MariaDB: Move chart to openstack-helm-infra
This moves the mariadb chart to openstack-helm-infra as part of the effort to move charts to the appropriate repositories Change-Id: Ife56e28de46c536108cebb4f4cdf6bad2a415289 Story: 2002204 Task: 21725
This commit is contained in:
parent
0bfb2979ec
commit
93630ac6e3
@ -67,6 +67,19 @@ Alternatively, this step can be performed by running the script directly:
|
|||||||
|
|
||||||
./tools/deployment/developer/ceph/040-ldap.sh
|
./tools/deployment/developer/ceph/040-ldap.sh
|
||||||
|
|
||||||
|
Deploy MariaDB
|
||||||
|
^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
.. literalinclude:: ../../../../tools/deployment/developer/ceph/045-mariadb.sh
|
||||||
|
:language: shell
|
||||||
|
:lines: 1,17-
|
||||||
|
|
||||||
|
Alternatively, this step can be performed by running the script directly:
|
||||||
|
|
||||||
|
.. code-block:: shell
|
||||||
|
|
||||||
|
./tools/deployment/developer/ceph/045-mariadb.sh
|
||||||
|
|
||||||
Deploy Prometheus
|
Deploy Prometheus
|
||||||
^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
@ -54,6 +54,19 @@ Alternatively, this step can be performed by running the script directly:
|
|||||||
|
|
||||||
./tools/deployment/developer/nfs/040-ldap.sh
|
./tools/deployment/developer/nfs/040-ldap.sh
|
||||||
|
|
||||||
|
Deploy MariaDB
|
||||||
|
^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
.. literalinclude:: ../../../../tools/deployment/developer/nfs/045-mariadb.sh
|
||||||
|
:language: shell
|
||||||
|
:lines: 1,17-
|
||||||
|
|
||||||
|
Alternatively, this step can be performed by running the script directly:
|
||||||
|
|
||||||
|
.. code-block:: shell
|
||||||
|
|
||||||
|
./tools/deployment/developer/nfs/045-mariadb.sh
|
||||||
|
|
||||||
Deploy Prometheus
|
Deploy Prometheus
|
||||||
^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
@ -67,6 +67,19 @@ Alternatively, this step can be performed by running the script directly:
|
|||||||
|
|
||||||
./tools/deployment/multinode/040-ldap.sh
|
./tools/deployment/multinode/040-ldap.sh
|
||||||
|
|
||||||
|
Deploy MariaDB
|
||||||
|
^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
.. literalinclude:: ../../../tools/deployment/multinode/045-mariadb.sh
|
||||||
|
:language: shell
|
||||||
|
:lines: 1,17-
|
||||||
|
|
||||||
|
Alternatively, this step can be performed by running the script directly:
|
||||||
|
|
||||||
|
.. code-block:: shell
|
||||||
|
|
||||||
|
./tools/deployment/multinode/045-mariadb.sh
|
||||||
|
|
||||||
Deploy Prometheus
|
Deploy Prometheus
|
||||||
^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
21
mariadb/.helmignore
Normal file
21
mariadb/.helmignore
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
# Patterns to ignore when building packages.
|
||||||
|
# This supports shell glob matching, relative path matching, and
|
||||||
|
# negation (prefixed with !). Only one pattern per line.
|
||||||
|
.DS_Store
|
||||||
|
# Common VCS dirs
|
||||||
|
.git/
|
||||||
|
.gitignore
|
||||||
|
.bzr/
|
||||||
|
.bzrignore
|
||||||
|
.hg/
|
||||||
|
.hgignore
|
||||||
|
.svn/
|
||||||
|
# Common backup files
|
||||||
|
*.swp
|
||||||
|
*.bak
|
||||||
|
*.tmp
|
||||||
|
*~
|
||||||
|
# Various IDEs
|
||||||
|
.project
|
||||||
|
.idea/
|
||||||
|
*.tmproj
|
25
mariadb/Chart.yaml
Normal file
25
mariadb/Chart.yaml
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
# Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
apiVersion: v1
|
||||||
|
description: OpenStack-Helm MariaDB
|
||||||
|
name: mariadb
|
||||||
|
version: 0.1.0
|
||||||
|
home: https://mariadb.com/kb/en/
|
||||||
|
icon: http://badges.mariadb.org/mariadb-badge-180x60.png
|
||||||
|
sources:
|
||||||
|
- https://github.com/MariaDB/server
|
||||||
|
- https://git.openstack.org/cgit/openstack/openstack-helm
|
||||||
|
maintainers:
|
||||||
|
- name: OpenStack-Helm Authors
|
38
mariadb/README.rst
Normal file
38
mariadb/README.rst
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
openstack-helm/mariadb
|
||||||
|
======================
|
||||||
|
|
||||||
|
By default, this chart creates a 3-member mariadb galera cluster.
