrets-etc.yaml | 35 + .../prometheus/exporter-service.yaml | 37 + .../prometheus/secrets/_exporter_user.cnf.tpl | 21 + mariadb/templates/pdb-mariadb.yaml | 29 + .../templates/secret-db-root-password.yaml | 27 + mariadb/templates/secrets-etc.yaml | 27 + mariadb/templates/secrets/_admin_user.cnf.tpl | 21 + mariadb/templates/service-discovery.yaml | 35 + mariadb/templates/service-error.yaml | 34 + mariadb/templates/service-ingress.yaml | 33 + mariadb/templates/service.yaml | 30 + mariadb/templates/statefulset.yaml | 182 ++++ mariadb/values.yaml | 289 ++++++ playbooks/osh-infra-dev-deploy-ceph.yaml | 6 + playbooks/osh-infra-dev-deploy-nfs.yaml | 6 + playbooks/osh-infra-multinode-deploy.yaml | 6 + playbooks/osh-infra-openstack-support.yaml | 6 + .../deployment/developer/ceph/045-mariadb.sh | 1 + .../developer/common/045-mariadb.sh | 34 + .../developer/common/100-grafana.sh | 23 +- tools/deployment/developer/nfs/045-mariadb.sh | 1 + tools/deployment/multinode/045-mariadb.sh | 33 + tools/deployment/multinode/100-grafana.sh | 25 +- .../openstack-support/035-mariadb.sh | 34 + 52 files changed, 3130 insertions(+), 46 deletions(-) create mode 100644 mariadb/.helmignore create mode 100644 mariadb/Chart.yaml create mode 100644 mariadb/README.rst create mode 100644 mariadb/files/nginx.tmpl create mode 100644 mariadb/requirements.yaml create mode 100644 mariadb/templates/bin/_mariadb-ingress-controller.sh.tpl create mode 100644 mariadb/templates/bin/_mariadb-ingress-error-pages.sh.tpl create mode 100644 mariadb/templates/bin/_readiness.sh.tpl create mode 100644 mariadb/templates/bin/_start.sh.tpl create mode 100644 mariadb/templates/bin/_stop.sh.tpl create mode 100644 mariadb/templates/configmap-bin.yaml create mode 100644 mariadb/templates/configmap-etc.yaml create mode 100644 mariadb/templates/configmap-services-tcp.yaml create mode 100644 mariadb/templates/deployment-error.yaml create mode 100644 mariadb/templates/deployment-ingress.yaml create mode 100644 mariadb/templates/etc/_00-base.cnf.tpl create mode 100644 mariadb/templates/etc/_20-override.cnf.tpl create mode 100644 mariadb/templates/etc/_99-force.cnf.tpl create mode 100644 mariadb/templates/etc/_my.cnf.tpl create mode 100644 mariadb/templates/job-image-repo-sync.yaml create mode 100644 mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl create mode 100644 mariadb/templates/monitoring/prometheus/bin/_mysqld-exporter.sh.tpl create mode 100644 mariadb/templates/monitoring/prometheus/exporter-configmap-bin.yaml create mode 100644 mariadb/templates/monitoring/prometheus/exporter-deployment.yaml create mode 100644 mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml create mode 100644 mariadb/templates/monitoring/prometheus/exporter-secrets-etc.yaml create mode 100644 mariadb/templates/monitoring/prometheus/exporter-service.yaml create mode 100644 mariadb/templates/monitoring/prometheus/secrets/_exporter_user.cnf.tpl create mode 100644 mariadb/templates/pdb-mariadb.yaml create mode 100644 mariadb/templates/secret-db-root-password.yaml create mode 100644 mariadb/templates/secrets-etc.yaml create mode 100644 mariadb/templates/secrets/_admin_user.cnf.tpl create mode 100644 mariadb/templates/service-discovery.yaml create mode 100644 mariadb/templates/service-error.yaml create mode 100644 mariadb/templates/service-ingress.yaml create mode 100644 mariadb/templates/service.yaml create mode 100644 mariadb/templates/statefulset.yaml create mode 100644 mariadb/values.yaml create mode 120000 tools/deployment/developer/ceph/045-mariadb.sh create mode 100755 tools/deployment/developer/common/045-mariadb.sh create mode 120000 tools/deployment/developer/nfs/045-mariadb.sh create mode 100755 tools/deployment/multinode/045-mariadb.sh create mode 100755 tools/deployment/openstack-support/035-mariadb.sh diff --git a/doc/source/install/developer/deploy-with-ceph.rst b/doc/source/install/developer/deploy-with-ceph.rst index 1658ea16f..915a8f549 100644 --- a/doc/source/install/developer/deploy-with-ceph.rst +++ b/doc/source/install/developer/deploy-with-ceph.rst @@ -67,6 +67,19 @@ Alternatively, this step can be performed by running the script directly: ./tools/deployment/developer/ceph/040-ldap.sh +Deploy MariaDB +^^^^^^^^^^^^^^ + +.. literalinclude:: ../../../../tools/deployment/developer/ceph/045-mariadb.sh + :language: shell + :lines: 1,17- + +Alternatively, this step can be performed by running the script directly: + +.. code-block:: shell + + ./tools/deployment/developer/ceph/045-mariadb.sh + Deploy Prometheus ^^^^^^^^^^^^^^^^^ diff --git a/doc/source/install/developer/deploy-with-nfs.rst b/doc/source/install/developer/deploy-with-nfs.rst index c6b9bc023..90ba42223 100644 --- a/doc/source/install/developer/deploy-with-nfs.rst +++ b/doc/source/install/developer/deploy-with-nfs.rst @@ -54,6 +54,19 @@ Alternatively, this step can be performed by running the script directly: ./tools/deployment/developer/nfs/040-ldap.sh +Deploy MariaDB +^^^^^^^^^^^^^^ + +.. literalinclude:: ../../../../tools/deployment/developer/nfs/045-mariadb.sh + :language: shell + :lines: 1,17- + +Alternatively, this step can be performed by running the script directly: + +.. code-block:: shell + + ./tools/deployment/developer/nfs/045-mariadb.sh + Deploy Prometheus ^^^^^^^^^^^^^^^^^ diff --git a/doc/source/install/multinode.rst b/doc/source/install/multinode.rst index 80930f7b3..257db44a9 100644 --- a/doc/source/install/multinode.rst +++ b/doc/source/install/multinode.rst @@ -67,6 +67,19 @@ Alternatively, this step can be performed by running the script directly: ./tools/deployment/multinode/040-ldap.sh +Deploy MariaDB +^^^^^^^^^^^^^^ + +.. literalinclude:: ../../../tools/deployment/multinode/045-mariadb.sh + :language: shell + :lines: 1,17- + +Alternatively, this step can be performed by running the script directly: + +.. code-block:: shell + + ./tools/deployment/multinode/045-mariadb.sh + Deploy Prometheus ^^^^^^^^^^^^^^^^^ diff --git a/mariadb/.helmignore b/mariadb/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/mariadb/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/mariadb/Chart.yaml b/mariadb/Chart.yaml new file mode 100644 index 000000000..8f6d1a2a4 --- /dev/null +++ b/mariadb/Chart.yaml @@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: OpenStack-Helm MariaDB +name: mariadb +version: 0.1.0 +home: https://mariadb.com/kb/en/ +icon: http://badges.mariadb.org/mariadb-badge-180x60.png +sources: + - https://github.com/MariaDB/server + - https://git.openstack.org/cgit/openstack/openstack-helm +maintainers: + - name: OpenStack-Helm Authors diff --git a/mariadb/README.rst b/mariadb/README.rst new file mode 100644 index 000000000..93af0868a --- /dev/null +++ b/mariadb/README.rst @@ -0,0 +1,38 @@ +openstack-helm/mariadb +====================== + +By default, this chart creates a 3-member mariadb galera cluster. + +This chart leverages StatefulSets, with persistent storage. + +It creates a job that acts as a temporary standalone galera cluster. +This host is bootstrapped with authentication and then the WSREP +bindings are exposed publicly. The cluster members being StatefulSets +are provisioned one at a time. The first host must be marked as +``Ready`` before the next host will be provisioned. This is determined +by the readinessProbes which actually validate that MySQL is up and +responsive. + +The configuration leverages xtrabackup-v2 for synchronization. This may +later be augmented to leverage rsync which has some benefits. + +Once the seed job completes, which completes only when galera reports +that it is Synced and all cluster members are reporting in thus matching +the cluster count according to the job to the replica count in the helm +values configuration, the job is terminated. When the job is no longer +active, future StatefulSets provisioned will leverage the existing +cluster members as gcomm endpoints. It is only when the job is running +that the cluster members leverage the seed job as their gcomm endpoint. +This ensures you can restart members and scale the cluster. + +The StatefulSets all leverage PVCs to provide stateful storage to +``/var/lib/mysql``. + +You must ensure that your control nodes that should receive mariadb +instances are labeled with ``openstack-control-plane=enabled``, or +whatever you have configured in values.yaml for the label +configuration: + +:: + + kubectl label nodes openstack-control-plane=enabled --all diff --git a/mariadb/files/nginx.tmpl b/mariadb/files/nginx.tmpl new file mode 100644 index 000000000..b74b2b633 --- /dev/null +++ b/mariadb/files/nginx.tmpl @@ -0,0 +1,901 @@ +{{ $all := . }} +{{ $servers := .Servers }} +{{ $cfg := .Cfg }} +{{ $IsIPV6Enabled := .IsIPV6Enabled }} +{{ $healthzURI := .HealthzURI }} +{{ $backends := .Backends }} +{{ $proxyHeaders := .ProxySetHeaders }} +{{ $addHeaders := .AddHeaders }} + +{{ if $cfg.EnableModsecurity }} +load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; +{{ end }} + +{{ if $cfg.EnableOpentracing }} +load_module /etc/nginx/modules/ngx_http_opentracing_module.so; +{{ end }} + +{{ if (and $cfg.EnableOpentracing (ne $cfg.ZipkinCollectorHost "")) }} +load_module /etc/nginx/modules/ngx_http_zipkin_module.so; +{{ end }} + +daemon off; + +worker_processes {{ $cfg.WorkerProcesses }}; +pid /run/nginx.pid; +{{ if ne .MaxOpenFiles 0 }} +worker_rlimit_nofile {{ .MaxOpenFiles }}; +{{ end}} + +{{/* http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout */}} +{{/* avoid waiting too long during a reload */}} +worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ; + +events { + multi_accept on; + worker_connections {{ $cfg.MaxWorkerConnections }}; + use epoll; +} + +http { + {{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}} + {{ if $cfg.UseProxyProtocol }} + real_ip_header proxy_protocol; + {{ else }} + real_ip_header {{ $cfg.ForwardedForHeader }}; + {{ end }} + + real_ip_recursive on; + {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }} + set_real_ip_from {{ $trusted_ip }}; + {{ end }} + + {{/* databases used to determine the country depending on the client IP address */}} + {{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}} + {{/* this is require to calculate traffic for individual country using GeoIP in the status page */}} + geoip_country /etc/nginx/GeoIP.dat; + geoip_city /etc/nginx/GeoLiteCity.dat; + geoip_proxy_recursive on; + + {{ if $cfg.EnableVtsStatus }} + vhost_traffic_status_zone shared:vhost_traffic_status:{{ $cfg.VtsStatusZoneSize }}; + vhost_traffic_status_filter_by_set_key {{ $cfg.VtsDefaultFilterKey }}; + {{ end }} + + sendfile on; + + aio threads; + aio_write on; + + tcp_nopush on; + tcp_nodelay on; + + log_subrequest on; + + reset_timedout_connection on; + + keepalive_timeout {{ $cfg.KeepAlive }}s; + keepalive_requests {{ $cfg.KeepAliveRequests }}; + + client_header_buffer_size {{ $cfg.ClientHeaderBufferSize }}; + client_header_timeout {{ $cfg.ClientHeaderTimeout }}s; + large_client_header_buffers {{ $cfg.LargeClientHeaderBuffers }}; + client_body_buffer_size {{ $cfg.ClientBodyBufferSize }}; + client_body_timeout {{ $cfg.ClientBodyTimeout }}s; + + http2_max_field_size {{ $cfg.HTTP2MaxFieldSize }}; + http2_max_header_size {{ $cfg.HTTP2MaxHeaderSize }}; + + types_hash_max_size 2048; + server_names_hash_max_size {{ $cfg.ServerNameHashMaxSize }}; + server_names_hash_bucket_size {{ $cfg.ServerNameHashBucketSize }}; + map_hash_bucket_size {{ $cfg.MapHashBucketSize }}; + + proxy_headers_hash_max_size {{ $cfg.ProxyHeadersHashMaxSize }}; + proxy_headers_hash_bucket_size {{ $cfg.ProxyHeadersHashBucketSize }}; + + variables_hash_bucket_size {{ $cfg.VariablesHashBucketSize }}; + variables_hash_max_size {{ $cfg.VariablesHashMaxSize }}; + + underscores_in_headers {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }}; + ignore_invalid_headers {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }}; + + {{ if $cfg.EnableOpentracing }} + opentracing on; + {{ end }} + + {{ if (and $cfg.EnableOpentracing (ne $cfg.ZipkinCollectorHost "")) }} + zipkin_collector_host {{ $cfg.ZipkinCollectorHost }}; + zipkin_collector_port {{ $cfg.ZipkinCollectorPort }}; + zipkin_service_name {{ $cfg.ZipkinServiceName }}; + {{ end }} + + include /etc/nginx/mime.types; + default_type text/html; + + {{ if $cfg.EnableBrotli }} + brotli on; + brotli_comp_level {{ $cfg.BrotliLevel }}; + brotli_types {{ $cfg.BrotliTypes }}; + {{ end }} + + {{ if $cfg.UseGzip }} + gzip on; + gzip_comp_level 5; + gzip_http_version 1.1; + gzip_min_length 256; + gzip_types {{ $cfg.GzipTypes }}; + gzip_proxied any; + gzip_vary on; + {{ end }} + + # Custom headers for response + {{ range $k, $v := $addHeaders }} + add_header {{ $k }} "{{ $v }}"; + {{ end }} + + server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }}; + + # disable warnings + uninitialized_variable_warn off; + + # Additional available variables: + # $namespace + # $ingress_name + # $service_name + log_format upstreaminfo {{ if $cfg.LogFormatEscapeJSON }}escape=json {{ end }}'{{ buildLogFormatUpstream $cfg }}'; + + {{/* map urls that should not appear in access.log */}} + {{/* http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}} + map $request_uri $loggable { + {{ range $reqUri := $cfg.SkipAccessLogURLs }} + {{ $reqUri }} 0;{{ end }} + default 1; + } + + {{ if $cfg.DisableAccessLog }} + access_log off; + {{ else }} + access_log {{ $cfg.AccessLogPath }} upstreaminfo if=$loggable; + {{ end }} + error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }}; + + {{ buildResolvers $cfg.Resolver }} + + {{/* Whenever nginx proxies a request without a "Connection" header, the "Connection" header is set to "close" */}} + {{/* when making the target request. This means that you cannot simply use */}} + {{/* "proxy_set_header Connection $http_connection" for WebSocket support because in this case, the */}} + {{/* "Connection" header would be set to "" whenever the original request did not have a "Connection" header, */}} + {{/* which would mean no "Connection" header would be in the target request. Since this would deviate from */}} + {{/* normal nginx behavior we have to use this approach. */}} + # Retain the default nginx handling of requests without a "Connection" header + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip { + {{ if $cfg.UseProxyProtocol }} + # Get IP address from Proxy Protocol + default $proxy_protocol_addr; + {{ else }} + default $remote_addr; + {{ end }} + } + + # trust http_x_forwarded_proto headers correctly indicate ssl offloading + map $http_x_forwarded_proto $pass_access_scheme { + default $http_x_forwarded_proto; + '' $scheme; + } + + map $http_x_forwarded_port $pass_server_port { + default $http_x_forwarded_port; + '' $server_port; + } + + map $http_x_forwarded_host $best_http_host { + default $http_x_forwarded_host; + '' $this_host; + } + + {{ if $all.IsSSLPassthroughEnabled }} + # map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port + map $pass_server_port $pass_port { + {{ $all.ListenPorts.SSLProxy }} 443; + default $pass_server_port; + } + {{ else }} + map $pass_server_port $pass_port { + 443 443; + default $pass_server_port; + } + {{ end }} + + # Obtain best http host + map $http_host $this_host { + default $http_host; + '' $host; + } + + {{ if $cfg.ComputeFullForwardedFor }} + # We can't use $proxy_add_x_forwarded_for because the realip module + # replaces the remote_addr too soon + map $http_x_forwarded_for $full_x_forwarded_for { + {{ if $all.Cfg.UseProxyProtocol }} + default "$http_x_forwarded_for, $proxy_protocol_addr"; + '' "$proxy_protocol_addr"; + {{ else }} + default "$http_x_forwarded_for, $realip_remote_addr"; + '' "$realip_remote_addr"; + {{ end}} + } + {{ end }} + + server_name_in_redirect off; + port_in_redirect off; + + ssl_protocols {{ $cfg.SSLProtocols }}; + + # turn on session caching to drastically improve performance + {{ if $cfg.SSLSessionCache }} + ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }}; + ssl_session_timeout {{ $cfg.SSLSessionTimeout }}; + {{ end }} + + # allow configuring ssl session tickets + ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }}; + + {{ if not (empty $cfg.SSLSessionTicketKey ) }} + ssl_session_ticket_key /etc/nginx/tickets.key; + {{ end }} + + # slightly reduce the time-to-first-byte + ssl_buffer_size {{ $cfg.SSLBufferSize }}; + + {{ if not (empty $cfg.SSLCiphers) }} + # allow configuring custom ssl ciphers + ssl_ciphers '{{ $cfg.SSLCiphers }}'; + ssl_prefer_server_ciphers on; + {{ end }} + + {{ if not (empty $cfg.SSLDHParam) }} + # allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam + ssl_dhparam {{ $cfg.SSLDHParam }}; + {{ end }} + + {{ if not $cfg.EnableDynamicTLSRecords }} + ssl_dyn_rec_size_lo 0; + {{ end }} + + ssl_ecdh_curve {{ $cfg.SSLECDHCurve }}; + + {{ if .CustomErrors }} + # Custom error pages + proxy_intercept_errors on; + {{ end }} + + {{ range $errCode := $cfg.CustomHTTPErrors }} + error_page {{ $errCode }} = @custom_{{ $errCode }};{{ end }} + + proxy_ssl_session_reuse on; + + {{ if $cfg.AllowBackendServerHeader }} + proxy_pass_header Server; + {{ end }} + + {{ if not (empty $cfg.HTTPSnippet) }} + # Custom code snippet configured in the configuration configmap + {{ $cfg.HTTPSnippet }} + {{ end }} + + {{ range $name, $upstream := $backends }} + {{ if eq $upstream.SessionAffinity.AffinityType "cookie" }} + upstream sticky-{{ $upstream.Name }} { + sticky hash={{ $upstream.SessionAffinity.CookieSessionAffinity.Hash }} name={{ $upstream.SessionAffinity.CookieSessionAffinity.Name }} httponly; + + {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }} + keepalive {{ $cfg.UpstreamKeepaliveConnections }}; + {{ end }} + + {{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }} max_fails={{ $server.MaxFails }} fail_timeout={{ $server.FailTimeout }}; + {{ end }} + + } + + {{ end }} + + + upstream {{ $upstream.Name }} { + # Load balance algorithm; empty for round robin, which is the default + {{ if ne $cfg.LoadBalanceAlgorithm "round_robin" }} + {{ $cfg.LoadBalanceAlgorithm }}; + {{ end }} + + {{ if $upstream.UpstreamHashBy }} + hash {{ $upstream.UpstreamHashBy }} consistent; + {{ end }} + + {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }} + keepalive {{ $cfg.UpstreamKeepaliveConnections }}; + {{ end }} + + {{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }} max_fails={{ $server.MaxFails }} fail_timeout={{ $server.FailTimeout }}; + {{ end }} + } + + {{ end }} + + {{/* build the maps that will be use to validate the Whitelist */}} + {{ range $index, $server := $servers }} + {{ range $location := $server.Locations }} + {{ $path := buildLocation $location }} + + {{ if isLocationAllowed $location }} + {{ if gt (len $location.Whitelist.CIDR) 0 }} + + # Deny for {{ print $server.Hostname $path }} + geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_" $path) }} { + default 1; + + {{ range $ip := $location.Whitelist.CIDR }} + {{ $ip }} 0;{{ end }} + } + {{ end }} + {{ end }} + {{ end }} + {{ end }} + + {{ range $rl := (filterRateLimits $servers ) }} + # Ratelimit {{ $rl.Name }} + geo $the_real_ip $whitelist_{{ $rl.ID }} { + default 0; + {{ range $ip := $rl.Whitelist }} + {{ $ip }} 1;{{ end }} + } + + # Ratelimit {{ $rl.Name }} + map $whitelist_{{ $rl.ID }} $limit_{{ $rl.ID }} { + 0 {{ $cfg.LimitConnZoneVariable }}; + 1 ""; + } + {{ end }} + + {{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}} + {{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}} + {{ range $zone := (buildRateLimitZones $servers) }} + {{ $zone }} + {{ end }} + + {{/* Build server redirects (from/to www) */}} + {{ range $hostname, $to := .RedirectServers }} + server { + {{ range $address := $all.Cfg.BindAddressIpv4 }} + listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}; + listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} ssl; + {{ else }} + listen {{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}; + listen {{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} ssl; + {{ end }} + {{ if $IsIPV6Enabled }} + {{ range $address := $all.Cfg.BindAddressIpv6 }} + listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}; + listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}; + {{ else }} + listen [::]:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}; + listen [::]:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}; + {{ end }} + {{ end }} + server_name {{ $hostname }}; + + {{ if ne $all.ListenPorts.HTTPS 443 }} + {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }} + return {{ $all.Cfg.HTTPRedirectCode }} $scheme://{{ $to }}{{ $redirect_port }}$request_uri; + {{ else }} + return {{ $all.Cfg.HTTPRedirectCode }} $scheme://{{ $to }}$request_uri; + {{ end }} + } + {{ end }} + + {{ range $index, $server := $servers }} + + ## start server {{ $server.Hostname }} + server { + server_name {{ $server.Hostname }} {{ $server.Alias }}; + {{ template "SERVER" serverConfig $all $server }} + + {{ if not (empty $cfg.ServerSnippet) }} + # Custom code snippet configured in the configuration configmap + {{ $cfg.ServerSnippet }} + {{ end }} + + {{ template "CUSTOM_ERRORS" $all }} + } + ## end server {{ $server.Hostname }} + + {{ end }} + + # default server, used for NGINX healthcheck and access to nginx stats + server { + # Use the port {{ $all.ListenPorts.Status }} (random value just to avoid known ports) as default port for nginx. + # Changing this value requires a change in: + # https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go + listen {{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }}; + {{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }} + set $proxy_upstream_name "-"; + + location {{ $healthzURI }} { + access_log off; + return 200; + } + + location /nginx_status { + set $proxy_upstream_name "internal"; + + {{ if $cfg.EnableVtsStatus }} + vhost_traffic_status_display; + vhost_traffic_status_display_format html; + {{ else }} + access_log off; + stub_status on; + {{ end }} + } + + location / { + {{ if .CustomErrors }} + proxy_set_header X-Code 404; + {{ end }} + set $proxy_upstream_name "upstream-default-backend"; + proxy_pass http://upstream-default-backend; + } + + {{ template "CUSTOM_ERRORS" $all }} + } +} + +stream { + log_format log_stream {{ $cfg.LogFormatStream }}; + + {{ if $cfg.DisableAccessLog }} + access_log off; + {{ else }} + access_log {{ $cfg.AccessLogPath }} log_stream; + {{ end }} + + error_log {{ $cfg.ErrorLogPath }}; + + # TCP services + {{ range $i, $tcpServer := .TCPBackends }} + upstream tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }} { + # NOTE(portdirect): mark the 1st server as up, the 2nd as backup, and all others as down. + # The ingress controller will manage this list, based on the health checks in the backend pods, + # which approximates the pattern commonly used by Haproxy's httpchk. + {{ range $j, $endpoint := $tcpServer.Endpoints }} + {{ if eq $j 0 }} + # NOTE(portdirect): see https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-health-check/#passive-tcp-health-checks to tune passive healthchecks + server {{ $endpoint.Address }}:{{ $endpoint.Port }}; + {{ else if eq $j 1 }} + server {{ $endpoint.Address }}:{{ $endpoint.Port }} backup; + {{ else }} + server {{ $endpoint.Address }}:{{ $endpoint.Port }} down; + {{ end }} + {{ end }} + } + server { + {{ range $address := $all.Cfg.BindAddressIpv4 }} + listen {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }}; + {{ else }} + listen {{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }}; + {{ end }} + {{ if $IsIPV6Enabled }} + {{ range $address := $all.Cfg.BindAddressIpv6 }} + listen {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }}; + {{ else }} + listen [::]:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }}; + {{ end }} + {{ end }} + proxy_timeout {{ $cfg.ProxyStreamTimeout }}; + proxy_pass tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }}; + {{ if $tcpServer.Backend.ProxyProtocol.Encode }} + proxy_protocol on; + {{ end }} + } + + {{ end }} + + # UDP services + {{ range $i, $udpServer := .UDPBackends }} + upstream udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }} { + {{ range $j, $endpoint := $udpServer.Endpoints }} + server {{ $endpoint.Address }}:{{ $endpoint.Port }}; + {{ end }} + } + + server { + {{ range $address := $all.Cfg.BindAddressIpv4 }} + listen {{ $address }}:{{ $udpServer.Port }} udp; + {{ else }} + listen {{ $udpServer.Port }} udp; + {{ end }} + {{ if $IsIPV6Enabled }} + {{ range $address := $all.Cfg.BindAddressIpv6 }} + listen {{ $address }}:{{ $udpServer.Port }} udp; + {{ else }} + listen [::]:{{ $udpServer.Port }} udp; + {{ end }} + {{ end }} + proxy_responses {{ $cfg.ProxyStreamResponses }}; + proxy_timeout {{ $cfg.ProxyStreamTimeout }}; + proxy_pass udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }}; + } + + {{ end }} +} + +{{/* definition of templates to avoid repetitions */}} +{{ define "CUSTOM_ERRORS" }} + {{ $proxySetHeaders := .ProxySetHeaders }} + {{ range $errCode := .Cfg.CustomHTTPErrors }} + location @custom_{{ $errCode }} { + internal; + + proxy_intercept_errors off; + + proxy_set_header X-Code {{ $errCode }}; + proxy_set_header X-Format $http_accept; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Namespace $namespace; + proxy_set_header X-Ingress-Name $ingress_name; + proxy_set_header X-Service-Name $service_name; + + rewrite (.*) / break; + proxy_pass http://upstream-default-backend; + } + {{ end }} +{{ end }} + +{{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}} +{{ define "CORS" }} + {{ $cors := .CorsConfig }} + # Cors Preflight methods needs additional options and different Return Code + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '{{ $cors.CorsAllowOrigin }}' always; + {{ if $cors.CorsAllowCredentials }} add_header 'Access-Control-Allow-Credentials' '{{ $cors.CorsAllowCredentials }}' always; {{ end }} + add_header 'Access-Control-Allow-Methods' '{{ $cors.CorsAllowMethods }}' always; + add_header 'Access-Control-Allow-Headers' '{{ $cors.CorsAllowHeaders }}' always; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain charset=UTF-8'; + add_header 'Content-Length' 0; + return 204; + } + + add_header 'Access-Control-Allow-Origin' '{{ $cors.CorsAllowOrigin }}' always; + {{ if $cors.CorsAllowCredentials }} add_header 'Access-Control-Allow-Credentials' '{{ $cors.CorsAllowCredentials }}' always; {{ end }} + add_header 'Access-Control-Allow-Methods' '{{ $cors.CorsAllowMethods }}' always; + add_header 'Access-Control-Allow-Headers' '{{ $cors.CorsAllowHeaders }}' always; + +{{ end }} + +{{/* definition of server-template to avoid repetitions with server-alias */}} +{{ define "SERVER" }} + {{ $all := .First }} + {{ $server := .Second }} + {{ range $address := $all.Cfg.BindAddressIpv4 }} + listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}}; + {{ else }} + listen {{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}}; + {{ end }} + {{ if $all.IsIPV6Enabled }} + {{ range $address := $all.Cfg.BindAddressIpv6 }} + listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{ end }}; + {{ else }} + listen [::]:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{ end }}; + {{ end }} + {{ end }} + set $proxy_upstream_name "-"; + + {{/* Listen on {{ $all.ListenPorts.SSLProxy }} because port {{ $all.ListenPorts.HTTPS }} is used in the TLS sni server */}} + {{/* This listener must always have proxy_protocol enabled, because the SNI listener forwards on source IP info in it. */}} + {{ if not (empty $server.SSLCertificate) }} + {{ range $address := $all.Cfg.BindAddressIpv4 }} + listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol {{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; + {{ else }} + listen {{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol {{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; + {{ end }} + {{ if $all.IsIPV6Enabled }} + {{ range $address := $all.Cfg.BindAddressIpv6 }} + {{ if not (empty $server.SSLCertificate) }}listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; + {{ else }} + {{ if not (empty $server.SSLCertificate) }}listen [::]:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; + {{ end }} + {{ end }} + {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}} + # PEM sha: {{ $server.SSLPemChecksum }} + ssl_certificate {{ $server.SSLCertificate }}; + ssl_certificate_key {{ $server.SSLCertificate }}; + {{ if not (empty $server.SSLFullChainCertificate)}} + ssl_trusted_certificate {{ $server.SSLFullChainCertificate }}; + ssl_stapling on; + ssl_stapling_verify on; + {{ end }} + {{ end }} + + {{ if (and (not (empty $server.SSLCertificate)) $all.Cfg.HSTS) }} + more_set_headers "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }};{{ if $all.Cfg.HSTSPreload }} preload{{ end }}"; + {{ end }} + + + {{ if not (empty $server.CertificateAuth.CAFileName) }} + # PEM sha: {{ $server.CertificateAuth.PemSHA }} + ssl_client_certificate {{ $server.CertificateAuth.CAFileName }}; + ssl_verify_client {{ $server.CertificateAuth.VerifyClient }}; + ssl_verify_depth {{ $server.CertificateAuth.ValidationDepth }}; + {{ if not (empty $server.CertificateAuth.ErrorPage)}} + error_page 495 496 = {{ $server.CertificateAuth.ErrorPage }}; + {{ end }} + {{ end }} + + {{ if not (empty $server.ServerSnippet) }} + {{ $server.ServerSnippet }} + {{ end }} + + {{ range $location := $server.Locations }} + {{ $path := buildLocation $location }} + {{ $authPath := buildAuthLocation $location }} + + {{ if not (empty $location.Rewrite.AppRoot)}} + if ($uri = /) { + return 302 {{ $location.Rewrite.AppRoot }}; + } + {{ end }} + + {{ if not (empty $authPath) }} + location = {{ $authPath }} { + internal; + set $proxy_upstream_name "external-authentication"; + + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + + {{ if not (empty $location.ExternalAuth.Method) }} + proxy_method {{ $location.ExternalAuth.Method }}; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Scheme $pass_access_scheme; + {{ end }} + + proxy_set_header Host {{ $location.ExternalAuth.Host }}; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Original-Method $request_method; + proxy_set_header X-Auth-Request-Redirect $request_uri; + proxy_set_header X-Sent-From "nginx-ingress-controller"; + + proxy_http_version 1.1; + proxy_ssl_server_name on; + proxy_pass_request_headers on; + client_max_body_size "{{ $location.Proxy.BodySize }}"; + {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }} + client_body_buffer_size {{ $location.ClientBodyBufferSize }}; + {{ end }} + + set $target {{ $location.ExternalAuth.URL }}; + proxy_pass $target; + } + {{ end }} + + location {{ $path }} { + {{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }} + + set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location }}"; + + {{ $ing := (getIngressInformation $location.Ingress $path) }} + {{/* $ing.Metadata contains the Ingress metadata */}} + set $namespace "{{ $ing.Namespace }}"; + set $ingress_name "{{ $ing.Rule }}"; + set $service_name "{{ $ing.Service }}"; + + {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }} + # enforce ssl on server side + if ($pass_access_scheme = http) { + {{ if ne $all.ListenPorts.HTTPS 443 }} + {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }} + return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host{{ $redirect_port }}$request_uri; + {{ else }} + return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host$request_uri; + {{ end }} + } + {{ end }} + + {{ if $all.Cfg.EnableModsecurity }} + modsecurity on; + + modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf; + {{ if $all.Cfg.EnableOWASPCoreRules }} + modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf; + {{ end }} + {{ end }} + + {{ if isLocationAllowed $location }} + {{ if gt (len $location.Whitelist.CIDR) 0 }} + if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) { + return 403; + } + {{ end }} + + port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }}; + + {{ if not (empty $authPath) }} + # this location requires authentication + auth_request {{ $authPath }}; + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; + {{- range $idx, $line := buildAuthResponseHeaders $location }} + {{ $line }} + {{- end }} + {{ end }} + + {{ if not (empty $location.ExternalAuth.SigninURL) }} + error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }}; + {{ end }} + + {{/* if the location contains a rate limit annotation, create one */}} + {{ $limits := buildRateLimit $location }} + {{ range $limit := $limits }} + {{ $limit }}{{ end }} + + {{ if $location.BasicDigestAuth.Secured }} + {{ if eq $location.BasicDigestAuth.Type "basic" }} + auth_basic "{{ $location.BasicDigestAuth.Realm }}"; + auth_basic_user_file {{ $location.BasicDigestAuth.File }}; + {{ else }} + auth_digest "{{ $location.BasicDigestAuth.Realm }}"; + auth_digest_user_file {{ $location.BasicDigestAuth.File }}; + {{ end }} + proxy_set_header Authorization ""; + {{ end }} + + {{ if $location.CorsConfig.CorsEnabled }} + {{ template "CORS" $location }} + {{ end }} + + {{ if not (empty $location.Redirect.URL) }} + if ($uri ~* {{ $path }}) { + return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }}; + } + {{ end }} + + client_max_body_size "{{ $location.Proxy.BodySize }}"; + {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }} + client_body_buffer_size {{ $location.ClientBodyBufferSize }}; + {{ end }} + + {{/* By default use vhost as Host to upstream, but allow overrides */}} + {{ if not (empty $location.UpstreamVhost) }} + proxy_set_header Host "{{ $location.UpstreamVhost }}"; + {{ else }} + proxy_set_header Host $best_http_host; + {{ end }} + + + # Pass the extracted client certificate to the backend + {{ if not (empty $server.CertificateAuth.CAFileName) }} + {{ if $server.CertificateAuth.PassCertToUpstream }} + proxy_set_header ssl-client-cert $ssl_client_escaped_cert; + {{ else }} + proxy_set_header ssl-client-cert ""; + {{ end }} + proxy_set_header ssl-client-verify $ssl_client_verify; + proxy_set_header ssl-client-dn $ssl_client_s_dn; + {{ else }} + proxy_set_header ssl-client-cert ""; + proxy_set_header ssl-client-verify ""; + proxy_set_header ssl-client-dn ""; + {{ end }} + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Real-IP $the_real_ip; + {{ if $all.Cfg.ComputeFullForwardedFor }} + proxy_set_header X-Forwarded-For $full_x_forwarded_for; + {{ else }} + proxy_set_header X-Forwarded-For $the_real_ip; + {{ end }} + proxy_set_header X-Forwarded-Host $best_http_host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Scheme $pass_access_scheme; + + # Pass the original X-Forwarded-For + proxy_set_header X-Original-Forwarded-For {{ buildForwardedFor $all.Cfg.ForwardedForHeader }}; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers to proxied server + {{ range $k, $v := $all.ProxySetHeaders }} + proxy_set_header {{ $k }} "{{ $v }}"; + {{ end }} + + proxy_connect_timeout {{ $location.Proxy.ConnectTimeout }}s; + proxy_send_timeout {{ $location.Proxy.SendTimeout }}s; + proxy_read_timeout {{ $location.Proxy.ReadTimeout }}s; + + {{ if (or (eq $location.Proxy.ProxyRedirectFrom "default") (eq $location.Proxy.ProxyRedirectFrom "off")) }} + proxy_redirect {{ $location.Proxy.ProxyRedirectFrom }}; + {{ else }} + proxy_redirect {{ $location.Proxy.ProxyRedirectFrom }} {{ $location.Proxy.ProxyRedirectTo }}; + {{ end }} + proxy_buffering off; + proxy_buffer_size "{{ $location.Proxy.BufferSize }}"; + proxy_buffers 4 "{{ $location.Proxy.BufferSize }}"; + proxy_request_buffering "{{ $location.Proxy.RequestBuffering }}"; + + proxy_http_version 1.1; + + proxy_cookie_domain {{ $location.Proxy.CookieDomain }}; + proxy_cookie_path {{ $location.Proxy.CookiePath }}; + + # In case of errors try the next upstream server before returning an error + proxy_next_upstream {{ buildNextUpstream $location.Proxy.NextUpstream $all.Cfg.RetryNonIdempotent }}; + + {{/* rewrite only works if the content is not compressed */}} + {{ if $location.Rewrite.AddBaseURL }} + proxy_set_header Accept-Encoding ""; + {{ end }} + + {{/* Add any additional configuration defined */}} + {{ $location.ConfigurationSnippet }} + + {{ if not (empty $all.Cfg.LocationSnippet) }} + # Custom code snippet configured in the configuration configmap + {{ $all.Cfg.LocationSnippet }} + {{ end }} + + {{/* if we are sending the request to a custom default backend, we add the required headers */}} + {{ if (hasPrefix $location.Backend "custom-default-backend-") }} + proxy_set_header X-Code 503; + proxy_set_header X-Format $http_accept; + proxy_set_header X-Namespace $namespace; + proxy_set_header X-Ingress-Name $ingress_name; + proxy_set_header X-Service-Name $service_name; + {{ end }} + + + {{ if not (empty $location.Backend) }} + {{ buildProxyPass $server.Hostname $all.Backends $location }} + {{ else }} + # No endpoints available for the request + return 503; + {{ end }} + {{ else }} + # Location denied. Reason: {{ $location.Denied }} + return 503; + {{ end }} + } + + {{ end }} + + {{ if eq $server.Hostname "_" }} + # health checks in cloud providers require the use of port {{ $all.ListenPorts.HTTP }} + location {{ $all.HealthzURI }} { + access_log off; + return 200; + } + + # this is required to avoid error if nginx is being monitored + # with an external software (like sysdig) + location /nginx_status { + allow 127.0.0.1; + {{ if $all.IsIPV6Enabled }}allow ::1;{{ end }} + deny all; + + access_log off; + stub_status on; + } + + {{ end }} + +{{ end }} diff --git a/mariadb/requirements.yaml b/mariadb/requirements.yaml new file mode 100644 index 000000000..53782e69b --- /dev/null +++ b/mariadb/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: helm-toolkit + repository: http://localhost:8879/charts + version: 0.1.0 diff --git a/mariadb/templates/bin/_mariadb-ingress-controller.sh.tpl b/mariadb/templates/bin/_mariadb-ingress-controller.sh.tpl new file mode 100644 index 000000000..af6e0c0c7 --- /dev/null +++ b/mariadb/templates/bin/_mariadb-ingress-controller.sh.tpl @@ -0,0 +1,38 @@ +#!/bin/bash + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +COMMAND="${@:-start}" + +function start () { + exec /usr/bin/dumb-init \ + /nginx-ingress-controller \ + --force-namespace-isolation \ + --watch-namespace ${POD_NAMESPACE} \ + --election-id=${RELEASE_NAME} \ + --ingress-class=${INGRESS_CLASS} \ + --default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \ + --tcp-services-configmap=${POD_NAMESPACE}/mariadb-services-tcp +} + + +function stop () { + kill -TERM 1 +} + +$COMMAND diff --git a/mariadb/templates/bin/_mariadb-ingress-error-pages.sh.tpl b/mariadb/templates/bin/_mariadb-ingress-error-pages.sh.tpl new file mode 100644 index 000000000..cf62c33f4 --- /dev/null +++ b/mariadb/templates/bin/_mariadb-ingress-error-pages.sh.tpl @@ -0,0 +1,26 @@ +#!/bin/sh + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +COMMAND="${@:-start}" + +if [ "x${COMMAND}" == "xstart" ]; then + exec /server +elif [ "x${COMMAND}" == "xstop" ]; then + kill -TERM 1 +fi diff --git a/mariadb/templates/bin/_readiness.sh.tpl b/mariadb/templates/bin/_readiness.sh.tpl new file mode 100644 index 000000000..86f513e21 --- /dev/null +++ b/mariadb/templates/bin/_readiness.sh.tpl @@ -0,0 +1,52 @@ +#!/usr/bin/env bash + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -e + +MYSQL="mysql \ + --defaults-file=/etc/mysql/admin_user.cnf \ + --host=localhost \ + --connect-timeout 2" + +mysql_status_query () { + STATUS=$1 + $MYSQL -e "show status like \"${STATUS}\"" | \ + awk "/${STATUS}/ { print \$NF; exit }" +} + +if ! $MYSQL -e 'select 1' > /dev/null 2>&1 ; then + exit 1 +fi + +if [ "x$(mysql_status_query wsrep_cluster_status)" != "xPrimary" ]; then + # Not in primary cluster + exit 1 +fi +if [ "x$(mysql_status_query wsrep_ready)" != "xON" ]; then + # WSREP not ready + exit 1 +fi +if [ "x$(mysql_status_query wsrep_local_state_comment)" != "xSynced" ]; then + # WSREP not synced + exit 1 +fi + +# If we made it this far, its safe to remove the bootstrap file if present +if [ -e ${BOOTSTRAP_FILE} ]; then + rm -f ${BOOTSTRAP_FILE} +fi diff --git a/mariadb/templates/bin/_start.sh.tpl b/mariadb/templates/bin/_start.sh.tpl new file mode 100644 index 000000000..6920a9af2 --- /dev/null +++ b/mariadb/templates/bin/_start.sh.tpl @@ -0,0 +1,188 @@ +#!/bin/bash +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -xe + +# MariaDB 10.2.13 has a regression which breaks clustering, patch +# around this for now +if /usr/sbin/mysqld --version | grep --silent 10.2.13 ; then + sed -i 's^LSOF_OUT=.*^LSOF_OUT=$(lsof -sTCP:LISTEN -i TCP:${PORT} -a -c nc -c socat -F c 2> /dev/null || :)^' /usr/bin/wsrep_sst_xtrabackup-v2 +fi + +# Bootstrap database +CLUSTER_INIT_ARGS="" +CLUSTER_CONFIG_PATH=/etc/mysql/conf.d/10-cluster-config.cnf + +function exitWithManualRecovery() { + + UUID=$(sed -e 's/^.*uuid:[\ ,\t]*//' -e 'tx' -e 'd' -e ':x' /var/lib/mysql/grastate.dat) + SEQNO=$(sed -e 's/^.*seqno:[\ ,\t]*//' -e 'tx' -e 'd' -e ':x' /var/lib/mysql/grastate.dat) + + cat >/dev/stderr < + to force bootstrapping from the specified node. + + Remember to remove FORCE_RECOVERY after your nodes + are fully recovered! You may lose data otherwise. + +You can ignore this message and wait for the next restart if at +least one node started without errors. +EOF + + exit 1 +} + +# Construct cluster config +MEMBERS="" +for i in $(seq 1 ${MARIADB_REPLICAS}); do + if [ "$i" -eq "1" ]; then + NUM="0" + else + NUM="$(expr $i - 1)" + fi + CANDIDATE_POD="${POD_NAME_PREFIX}-$NUM.