|
||||||
|
|
||||||
|
This chart leverages StatefulSets, with persistent storage.
|
||||||
|
|
||||||
|
It creates a job that acts as a temporary standalone galera cluster.
|
||||||
|
This host is bootstrapped with authentication and then the WSREP
|
||||||
|
bindings are exposed publicly. The cluster members being StatefulSets
|
||||||
|
are provisioned one at a time. The first host must be marked as
|
||||||
|
``Ready`` before the next host will be provisioned. This is determined
|
||||||
|
by the readinessProbes which actually validate that MySQL is up and
|
||||||
|
responsive.
|
||||||
|
|
||||||
|
The configuration leverages xtrabackup-v2 for synchronization. This may
|
||||||
|
later be augmented to leverage rsync which has some benefits.
|
||||||
|
|
||||||
|
Once the seed job completes, which completes only when galera reports
|
||||||
|
that it is Synced and all cluster members are reporting in thus matching
|
||||||
|
the cluster count according to the job to the replica count in the helm
|
||||||
|
values configuration, the job is terminated. When the job is no longer
|
||||||
|
active, future StatefulSets provisioned will leverage the existing
|
||||||
|
cluster members as gcomm endpoints. It is only when the job is running
|
||||||
|
that the cluster members leverage the seed job as their gcomm endpoint.
|
||||||
|
This ensures you can restart members and scale the cluster.
|
||||||
|
|
||||||
|
The StatefulSets all leverage PVCs to provide stateful storage to
|
||||||
|
``/var/lib/mysql``.
|
||||||
|
|
||||||
|
You must ensure that your control nodes that should receive mariadb
|
||||||
|
instances are labeled with ``openstack-control-plane=enabled``, or
|
||||||
|
whatever you have configured in values.yaml for the label
|
||||||
|
configuration:
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
kubectl label nodes openstack-control-plane=enabled --all
|
901
mariadb/files/nginx.tmpl
Normal file
901
mariadb/files/nginx.tmpl
Normal file
@ -0,0 +1,901 @@
|
|||||||
|
{{ $all := . }}
|
||||||
|
{{ $servers := .Servers }}
|
||||||
|
{{ $cfg := .Cfg }}
|
||||||
|
{{ $IsIPV6Enabled := .IsIPV6Enabled }}
|
||||||
|
{{ $healthzURI := .HealthzURI }}
|
||||||
|
{{ $backends := .Backends }}
|
||||||
|
{{ $proxyHeaders := .ProxySetHeaders }}
|
||||||
|
{{ $addHeaders := .AddHeaders }}
|
||||||
|
|
||||||
|
{{ if $cfg.EnableModsecurity }}
|
||||||
|
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if $cfg.EnableOpentracing }}
|
||||||
|
load_module /etc/nginx/modules/ngx_http_opentracing_module.so;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if (and $cfg.EnableOpentracing (ne $cfg.ZipkinCollectorHost "")) }}
|
||||||
|
load_module /etc/nginx/modules/ngx_http_zipkin_module.so;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
daemon off;
|
||||||
|
|
||||||
|
worker_processes {{ $cfg.WorkerProcesses }};
|
||||||
|
pid /run/nginx.pid;
|
||||||
|
{{ if ne .MaxOpenFiles 0 }}
|
||||||
|
worker_rlimit_nofile {{ .MaxOpenFiles }};
|
||||||
|
{{ end}}
|
||||||
|
|
||||||
|
{{/* http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout */}}
|
||||||
|
{{/* avoid waiting too long during a reload */}}
|
||||||
|
worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ;
|
||||||
|
|
||||||
|
events {
|
||||||
|
multi_accept on;
|
||||||
|
worker_connections {{ $cfg.MaxWorkerConnections }};
|
||||||
|
use epoll;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
{{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
|
||||||
|
{{ if $cfg.UseProxyProtocol }}
|
||||||
|
real_ip_header proxy_protocol;
|
||||||
|
{{ else }}
|
||||||
|
real_ip_header {{ $cfg.ForwardedForHeader }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
real_ip_recursive on;
|
||||||
|
{{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
|
||||||
|
set_real_ip_from {{ $trusted_ip }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* databases used to determine the country depending on the client IP address */}}
|
||||||
|
{{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}
|
||||||
|
{{/* this is require to calculate traffic for individual country using GeoIP in the status page */}}
|
||||||
|
geoip_country /etc/nginx/GeoIP.dat;
|
||||||
|
geoip_city /etc/nginx/GeoLiteCity.dat;
|
||||||
|
geoip_proxy_recursive on;
|
||||||
|
|
||||||
|
{{ if $cfg.EnableVtsStatus }}
|
||||||
|
vhost_traffic_status_zone shared:vhost_traffic_status:{{ $cfg.VtsStatusZoneSize }};
|
||||||
|
vhost_traffic_status_filter_by_set_key {{ $cfg.VtsDefaultFilterKey }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
|
||||||
|
aio threads;
|
||||||
|
aio_write on;
|
||||||
|
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
|
||||||
|
log_subrequest on;
|
||||||
|
|
||||||
|
reset_timedout_connection on;
|
||||||
|
|
||||||
|
keepalive_timeout {{ $cfg.KeepAlive }}s;
|
||||||
|
keepalive_requests {{ $cfg.KeepAliveRequests }};
|
||||||
|
|
||||||
|
client_header_buffer_size {{ $cfg.ClientHeaderBufferSize }};
|
||||||
|
client_header_timeout {{ $cfg.ClientHeaderTimeout }}s;
|
||||||
|
large_client_header_buffers {{ $cfg.LargeClientHeaderBuffers }};
|
||||||
|
client_body_buffer_size {{ $cfg.ClientBodyBufferSize }};
|
||||||
|
client_body_timeout {{ $cfg.ClientBodyTimeout }}s;
|
||||||
|
|
||||||
|
http2_max_field_size {{ $cfg.HTTP2MaxFieldSize }};
|
||||||
|
http2_max_header_size {{ $cfg.HTTP2MaxHeaderSize }};
|
||||||
|
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
server_names_hash_max_size {{ $cfg.ServerNameHashMaxSize }};
|
||||||
|
server_names_hash_bucket_size {{ $cfg.ServerNameHashBucketSize }};
|
||||||
|
map_hash_bucket_size {{ $cfg.MapHashBucketSize }};
|
||||||
|
|
||||||
|
proxy_headers_hash_max_size {{ $cfg.ProxyHeadersHashMaxSize }};
|
||||||
|
proxy_headers_hash_bucket_size {{ $cfg.ProxyHeadersHashBucketSize }};
|
||||||
|
|
||||||
|
variables_hash_bucket_size {{ $cfg.VariablesHashBucketSize }};
|
||||||
|
variables_hash_max_size {{ $cfg.VariablesHashMaxSize }};
|
||||||
|
|
||||||
|
underscores_in_headers {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }};
|
||||||
|
ignore_invalid_headers {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }};
|
||||||
|
|
||||||
|
{{ if $cfg.EnableOpentracing }}
|
||||||
|
opentracing on;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if (and $cfg.EnableOpentracing (ne $cfg.ZipkinCollectorHost "")) }}
|
||||||
|
zipkin_collector_host {{ $cfg.ZipkinCollectorHost }};
|
||||||
|
zipkin_collector_port {{ $cfg.ZipkinCollectorPort }};
|
||||||
|
zipkin_service_name {{ $cfg.ZipkinServiceName }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type text/html;
|
||||||
|
|
||||||
|
{{ if $cfg.EnableBrotli }}
|
||||||
|
brotli on;
|
||||||
|
brotli_comp_level {{ $cfg.BrotliLevel }};
|
||||||
|
brotli_types {{ $cfg.BrotliTypes }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if $cfg.UseGzip }}
|
||||||
|
gzip on;
|
||||||
|
gzip_comp_level 5;
|
||||||
|
gzip_http_version 1.1;
|
||||||
|
gzip_min_length 256;
|
||||||
|
gzip_types {{ $cfg.GzipTypes }};
|
||||||
|
gzip_proxied any;
|
||||||
|