$(hostname -d)" + if [ "x${CANDIDATE_POD}" != "x${POD_NAME}.$(hostname -d)" ]; then + if [ -n "${MEMBERS}" ]; then + MEMBERS+=, + fi + MEMBERS+="${CANDIDATE_POD}:${WSREP_PORT}" + fi +done + +echo "Writing cluster config for ${POD_NAME} to ${CLUSTER_CONFIG_PATH}" +cat > ${CLUSTER_CONFIG_PATH} </dev/stderr </dev/stderr </var/lib/mysql/grastate.dat < "${BOOTSTRAP_FILE}" << EOF +DELETE FROM mysql.user ; +CREATE OR REPLACE USER 'root'@'%' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ; +GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ; +DROP DATABASE IF EXISTS test ; +FLUSH PRIVILEGES ; +EOF + + CLUSTER_INIT_ARGS="${CLUSTER_INIT_ARGS} --init-file=${BOOTSTRAP_FILE}" +fi + +exec mysqld ${CLUSTER_INIT_ARGS} diff --git a/mariadb/templates/bin/_stop.sh.tpl b/mariadb/templates/bin/_stop.sh.tpl new file mode 100644 index 000000000..c197065a0 --- /dev/null +++ b/mariadb/templates/bin/_stop.sh.tpl @@ -0,0 +1,24 @@ +#!/bin/bash +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -xe + +exec mysqladmin \ + --defaults-file=/etc/mysql/admin_user.cnf \ + --host=localhost \ + --connect-timeout 2 \ + shutdown diff --git a/mariadb/templates/configmap-bin.yaml b/mariadb/templates/configmap-bin.yaml new file mode 100644 index 000000000..5e0b62cfc --- /dev/null +++ b/mariadb/templates/configmap-bin.yaml @@ -0,0 +1,39 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_bin }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: mariadb-bin +data: +{{- if .Values.images.local_registry.active }} + image-repo-sync.sh: | +{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} +{{- end }} + mariadb-ingress-controller.sh: | +{{ tuple "bin/_mariadb-ingress-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + mariadb-ingress-error-pages.sh: | +{{ tuple "bin/_mariadb-ingress-error-pages.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + readiness.sh: | +{{ tuple "bin/_readiness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + start.sh: | +{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + stop.sh: | +{{ tuple "bin/_stop.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/mariadb/templates/configmap-etc.yaml b/mariadb/templates/configmap-etc.yaml new file mode 100644 index 000000000..aa11d5db9 --- /dev/null +++ b/mariadb/templates/configmap-etc.yaml @@ -0,0 +1,39 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_etc }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: mariadb-etc +data: + my.cnf: | +{{ tuple "etc/_my.cnf.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }} + 00-base.cnf: | +{{ tuple "etc/_00-base.cnf.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }} + 20-override.cnf: | +{{ tuple "etc/_20-override.cnf.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }} + 99-force.cnf: | +{{ tuple "etc/_99-force.cnf.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }} +{{- if $envAll.Values.conf.ingress }} + nginx.tmpl: | +{{ $envAll.Values.conf.ingress | indent 4 }} +{{- else }} +{{ ( $envAll.Files.Glob "files/nginx.tmpl" ).AsConfig | indent 2 }} +{{- end }} +{{- end }} diff --git a/mariadb/templates/configmap-services-tcp.yaml b/mariadb/templates/configmap-services-tcp.yaml new file mode 100644 index 000000000..605a18609 --- /dev/null +++ b/mariadb/templates/configmap-services-tcp.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_services_tcp }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: mariadb-services-tcp +data: + {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}: "{{ .Release.Namespace }}/{{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}" +{{- end }} diff --git a/mariadb/templates/deployment-error.yaml b/mariadb/templates/deployment-error.yaml new file mode 100644 index 000000000..87d4c1616 --- /dev/null +++ b/mariadb/templates/deployment-error.yaml @@ -0,0 +1,83 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.deployment_error }} +{{- $envAll := . }} + +{{- $serviceAccountName := "mariadb-ingress-error-pages"}} +{{ tuple $envAll "error_pages" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mariadb-ingress-error-pages + labels: +{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.error_page }} + selector: + matchLabels: +{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + spec: + serviceAccountName: {{ $serviceAccountName }} + affinity: +{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.error_server.node_selector_key }}: {{ .Values.labels.error_server.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.error_pages.timeout | default "60" }} + initContainers: +{{ tuple $envAll "error_pages" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: ingress-error-pages +{{ tuple $envAll "error_pages" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.error_pages | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 5 + ports: + - containerPort: 8080 + command: + - /tmp/mariadb-ingress-error-pages.sh + - start + lifecycle: + preStop: + exec: + command: + - /tmp/mariadb-ingress-error-pages.sh + - stop + volumeMounts: + - name: ingress-bin + mountPath: /tmp/mariadb-ingress-error-pages.sh + subPath: mariadb-ingress-error-pages.sh + readOnly: true + volumes: + - name: ingress-bin + configMap: + name: mariadb-bin + defaultMode: 0555 +{{- end }} diff --git a/mariadb/templates/deployment-ingress.yaml b/mariadb/templates/deployment-ingress.yaml new file mode 100644 index 000000000..4bfc147fe --- /dev/null +++ b/mariadb/templates/deployment-ingress.yaml @@ -0,0 +1,202 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.deployment_ingress }} +{{- $envAll := . }} + +{{- $ingressClass := printf "%s-%s" .Release.Name "mariadb-ingress" }} + +{{- $serviceAccountName := printf "%s-%s" .Release.Name "ingress" }} +{{ tuple $envAll "ingress" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +rules: + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resourceNames: + - {{ printf "%s-%s" .Release.Name $ingressClass | quote }} + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mariadb-ingress + labels: +{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.ingress }} + selector: + matchLabels: +{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + spec: + serviceAccountName: {{ $serviceAccountName }} + affinity: +{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.ingress.node_selector_key }}: {{ .Values.labels.ingress.node_selector_value }} + terminationGracePeriodSeconds: 60 + initContainers: +{{ tuple $envAll "ingress" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: ingress +{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + readinessProbe: + tcpSocket: + port: {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + livenessProbe: + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: {{ .Release.Name | quote }} + - name: INGRESS_CLASS + value: {{ $ingressClass | quote }} + - name: ERROR_PAGE_SERVICE + value: {{ tuple "oslo_db" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }} + command: + - /tmp/mariadb-ingress-controller.sh + - start + lifecycle: + preStop: + exec: + command: + - /tmp/mariadb-ingress-controller.sh + - stop + volumeMounts: + - name: mariadb-bin + mountPath: /tmp/mariadb-ingress-controller.sh + subPath: mariadb-ingress-controller.sh + readOnly: true + - name: mariadb-etc + mountPath: /etc/nginx/template/nginx.tmpl + subPath: nginx.tmpl + readOnly: true + volumes: + - name: mariadb-bin + configMap: + name: mariadb-bin + defaultMode: 0555 + - name: mariadb-etc + configMap: + name: mariadb-etc + defaultMode: 0444 +{{- end }} diff --git a/mariadb/templates/etc/_00-base.cnf.tpl b/mariadb/templates/etc/_00-base.cnf.tpl new file mode 100644 index 000000000..5e2597f99 --- /dev/null +++ b/mariadb/templates/etc/_00-base.cnf.tpl @@ -0,0 +1,107 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +[mysqld] +# Charset +character_set_server=utf8 +collation_server=utf8_unicode_ci +skip-character-set-client-handshake + +# Logging +slow_query_log=on +slow_query_log_file=/var/log/mysql/mariadb-slow.log +log_warnings=2 + +# General logging has huge performance penalty therefore is disabled by default +general_log=off +general_log_file=/var/log/mysql/mariadb-error.log + +long_query_time=3 +log_queries_not_using_indexes=on + +# Networking +bind_address=0.0.0.0 +port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + +# When a client connects, the server will perform hostname resolution, +# and when DNS is slow, establishing the connection will become slow as well. +# It is therefore recommended to start the server with skip-name-resolve to +# disable all DNS lookups. The only limitation is that the GRANT statements +# must then use IP addresses only. +skip_name_resolve + +# Tuning +user=mysql +max_allowed_packet=256M +open_files_limit=10240 +max_connections=8192 +max-connect-errors=1000000 + +## Generally, it is unwise to set the query cache to be larger than 64-128M +## as the costs associated with maintaining the cache outweigh the performance +## gains. +## The query cache is a well known bottleneck that can be seen even when +## concurrency is moderate. The best option is to disable it from day 1 +## by setting query_cache_size=0 (now the default on MySQL 5.6) +## and to use other ways to speed up read queries: good indexing, adding +## replicas to spread the read load or using an external cache. +query_cache_size=0 +query_cache_type=0 + +sync_binlog=0 +thread_cache_size=16 +table_open_cache=2048 +table_definition_cache=1024 + +# +# InnoDB +# +# The buffer pool is where data and indexes are cached: having it as large as possible +# will ensure you use memory and not disks for most read operations. +# Typical values are 50..75% of available RAM. +# TODO(tomasz.paszkowski): This needs to by dynamic based on available RAM. +innodb_buffer_pool_size=1024M +innodb_doublewrite=0 +innodb_file_format=Barracuda +innodb_file_per_table=1 +innodb_flush_method=O_DIRECT +innodb_io_capacity=500 +innodb_locks_unsafe_for_binlog=1 +innodb_log_file_size=128M +innodb_old_blocks_time=1000 +innodb_read_io_threads=8 +innodb_write_io_threads=8 + +# Clustering +binlog_format=ROW +default-storage-engine=InnoDB +innodb_autoinc_lock_mode=2 +innodb_flush_log_at_trx_commit=2 +wsrep_cluster_name={{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" | replace "." "_" }} +wsrep_on=1 +wsrep_provider=/usr/lib/galera/libgalera_smm.so +wsrep_provider_options="gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}" +wsrep_slave_threads=12 +wsrep_sst_auth=root:{{ .Values.endpoints.oslo_db.auth.admin.password }} +wsrep_sst_method=xtrabackup-v2 + +[mysqldump] +max-allowed-packet=16M + +[client] +default_character_set=utf8 +protocol=tcp +port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} diff --git a/mariadb/templates/etc/_20-override.cnf.tpl b/mariadb/templates/etc/_20-override.cnf.tpl new file mode 100644 index 000000000..7c445fd65 --- /dev/null +++ b/mariadb/templates/etc/_20-override.cnf.tpl @@ -0,0 +1,17 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{ .Values.database.config_override }} diff --git a/mariadb/templates/etc/_99-force.cnf.tpl b/mariadb/templates/etc/_99-force.cnf.tpl new file mode 100644 index 000000000..3d92e99ff --- /dev/null +++ b/mariadb/templates/etc/_99-force.cnf.tpl @@ -0,0 +1,19 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +[mysqld] +datadir=/var/lib/mysql +tmpdir=/tmp diff --git a/mariadb/templates/etc/_my.cnf.tpl b/mariadb/templates/etc/_my.cnf.tpl new file mode 100644 index 000000000..33184d529 --- /dev/null +++ b/mariadb/templates/etc/_my.cnf.tpl @@ -0,0 +1,22 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +[mysqld] +datadir=/var/lib/mysql +basedir=/usr + +[client-server] +!includedir /etc/mysql/conf.d/ diff --git a/mariadb/templates/job-image-repo-sync.yaml b/mariadb/templates/job-image-repo-sync.yaml new file mode 100644 index 000000000..e099429a1 --- /dev/null +++ b/mariadb/templates/job-image-repo-sync.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }} +{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "mariadb" -}} +{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} +{{- end }} diff --git a/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl b/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl new file mode 100644 index 000000000..49773d0a1 --- /dev/null +++ b/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl @@ -0,0 +1,24 @@ +#!/bin/bash + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex + +mysql --defaults-file=/etc/mysql/admin_user.cnf -e \ + "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \ + GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%'; \ + FLUSH PRIVILEGES;" diff --git a/mariadb/templates/monitoring/prometheus/bin/_mysqld-exporter.sh.tpl b/mariadb/templates/monitoring/prometheus/bin/_mysqld-exporter.sh.tpl new file mode 100644 index 000000000..6a7395fcc --- /dev/null +++ b/mariadb/templates/monitoring/prometheus/bin/_mysqld-exporter.sh.tpl @@ -0,0 +1,30 @@ +#!/bin/sh + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +COMMAND="${@:-start}" + +function start () { + exec /bin/mysqld_exporter -config.my-cnf=/etc/mysql/mysql_user.cnf +} + +function stop () { + kill -TERM 1 +} + +$COMMAND diff --git a/mariadb/templates/monitoring/prometheus/exporter-configmap-bin.yaml b/mariadb/templates/monitoring/prometheus/exporter-configmap-bin.yaml new file mode 100644 index 000000000..169f8e56a --- /dev/null +++ b/mariadb/templates/monitoring/prometheus/exporter-configmap-bin.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.monitoring.prometheus.configmap_bin .Values.monitoring.prometheus.enabled }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: mysql-exporter-bin +data: + create-mysql-user.sh: | +{{ tuple "bin/_create-mysql-user.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + mysqld-exporter.sh: | +{{ tuple "bin/_mysqld-exporter.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml b/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml new file mode 100644 index 000000000..274a06c0e --- /dev/null +++ b/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml @@ -0,0 +1,91 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.monitoring.prometheus.deployment_exporter .Values.monitoring.prometheus.enabled }} +{{- $envAll := . }} + +{{- $serviceAccountName := "prometheus-mysql-exporter"}} +{{ tuple $envAll "prometheus_mysql_exporter" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: prometheus-mysql-exporter + labels: +{{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.prometheus_mysql_exporter }} + selector: + matchLabels: +{{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + namespace: {{ .Values.endpoints.prometheus_mysql_exporter.namespace }} + spec: + serviceAccountName: {{ $serviceAccountName }} + nodeSelector: + {{ .Values.labels.prometheus_mysql_exporter.node_selector_key }}: {{ .Values.labels.prometheus_mysql_exporter.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.prometheus_mysql_exporter.timeout | default "30" }} + initContainers: +{{ tuple $envAll "prometheus_mysql_exporter" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: mysql-exporter +{{ tuple $envAll "prometheus_mysql_exporter" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.prometheus_mysql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /tmp/mysqld-exporter.sh + - start + ports: + - name: metrics + containerPort: {{ .Values.network.prometheus_mysql_exporter.port }} + env: + - name: EXPORTER_USER + valueFrom: + secretKeyRef: + name: mysql-exporter-secrets + key: EXPORTER_USER + - name: EXPORTER_PASSWORD + valueFrom: + secretKeyRef: + name: mysql-exporter-secrets + key: EXPORTER_PASSWORD + - name: DATA_SOURCE_NAME + valueFrom: + secretKeyRef: + name: mysql-exporter-secrets + key: DATA_SOURCE_NAME + volumeMounts: + - name: mysql-exporter-secrets + mountPath: /etc/mysql/mysql_user.cnf + subPath: mysql_user.cnf + readOnly: true + - name: mysql-exporter-bin + mountPath: /tmp/mysqld-exporter.sh + subPath: mysqld-exporter.sh + readOnly: true + volumes: + - name: mysql-exporter-secrets + secret: + secretName: mysql-exporter-secrets + defaultMode: 0444 + - name: mysql-exporter-bin + configMap: + name: mysql-exporter-bin + defaultMode: 0555 +{{- end }} diff --git a/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml b/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml new file mode 100644 index 000000000..df7a14701 --- /dev/null +++ b/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml @@ -0,0 +1,83 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.monitoring.prometheus.job_user_create .Values.monitoring.prometheus.enabled }} +{{- $envAll := . }} + +{{- $serviceAccountName := "exporter-create-sql-user" }} +{{ tuple $envAll "prometheus_create_mysql_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: exporter-create-sql-user +spec: + template: + metadata: + labels: +{{ tuple $envAll "prometheus_mysql_exporter" "create-sql-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.prometheus_mysql_exporter.node_selector_key }}: {{ .Values.labels.prometheus_mysql_exporter.node_selector_value }} + initContainers: +{{ tuple $envAll "prometheus_create_mysql_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: exporter-create-sql-user +{{ tuple $envAll "prometheus_create_mysql_user" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.prometheus_create_mysql_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /tmp/create-mysql-user.sh + env: + - name: EXPORTER_USER + valueFrom: + secretKeyRef: + name: mysql-exporter-secrets + key: EXPORTER_USER + - name: EXPORTER_PASSWORD + valueFrom: + secretKeyRef: + name: mysql-exporter-secrets + key: EXPORTER_PASSWORD + - name: MYSQL_SERVICE + value: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + - name: MYSQL_ROOT_USER + value: {{ .Values.endpoints.oslo_db.auth.admin.username }} + - name: MYSQL_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: mariadb-db-root-password + key: MYSQL_ROOT_PASSWORD + volumeMounts: + - name: mysql-exporter-bin + mountPath: /tmp/create-mysql-user.sh + subPath: create-mysql-user.sh + readOnly: true + - name: mariadb-secrets + mountPath: /etc/mysql/admin_user.cnf + subPath: admin_user.cnf + readOnly: true + volumes: + - name: mysql-exporter-bin + configMap: + name: mysql-exporter-bin + defaultMode: 0555 + - name: mariadb-secrets + secret: + secretName: mariadb-secrets + defaultMode: 0444 +{{- end }} diff --git a/mariadb/templates/monitoring/prometheus/exporter-secrets-etc.yaml b/mariadb/templates/monitoring/prometheus/exporter-secrets-etc.yaml new file mode 100644 index 000000000..2d19c2756 --- /dev/null +++ b/mariadb/templates/monitoring/prometheus/exporter-secrets-etc.yaml @@ -0,0 +1,35 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.monitoring.prometheus.secret_etc .Values.monitoring.prometheus.enabled }} +{{- $envAll := . }} + +{{- $exporter_user := .Values.endpoints.oslo_db.auth.exporter.username }} +{{- $exporter_password := .Values.endpoints.oslo_db.auth.exporter.password }} +{{- $db_host := tuple "oslo_db" "direct" "mysql" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} +{{- $data_source_name := printf "%s:%s@(%s)/" $exporter_user $exporter_password $db_host }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: mysql-exporter-secrets +type: Opaque +data: + DATA_SOURCE_NAME: {{ $data_source_name | b64enc }} + EXPORTER_USER: {{ .Values.endpoints.oslo_db.auth.exporter.username | b64enc }} + EXPORTER_PASSWORD: {{ .Values.endpoints.oslo_db.auth.exporter.password | b64enc }} + mysql_user.cnf: {{ tuple "secrets/_exporter_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }} +{{- end }} diff --git a/mariadb/templates/monitoring/prometheus/exporter-service.yaml b/mariadb/templates/monitoring/prometheus/exporter-service.yaml new file mode 100644 index 000000000..c040f2642 --- /dev/null +++ b/mariadb/templates/monitoring/prometheus/exporter-service.