gzip_vary on;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
# Custom headers for response
|
||||||
|
{{ range $k, $v := $addHeaders }}
|
||||||
|
add_header {{ $k }} "{{ $v }}";
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }};
|
||||||
|
|
||||||
|
# disable warnings
|
||||||
|
uninitialized_variable_warn off;
|
||||||
|
|
||||||
|
# Additional available variables:
|
||||||
|
# $namespace
|
||||||
|
# $ingress_name
|
||||||
|
# $service_name
|
||||||
|
log_format upstreaminfo {{ if $cfg.LogFormatEscapeJSON }}escape=json {{ end }}'{{ buildLogFormatUpstream $cfg }}';
|
||||||
|
|
||||||
|
{{/* map urls that should not appear in access.log */}}
|
||||||
|
{{/* http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}}
|
||||||
|
map $request_uri $loggable {
|
||||||
|
{{ range $reqUri := $cfg.SkipAccessLogURLs }}
|
||||||
|
{{ $reqUri }} 0;{{ end }}
|
||||||
|
default 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ if $cfg.DisableAccessLog }}
|
||||||
|
access_log off;
|
||||||
|
{{ else }}
|
||||||
|
access_log {{ $cfg.AccessLogPath }} upstreaminfo if=$loggable;
|
||||||
|
{{ end }}
|
||||||
|
error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
|
||||||
|
|
||||||
|
{{ buildResolvers $cfg.Resolver }}
|
||||||
|
|
||||||
|
{{/* Whenever nginx proxies a request without a "Connection" header, the "Connection" header is set to "close" */}}
|
||||||
|
{{/* when making the target request. This means that you cannot simply use */}}
|
||||||
|
{{/* "proxy_set_header Connection $http_connection" for WebSocket support because in this case, the */}}
|
||||||
|
{{/* "Connection" header would be set to "" whenever the original request did not have a "Connection" header, */}}
|
||||||
|
{{/* which would mean no "Connection" header would be in the target request. Since this would deviate from */}}
|
||||||
|
{{/* normal nginx behavior we have to use this approach. */}}
|
||||||
|
# Retain the default nginx handling of requests without a "Connection" header
|
||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' close;
|
||||||
|
}
|
||||||
|
|
||||||
|
map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
|
||||||
|
{{ if $cfg.UseProxyProtocol }}
|
||||||
|
# Get IP address from Proxy Protocol
|
||||||
|
default $proxy_protocol_addr;
|
||||||
|
{{ else }}
|
||||||
|
default $remote_addr;
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
|
||||||
|
# trust http_x_forwarded_proto headers correctly indicate ssl offloading
|
||||||
|
map $http_x_forwarded_proto $pass_access_scheme {
|
||||||
|
default $http_x_forwarded_proto;
|
||||||
|
'' $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $http_x_forwarded_port $pass_server_port {
|
||||||
|
default $http_x_forwarded_port;
|
||||||
|
'' $server_port;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $http_x_forwarded_host $best_http_host {
|
||||||
|
default $http_x_forwarded_host;
|
||||||
|
'' $this_host;
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ if $all.IsSSLPassthroughEnabled }}
|
||||||
|
# map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port
|
||||||
|
map $pass_server_port $pass_port {
|
||||||
|
{{ $all.ListenPorts.SSLProxy }} 443;
|
||||||
|
default $pass_server_port;
|
||||||
|
}
|
||||||
|
{{ else }}
|
||||||
|
map $pass_server_port $pass_port {
|
||||||
|
443 443;
|
||||||
|
default $pass_server_port;
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
# Obtain best http host
|
||||||
|
map $http_host $this_host {
|
||||||
|
default $http_host;
|
||||||
|
'' $host;
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ if $cfg.ComputeFullForwardedFor }}
|
||||||
|
# We can't use $proxy_add_x_forwarded_for because the realip module
|
||||||
|
# replaces the remote_addr too soon
|
||||||
|
map $http_x_forwarded_for $full_x_forwarded_for {
|
||||||
|
{{ if $all.Cfg.UseProxyProtocol }}
|
||||||
|
default "$http_x_forwarded_for, $proxy_protocol_addr";
|
||||||
|
'' "$proxy_protocol_addr";
|
||||||
|
{{ else }}
|
||||||
|
default "$http_x_forwarded_for, $realip_remote_addr";
|
||||||
|
'' "$realip_remote_addr";
|
||||||
|
{{ end}}
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
server_name_in_redirect off;
|
||||||
|
port_in_redirect off;
|
||||||
|
|
||||||
|
ssl_protocols {{ $cfg.SSLProtocols }};
|
||||||
|
|
||||||
|
# turn on session caching to drastically improve performance
|
||||||
|
{{ if $cfg.SSLSessionCache }}
|
||||||
|
ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};
|
||||||
|
ssl_session_timeout {{ $cfg.SSLSessionTimeout }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
# allow configuring ssl session tickets
|
||||||
|
ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
|
||||||
|
|
||||||
|
{{ if not (empty $cfg.SSLSessionTicketKey ) }}
|
||||||
|
ssl_session_ticket_key /etc/nginx/tickets.key;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
# slightly reduce the time-to-first-byte
|
||||||
|
ssl_buffer_size {{ $cfg.SSLBufferSize }};
|
||||||
|
|
||||||
|
{{ if not (empty $cfg.SSLCiphers) }}
|
||||||
|
# allow configuring custom ssl ciphers
|
||||||
|
ssl_ciphers '{{ $cfg.SSLCiphers }}';
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if not (empty $cfg.SSLDHParam) }}
|
||||||
|
# allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
|
||||||
|
ssl_dhparam {{ $cfg.SSLDHParam }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if not $cfg.EnableDynamicTLSRecords }}
|
||||||
|
ssl_dyn_rec_size_lo 0;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};
|
||||||
|
|
||||||
|
{{ if .CustomErrors }}
|
||||||
|
# Custom error pages
|
||||||
|
proxy_intercept_errors on;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ range $errCode := $cfg.CustomHTTPErrors }}
|
||||||
|
error_page {{ $errCode }} = @custom_{{ $errCode }};{{ end }}
|
||||||
|
|
||||||
|
proxy_ssl_session_reuse on;
|
||||||
|
|
||||||
|
{{ if $cfg.AllowBackendServerHeader }}
|
||||||
|
proxy_pass_header Server;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if not (empty $cfg.HTTPSnippet) }}
|
||||||
|
# Custom code snippet configured in the configuration configmap
|
||||||
|
{{ $cfg.HTTPSnippet }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ range $name, $upstream := $backends }}
|
||||||
|
{{ if eq $upstream.SessionAffinity.AffinityType "cookie" }}
|
||||||
|
upstream sticky-{{ $upstream.Name }} {
|
||||||
|
sticky hash={{ $upstream.SessionAffinity.CookieSessionAffinity.Hash }} name={{ $upstream.SessionAffinity.CookieSessionAffinity.Name }} httponly;
|
||||||
|
|
||||||
|
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
|
||||||
|
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }} max_fails={{ $server.MaxFails }} fail_timeout={{ $server.FailTimeout }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
|
||||||
|
upstream {{ $upstream.Name }} {
|
||||||
|
# Load balance algorithm; empty for round robin, which is the default
|
||||||
|
{{ if ne $cfg.LoadBalanceAlgorithm "round_robin" }}
|
||||||
|
{{ $cfg.LoadBalanceAlgorithm }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if $upstream.UpstreamHashBy }}
|
||||||
|