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.monitoring.prometheus.service_exporter .Values.monitoring.prometheus.enabled }} +{{- $envAll := . }} +{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.mysqld_exporter }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ tuple "prometheus_mysql_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + labels: +{{ tuple $envAll "prometheus_mysql_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: +{{- if .Values.monitoring.prometheus.enabled }} +{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }} +{{- end }} +spec: + ports: + - name: metrics + port: {{ .Values.network.prometheus_mysql_exporter.port }} + selector: +{{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- end }} diff --git a/mariadb/templates/monitoring/prometheus/secrets/_exporter_user.cnf.tpl b/mariadb/templates/monitoring/prometheus/secrets/_exporter_user.cnf.tpl new file mode 100644 index 000000000..f3d03afa9 --- /dev/null +++ b/mariadb/templates/monitoring/prometheus/secrets/_exporter_user.cnf.tpl @@ -0,0 +1,21 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +[client] +user = {{ .Values.endpoints.prometheus_mysql_exporter.auth.user.username }} +password = {{ .Values.endpoints.prometheus_mysql_exporter.auth.user.password }} +host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} diff --git a/mariadb/templates/pdb-mariadb.yaml b/mariadb/templates/pdb-mariadb.yaml new file mode 100644 index 000000000..19f85dc12 --- /dev/null +++ b/mariadb/templates/pdb-mariadb.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.pdb_server }} +{{- $envAll := . }} +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: mariadb-server +spec: + minAvailable: {{ .Values.pod.lifecycle.disruption_budget.mariadb.min_available }} + selector: + matchLabels: +{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{- end }} diff --git a/mariadb/templates/secret-db-root-password.yaml b/mariadb/templates/secret-db-root-password.yaml new file mode 100644 index 000000000..e99f30b4e --- /dev/null +++ b/mariadb/templates/secret-db-root-password.yaml @@ -0,0 +1,27 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_db }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: mariadb-db-root-password +type: Opaque +data: + MYSQL_ROOT_PASSWORD: {{ .Values.endpoints.oslo_db.auth.admin.password | b64enc }} +{{- end }} diff --git a/mariadb/templates/secrets-etc.yaml b/mariadb/templates/secrets-etc.yaml new file mode 100644 index 000000000..1e6865986 --- /dev/null +++ b/mariadb/templates/secrets-etc.yaml @@ -0,0 +1,27 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_etc }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: mariadb-secrets +type: Opaque +data: + admin_user.cnf: {{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }} +{{- end }} diff --git a/mariadb/templates/secrets/_admin_user.cnf.tpl b/mariadb/templates/secrets/_admin_user.cnf.tpl new file mode 100644 index 000000000..c30120286 --- /dev/null +++ b/mariadb/templates/secrets/_admin_user.cnf.tpl @@ -0,0 +1,21 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +[client] +user = {{ .Values.endpoints.oslo_db.auth.admin.username }} +password = {{ .Values.endpoints.oslo_db.auth.admin.password }} +host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} diff --git a/mariadb/templates/service-discovery.yaml b/mariadb/templates/service-discovery.yaml new file mode 100644 index 000000000..a705b9066 --- /dev/null +++ b/mariadb/templates/service-discovery.yaml @@ -0,0 +1,35 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service_discovery }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ tuple "oslo_db" "discovery" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +spec: + ports: + - name: mysql + port: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - name: wsrep + port: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + clusterIP: None + selector: +{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- end }} diff --git a/mariadb/templates/service-error.yaml b/mariadb/templates/service-error.yaml new file mode 100644 index 000000000..f8891448a --- /dev/null +++ b/mariadb/templates/service-error.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service_error }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: +{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + name: {{ tuple "oslo_db" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +spec: + clusterIP: None + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: +{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- end }} diff --git a/mariadb/templates/service-ingress.yaml b/mariadb/templates/service-ingress.yaml new file mode 100644 index 000000000..08d003e41 --- /dev/null +++ b/mariadb/templates/service-ingress.yaml @@ -0,0 +1,33 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service_ingress }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: +{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + name: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +spec: + ports: + - name: mysql + port: {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + protocol: TCP + selector: +{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- end }} diff --git a/mariadb/templates/service.yaml b/mariadb/templates/service.yaml new file mode 100644 index 000000000..2600fe4c4 --- /dev/null +++ b/mariadb/templates/service.yaml @@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +spec: + ports: + - name: mysql + port: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + selector: +{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- end }} diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml new file mode 100644 index 000000000..7165493eb --- /dev/null +++ b/mariadb/templates/statefulset.yaml @@ -0,0 +1,182 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.statefulset }} +{{- $envAll := . }} + +{{- $serviceAccountName := "mariadb" }} +{{ tuple $envAll "mariadb" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + # NOTE(portdirect): the statefulset name must match the POD_NAME_PREFIX env var for discovery to work + name: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + labels: +{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + serviceName: "{{ tuple "oslo_db" "discovery" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}" + podManagementPolicy: "Parallel" + replicas: {{ .Values.pod.replicas.server }} + selector: + matchLabels: +{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} + template: + metadata: + labels: +{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + affinity: +{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} + initContainers: +{{ tuple $envAll "mariadb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{- if .Values.volume.chown_on_start }} + - name: mariadb-perms +{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 10 }} + securityContext: + runAsUser: 0 +{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - chown + - -R + - "mysql:mysql" + - /var/lib/mysql + volumeMounts: + - name: mysql-data + mountPath: /var/lib/mysql +{{- end }} + containers: + - name: mariadb +{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: FORCE_BOOTSTRAP + value: {{ .Values.force_bootstrap | quote }} + - name: FORCE_RECOVERY + value: {{ .Values.force_recovey | quote }} + - name: BOOTSTRAP_FILE + value: {{ printf "/tmp/%s.sql" (randAlphaNum 8) }} + - name: MARIADB_REPLICAS + value: {{ .Values.pod.replicas.server | quote }} + - name: WSREP_PORT + value: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} + - name: POD_NAME_PREFIX + value: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + - name: MYSQL_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: mariadb-db-root-password + key: MYSQL_ROOT_PASSWORD + ports: + - name: mysql + protocol: TCP + containerPort: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - name: wsrep + protocol: TCP + containerPort: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + command: + - /tmp/start.sh + lifecycle: + preStop: + exec: + command: + - /tmp/stop.sh + readinessProbe: + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 3 + exec: + command: + - /tmp/readiness.sh + volumeMounts: + - name: mycnfd + mountPath: /etc/mysql/conf.d + - name: mariadb-bin + mountPath: /tmp/start.sh + subPath: start.sh + readOnly: true + - name: mariadb-bin + mountPath: /tmp/stop.sh + subPath: stop.sh + readOnly: true + - name: mariadb-bin + mountPath: /tmp/readiness.sh + subPath: readiness.sh + readOnly: true + - name: mariadb-etc + mountPath: /etc/mysql/my.cnf + subPath: my.cnf + readOnly: true + - name: mariadb-etc + mountPath: /etc/mysql/conf.d/00-base.cnf + subPath: 00-base.cnf + readOnly: true + - name: mariadb-etc + mountPath: /etc/mysql/conf.d/20-override.cnf + subPath: 20-override.cnf + readOnly: true + - name: mariadb-etc + mountPath: /etc/mysql/conf.d/99-force.cnf + subPath: 99-force.cnf + readOnly: true + - name: mariadb-secrets + mountPath: /etc/mysql/admin_user.cnf + subPath: admin_user.cnf + readOnly: true + - name: mysql-data + mountPath: /var/lib/mysql + volumes: + - name: mycnfd + emptyDir: {} + - name: mariadb-bin + configMap: + name: mariadb-bin + defaultMode: 0555 + - name: mariadb-etc + configMap: + name: mariadb-etc + defaultMode: 0444 + - name: mariadb-secrets + secret: + secretName: mariadb-secrets + defaultMode: 0444 + {{- if not .Values.volume.enabled }} + - name: mysql-data + emptyDir: {} + {{- end }} +{{- if .Values.volume.enabled }} + volumeClaimTemplates: + - metadata: + name: mysql-data + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: {{ .Values.volume.size }} + storageClassName: {{ .Values.volume.class_name }} +{{- end }} +{{- end }} diff --git a/mariadb/values.yaml b/mariadb/values.yaml new file mode 100644 index 000000000..dffca8abf --- /dev/null +++ b/mariadb/values.yaml @@ -0,0 +1,289 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for mariadb. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value + +release_group: null + +images: + tags: + # NOTE: if you update from 10.2.13 please look at + # https://review.openstack.org/#/q/Ifd09d7effe7d382074ca9e6678df36bdd4bce0af + # and check whether it's still needed + mariadb: docker.io/mariadb:10.2.13 + ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0 + error_pages: gcr.io/google_containers/defaultbackend:1.0 + prometheus_create_mysql_user: docker.io/mariadb:10.2.13 + prometheus_mysql_exporter: docker.io/prom/mysqld-exporter:v0.10.0 + prometheus_mysql_exporter_helm_tests: docker.io/openstackhelm/heat:newton + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + pull_policy: "IfNotPresent" + local_registry: + active: false + exclude: + - dep_check + - image_repo_sync + +labels: + server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + ingress: + node_selector_key: openstack-control-plane + node_selector_value: enabled + prometheus_mysql_exporter: + node_selector_key: openstack-control-plane + node_selector_value: enabled + error_server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + +pod: + affinity: + anti: + type: + default: preferredDuringSchedulingIgnoredDuringExecution + topologyKey: + default: kubernetes.io/hostname + replicas: + server: 1 + ingress: 1 + error_page: 1 + prometheus_mysql_exporter: 1 + lifecycle: + upgrades: + deployments: + revision_history: 3 + pod_replacement_strategy: RollingUpdate + rolling_update: + max_unavailable: 1 + max_surge: 3 + termination_grace_period: + prometheus_mysql_exporter: + timeout: 30 + error_pages: + timeout: 10 + disruption_budget: + mariadb: + min_available: 0 + resources: + enabled: false + prometheus_mysql_exporter: + limits: + memory: "1024Mi" + cpu: "2000m" + requests: + memory: "128Mi" + cpu: "500m" + server: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + jobs: + tests: + limits: + memory: "1024Mi" + cpu: "2000m" + requests: + memory: "128Mi" + cpu: "100m" + prometheus_create_mysql_user: + limits: + memory: "1024Mi" + cpu: "2000m" + requests: + memory: "128Mi" + cpu: "100m" + image_repo_sync: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + +dependencies: + dynamic: + common: + local_image_registry: + jobs: + - mariadb-image-repo-sync + services: + - endpoint: node + service: local_image_registry + static: + error_pages: + jobs: null + ingress: + jobs: null + services: + - endpoint: error_pages + service: oslo_db + mariadb: + jobs: null + services: null + prometheus_create_mysql_user: + services: + - endpoint: internal + service: oslo_db + prometheus_mysql_exporter: + jobs: + - exporter-create-sql-user + services: + - endpoint: internal + service: oslo_db + prometheus_mysql_exporter_tests: + services: + - endpoint: internal + service: prometheus_mysql_exporter + - endpoint: internal + service: monitoring + image_repo_sync: + services: + - endpoint: internal + service: local_image_registry + +force_bootstrap: false + +volume: + chown_on_start: true + enabled: true + class_name: general + size: 5Gi + + + +conf: + ingress: null + +database: + config_override: null + # Any configuration here will override the base config. + # config_override: |- + # [mysqld] + # wsrep_slave_threads=1 + +monitoring: + prometheus: + enabled: false + mysqld_exporter: + scrape: true + +network: + prometheus_mysql_exporter: + port: 9104 + +# typically overridden by environmental +# values, but should include all endpoints +# required by this chart +endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 + monitoring: + name: prometheus + namespace: null + hosts: + default: prom-metrics + public: prometheus + host_fqdn_override: + default: null + path: + default: null + scheme: + default: 'http' + port: + api: + default: 9090 + public: 80 + prometheus_mysql_exporter: + namespace: null + auth: + user: + username: exporter + password: password + hosts: + default: mysql-exporter + host_fqdn_override: + default: null + path: + default: /metrics + scheme: + default: 'http' + port: + metrics: + default: 9104 + oslo_db: + namespace: null + auth: + admin: + username: root + password: password + exporter: + username: exporter + password: password + hosts: + default: mariadb + direct: mariadb-server + discovery: mariadb-discovery + error_pages: mariadb-ingress-error-pages + host_fqdn_override: + default: null + path: null + scheme: mysql+pymysql + port: + mysql: + default: 3306 + wsrep: + default: 4567 + +manifests: + configmap_bin: true + configmap_etc: true + configmap_services_tcp: true + deployment_error: true + deployment_ingress: true + job_image_repo_sync: true + monitoring: + prometheus: + configmap_bin: true + deployment_exporter: true + job_user_create: true + secret_etc: true + service_exporter: true + pdb_server: true + secret_db: true + secret_etc: true + service_discovery: true + service_ingress: true + service_error: true + service: true + statefulset: true diff --git a/playbooks/osh-infra-dev-deploy-ceph.yaml b/playbooks/osh-infra-dev-deploy-ceph.yaml index 5f74dc3a5..b5a8ade5c 100644 --- a/playbooks/osh-infra-dev-deploy-ceph.yaml +++ b/playbooks/osh-infra-dev-deploy-ceph.yaml @@ -60,6 +60,12 @@ ./tools/deployment/developer/ceph/040-ldap.sh args: chdir: "{{ zuul.project.src_dir }}" + - name: Deploy MariaDB + shell: | + set -xe; + ./tools/deployment/developer/ceph/045-mariadb.sh + args: + chdir: "{{ zuul.project.src_dir }}" - name: Deploy Prometheus shell: | set -xe; diff --git a/playbooks/osh-infra-dev-deploy-nfs.yaml b/playbooks/osh-infra-dev-deploy-nfs.yaml index 38542a1a0..019f45940 100644 --- a/playbooks/osh-infra-dev-deploy-nfs.yaml +++ b/playbooks/osh-infra-dev-deploy-nfs.yaml @@ -54,6 +54,12 @@ ./tools/deployment/developer/nfs/040-ldap.sh args: chdir: "{{ zuul.project.src_dir }}" + - name: Deploy MariaDB + shell: | + set -xe; + ./tools/deployment/developer/nfs/045-mariadb.sh + args: + chdir: "{{ zuul.project.src_dir }}" - name: Deploy Prometheus shell: | set -xe; diff --git a/playbooks/osh-infra-multinode-deploy.yaml b/playbooks/osh-infra-multinode-deploy.yaml index ad2c820ac..d897667cc 100644 --- a/playbooks/osh-infra-multinode-deploy.yaml +++ b/playbooks/osh-infra-multinode-deploy.yaml @@ -44,6 +44,12 @@ ./tools/deployment/multinode/040-ldap.sh args: chdir: "{{ zuul.project.src_dir }}" + - name: Deploy MariaDB + shell: | + set -xe; + ./tools/deployment/multinode/045-mariadb.sh + args: + chdir: "{{ zuul.project.src_dir }}" - name: Deploy Prometheus shell: | set -xe; diff --git a/playbooks/osh-infra-openstack-support.yaml b/playbooks/osh-infra-openstack-support.yaml index 2b77f4c00..400c4117e 100644 --- a/playbooks/osh-infra-openstack-support.yaml +++ b/playbooks/osh-infra-openstack-support.yaml @@ -60,3 +60,9 @@ ./tools/deployment/openstack-support/030-memcached.sh args: chdir: "{{ zuul.project.src_dir }}" + - name: Deploy Mariadb + shell: | + set -xe; + ./tools/deployment/openstack-support/035-mariadb.sh + args: + chdir: "{{ zuul.project.src_dir }}" diff --git a/tools/deployment/developer/ceph/045-mariadb.sh b/tools/deployment/developer/ceph/045-mariadb.sh new file mode 120000 index 000000000..80f213b41 --- /dev/null +++ b/tools/deployment/developer/ceph/045-mariadb.sh @@ -0,0 +1 @@ +../common/045-mariadb.sh \ No newline at end of file diff --git a/tools/deployment/developer/common/045-mariadb.sh b/tools/deployment/developer/common/045-mariadb.sh new file mode 100755 index 000000000..be0fad2b4 --- /dev/null +++ b/tools/deployment/developer/common/045-mariadb.sh @@ -0,0 +1,34 @@ +#!/bin/bash + +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +set -xe + +#NOTE: Lint and package chart +make mariadb + +#NOTE: Deploy command +: ${OSH_INFRA_EXTRA_HELM_ARGS:=""} +helm upgrade --install mariadb ./mariadb \ + --namespace=osh-infra \ + --set pod.replicas.server=1 \ + ${OSH_INFRA_EXTRA_HELM_ARGS} \ + ${OSH_INFRA_EXTRA_HELM_ARGS_MARIADB} + +#NOTE: Wait for deploy +./tools/deployment/common/wait-for-pods.sh osh-infra + +#NOTE: Validate Deployment info +helm status mariadb diff --git a/tools/deployment/developer/common/100-grafana.sh b/tools/deployment/developer/common/100-grafana.sh index d63bf375f..b925a56d7 100755 --- a/tools/deployment/developer/common/100-grafana.sh +++ b/tools/deployment/developer/common/100-grafana.sh @@ -20,29 +20,8 @@ set -xe make grafana #NOTE: Deploy command -tee /tmp/grafana.yaml << EOF -dependencies: - static: - grafana: - jobs: null - services: null -manifests: - job_db_init: false - job_db_init_session: false - job_db_session_sync: false - secret_db: false - secret_db_session: false -conf: - grafana: - database: - type: sqlite3 - session: - provider: file - provider_config: sessions -EOF helm upgrade --install grafana ./grafana \ - --namespace=osh-infra \ - --values=/tmp/grafana.yaml + --namespace=osh-infra #NOTE: Wait for deploy ./tools/deployment/common/wait-for-pods.sh osh-infra diff --git a/tools/deployment/developer/nfs/045-mariadb.sh b/tools/deployment/developer/nfs/045-mariadb.sh new file mode 120000 index 000000000..80f213b41 --- /dev/null +++ b/tools/deployment/developer/nfs/045-mariadb.sh @@ -0,0 +1 @@ +../common/045-mariadb.sh \ No newline at end of file diff --git a/tools/deployment/multinode/045-mariadb.sh b/tools/deployment/multinode/045-mariadb.sh new file mode 100755 index 000000000..4464122f9 --- /dev/null +++ b/tools/deployment/multinode/045-mariadb.sh @@ -0,0 +1,33 @@ +#!/bin/bash + +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +set -xe + +#NOTE: Lint and package chart +make mariadb + +#NOTE: Deploy command +: ${OSH_INFRA_EXTRA_HELM_ARGS:=""} +helm upgrade --install mariadb ./mariadb \ + --namespace=osh-infra \ + ${OSH_INFRA_EXTRA_HELM_ARGS} \ + ${OSH_INFRA_EXTRA_HELM_ARGS_MARIADB} + +#NOTE: Wait for deploy +./tools/deployment/common/wait-for-pods.sh osh-infra + +#NOTE: Validate Deployment info +helm status mariadb diff --git a/tools/deployment/multinode/100-grafana.sh b/tools/deployment/multinode/100-grafana.sh index 4fdf4ee26..1aff7ab1a 100755 --- a/tools/deployment/multinode/100-grafana.sh +++ b/tools/deployment/multinode/100-grafana.sh @@ -20,32 +20,9 @@ set -xe make grafana #NOTE: Deploy command -tee /tmp/grafana.yaml << EOF -dependencies: - static: - grafana: - jobs: null - services: null -manifests: - job_db_init: false - job_db_init_session: false - job_db_session_sync: false - secret_db: false - secret_db_session: false -conf: - grafana: - database: - type: sqlite3 - session: - provider: file - provider_config: sessions -pod: - replicas: - grafana: 2 -EOF helm upgrade --install grafana ./grafana \ --namespace=osh-infra \ - --values=/tmp/grafana.yaml + --set pod.replicas.grafana=2 #NOTE: Wait for deploy ./tools/deployment/common/wait-for-pods.sh osh-infra diff --git a/tools/deployment/openstack-support/035-mariadb.sh b/tools/deployment/openstack-support/035-mariadb.sh new file mode 100755 index 000000000..6213fe72c --- /dev/null +++ b/tools/deployment/openstack-support/035-mariadb.sh @@ -0,0 +1,34 @@ +#!/bin/bash + +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +set -xe + +#NOTE: Lint and package chart +make mariadb + +#NOTE: Deploy command +: ${OSH_INFRA_EXTRA_HELM_ARGS:=""} +helm upgrade --install mariadb ./mariadb \ + --namespace=openstack \ + --set pod.replicas.server=1 \ + ${OSH_INFRA_EXTRA_HELM_ARGS} \ + ${OSH_INFRA_EXTRA_HELM_ARGS_MARIADB} + +#NOTE: Wait for deploy +./tools/deployment/common/wait-for-pods.sh openstack + +#NOTE: Validate Deployment info +helm status mariadb