hash {{ $upstream.UpstreamHashBy }} consistent;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
|
||||||
|
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }} max_fails={{ $server.MaxFails }} fail_timeout={{ $server.FailTimeout }};
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* build the maps that will be use to validate the Whitelist */}}
|
||||||
|
{{ range $index, $server := $servers }}
|
||||||
|
{{ range $location := $server.Locations }}
|
||||||
|
{{ $path := buildLocation $location }}
|
||||||
|
|
||||||
|
{{ if isLocationAllowed $location }}
|
||||||
|
{{ if gt (len $location.Whitelist.CIDR) 0 }}
|
||||||
|
|
||||||
|
# Deny for {{ print $server.Hostname $path }}
|
||||||
|
geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_" $path) }} {
|
||||||
|
default 1;
|
||||||
|
|
||||||
|
{{ range $ip := $location.Whitelist.CIDR }}
|
||||||
|
{{ $ip }} 0;{{ end }}
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ range $rl := (filterRateLimits $servers ) }}
|
||||||
|
# Ratelimit {{ $rl.Name }}
|
||||||
|
geo $the_real_ip $whitelist_{{ $rl.ID }} {
|
||||||
|
default 0;
|
||||||
|
{{ range $ip := $rl.Whitelist }}
|
||||||
|
{{ $ip }} 1;{{ end }}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Ratelimit {{ $rl.Name }}
|
||||||
|
map $whitelist_{{ $rl.ID }} $limit_{{ $rl.ID }} {
|
||||||
|
0 {{ $cfg.LimitConnZoneVariable }};
|
||||||
|
1 "";
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
|
||||||
|
{{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
|
||||||
|
{{ range $zone := (buildRateLimitZones $servers) }}
|
||||||
|
{{ $zone }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* Build server redirects (from/to www) */}}
|
||||||
|
{{ range $hostname, $to := .RedirectServers }}
|
||||||
|
server {
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv4 }}
|
||||||
|
listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }};
|
||||||
|
listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} ssl;
|
||||||
|
{{ else }}
|
||||||
|
listen {{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }};
|
||||||
|
listen {{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} ssl;
|
||||||
|
{{ end }}
|
||||||
|
{{ if $IsIPV6Enabled }}
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv6 }}
|
||||||
|
listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }};
|
||||||
|
listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }};
|
||||||
|
{{ else }}
|
||||||
|
listen [::]:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }};
|
||||||
|
listen [::]:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }};
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
server_name {{ $hostname }};
|
||||||
|
|
||||||
|
{{ if ne $all.ListenPorts.HTTPS 443 }}
|
||||||
|
{{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
|
||||||
|
return {{ $all.Cfg.HTTPRedirectCode }} $scheme://{{ $to }}{{ $redirect_port }}$request_uri;
|
||||||
|
{{ else }}
|
||||||
|
return {{ $all.Cfg.HTTPRedirectCode }} $scheme://{{ $to }}$request_uri;
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ range $index, $server := $servers }}
|
||||||
|
|
||||||
|
## start server {{ $server.Hostname }}
|
||||||
|
server {
|
||||||
|
server_name {{ $server.Hostname }} {{ $server.Alias }};
|
||||||
|
{{ template "SERVER" serverConfig $all $server }}
|
||||||
|
|
||||||
|
{{ if not (empty $cfg.ServerSnippet) }}
|
||||||
|
# Custom code snippet configured in the configuration configmap
|
||||||
|
{{ $cfg.ServerSnippet }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ template "CUSTOM_ERRORS" $all }}
|
||||||
|
}
|
||||||
|
## end server {{ $server.Hostname }}
|
||||||
|
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
# default server, used for NGINX healthcheck and access to nginx stats
|
||||||
|
server {
|
||||||
|
# Use the port {{ $all.ListenPorts.Status }} (random value just to avoid known ports) as default port for nginx.
|
||||||
|
# Changing this value requires a change in:
|
||||||
|
# https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go
|
||||||
|
listen {{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};
|
||||||
|
{{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }}
|
||||||
|
set $proxy_upstream_name "-";
|
||||||
|
|
||||||
|
location {{ $healthzURI }} {
|
||||||
|
access_log off;
|
||||||
|
return 200;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /nginx_status {
|
||||||
|
set $proxy_upstream_name "internal";
|
||||||
|
|
||||||
|
{{ if $cfg.EnableVtsStatus }}
|
||||||
|
vhost_traffic_status_display;
|
||||||
|
vhost_traffic_status_display_format html;
|
||||||
|
{{ else }}
|
||||||
|
access_log off;
|
||||||
|
stub_status on;
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
{{ if .CustomErrors }}
|
||||||
|
proxy_set_header X-Code 404;
|
||||||
|
{{ end }}
|
||||||
|
set $proxy_upstream_name "upstream-default-backend";
|
||||||
|
proxy_pass http://upstream-default-backend;
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ template "CUSTOM_ERRORS" $all }}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
stream {
|
||||||
|
log_format log_stream {{ $cfg.LogFormatStream }};
|
||||||
|
|
||||||
|
{{ if $cfg.DisableAccessLog }}
|
||||||
|
access_log off;
|
||||||
|
{{ else }}
|
||||||
|
access_log {{ $cfg.AccessLogPath }} log_stream;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
error_log {{ $cfg.ErrorLogPath }};
|
||||||
|
|
||||||
|
# TCP services
|
||||||
|
{{ range $i, $tcpServer := .TCPBackends }}
|
||||||
|
upstream tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }} {
|
||||||
|
# NOTE(portdirect): mark the 1st server as up, the 2nd as backup, and all others as down.
|
||||||
|
# The ingress controller will manage this list, based on the health checks in the backend pods,
|
||||||
|
# which approximates the pattern commonly used by Haproxy's httpchk.
|
||||||
|
{{ range $j, $endpoint := $tcpServer.Endpoints }}
|
||||||
|
{{ if eq $j 0 }}
|
||||||
|
# NOTE(portdirect): see https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-health-check/#passive-tcp-health-checks to tune passive healthchecks
|
||||||
|
server {{ $endpoint.Address }}:{{ $endpoint.Port }};
|
||||||
|
{{ else if eq $j 1 }}
|
||||||
|
server {{ $endpoint.Address }}:{{ $endpoint.Port }} backup;
|
||||||
|
{{ else }}
|
||||||
|
server {{ $endpoint.Address }}:{{ $endpoint.Port }} down;
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv4 }}
|
||||||
|
listen {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
|
||||||
|
{{ else }}
|
||||||
|
listen {{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
|
||||||
|
{{ end }}
|
||||||
|
{{ if $IsIPV6Enabled }}
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv6 }}
|
||||||
|
listen {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
|
||||||
|
{{ else }}
|
||||||
|
listen [::]:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
proxy_timeout {{ $cfg.ProxyStreamTimeout }};
|
||||||
|
proxy_pass tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }};
|
||||||
|
{{ if $tcpServer.Backend.ProxyProtocol.Encode }}
|
||||||
|
proxy_protocol on;
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
# UDP services
|
||||||
|
{{ range $i, $udpServer := .UDPBackends }}
|
||||||
|
upstream udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }} {
|
||||||
|
{{ range $j, $endpoint := $udpServer.Endpoints }}
|
||||||
|
server {{ $endpoint.Address }}:{{ $endpoint.Port }};
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv4 }}
|
||||||
|
listen {{ $address }}:{{ $udpServer.Port }} udp;
|
||||||
|
{{ else }}
|
||||||
|
listen {{ $udpServer.Port }} udp;
|
||||||
|
{{ end }}
|
||||||
|
{{ if $IsIPV6Enabled }}
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv6 }}
|
||||||
|
listen {{ $address }}:{{ $udpServer.Port }} udp;
|
||||||
|
{{ else }}
|
||||||
|
listen [::]:{{ $udpServer.Port }} udp;
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
proxy_responses {{ $cfg.ProxyStreamResponses }};
|
||||||
|
proxy_timeout {{ $cfg.ProxyStreamTimeout }};
|
||||||
|
proxy_pass udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }};
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
|
||||||
|
{{/* definition of templates to avoid repetitions */}}
|
||||||
|
{{ define "CUSTOM_ERRORS" }}
|
||||||
|
{{ $proxySetHeaders := .ProxySetHeaders }}
|
||||||
|
{{ range $errCode := .Cfg.CustomHTTPErrors }}
|
||||||
|
location @custom_{{ $errCode }} {
|
||||||
|
internal;
|
||||||
|
|
||||||
|
proxy_intercept_errors off;
|
||||||
|
|
||||||
|
proxy_set_header X-Code {{ $errCode }};
|
||||||
|
proxy_set_header X-Format $http_accept;
|
||||||
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
|
proxy_set_header X-Namespace $namespace;
|
||||||
|
proxy_set_header X-Ingress-Name $ingress_name;
|
||||||
|
proxy_set_header X-Service-Name $service_name;
|
||||||
|
|
||||||
|
rewrite (.*) / break;
|
||||||
|
proxy_pass http://upstream-default-backend;
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}}
|
||||||
|
{{ define "CORS" }}
|
||||||
|
{{ $cors := .CorsConfig }}
|
||||||
|
# Cors Preflight methods needs additional options and different Return Code
|
||||||
|
if ($request_method = 'OPTIONS') {
|
||||||
|
add_header 'Access-Control-Allow-Origin' '{{ $cors.CorsAllowOrigin }}' always;
|
||||||
|
{{ if $cors.CorsAllowCredentials }} add_header 'Access-Control-Allow-Credentials' '{{ $cors.CorsAllowCredentials }}' always; {{ end }}
|
||||||
|
add_header 'Access-Control-Allow-Methods' '{{ $cors.CorsAllowMethods }}' always;
|
||||||
|
add_header 'Access-Control-Allow-Headers' '{{ $cors.CorsAllowHeaders }}' always;
|
||||||
|
add_header 'Access-Control-Max-Age' 1728000;
|
||||||
|
add_header 'Content-Type' 'text/plain charset=UTF-8';
|
||||||
|
add_header 'Content-Length' 0;
|
||||||
|
return 204;
|
||||||
|
}
|
||||||
|
|
||||||
|
add_header 'Access-Control-Allow-Origin' '{{ $cors.CorsAllowOrigin }}' always;
|
||||||
|
{{ if $cors.CorsAllowCredentials }} add_header 'Access-Control-Allow-Credentials' '{{ $cors.CorsAllowCredentials }}' always; {{ end }}
|
||||||
|
add_header 'Access-Control-Allow-Methods' '{{ $cors.CorsAllowMethods }}' always;
|
||||||
|
add_header 'Access-Control-Allow-Headers' '{{ $cors.CorsAllowHeaders }}' always;
|
||||||
|
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* definition of server-template to avoid repetitions with server-alias */}}
|
||||||
|
{{ define "SERVER" }}
|
||||||
|
{{ $all := .First }}
|
||||||
|
{{ $server := .Second }}
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv4 }}
|
||||||
|
listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}};
|
||||||
|
{{ else }}
|
||||||
|
listen {{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}};
|
||||||
|
{{ end }}
|
||||||
|
{{ if $all.IsIPV6Enabled }}
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv6 }}
|
||||||
|
listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{ end }};
|
||||||
|
{{ else }}
|
||||||
|
listen [::]:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{ end }};
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
set $proxy_upstream_name "-";
|
||||||
|
|
||||||
|
{{/* Listen on {{ $all.ListenPorts.SSLProxy }} because port {{ $all.ListenPorts.HTTPS }} is used in the TLS sni server */}}
|
||||||
|
{{/* This listener must always have proxy_protocol enabled, because the SNI listener forwards on source IP info in it. */}}
|
||||||
|
{{ if not (empty $server.SSLCertificate) }}
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv4 }}
|
||||||
|
listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol {{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
|
||||||
|
{{ else }}
|
||||||
|
listen {{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol {{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
|
||||||
|
{{ end }}
|
||||||
|
{{ if $all.IsIPV6Enabled }}
|
||||||
|
{{ range $address := $all.Cfg.BindAddressIpv6 }}
|
||||||
|
{{ if not (empty $server.SSLCertificate) }}listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
|
||||||
|
{{ else }}
|
||||||
|
{{ if not (empty $server.SSLCertificate) }}listen [::]:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
{{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
|
||||||
|
# PEM sha: {{ $server.SSLPemChecksum }}
|
||||||
|
ssl_certificate {{ $server.SSLCertificate }};
|
||||||
|
ssl_certificate_key {{ $server.SSLCertificate }};
|
||||||
|
{{ if not (empty $server.SSLFullChainCertificate)}}
|
||||||
|
ssl_trusted_certificate {{ $server.SSLFullChainCertificate }};
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if (and (not (empty $server.SSLCertificate)) $all.Cfg.HSTS) }}
|
||||||
|
more_set_headers "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }};{{ if $all.Cfg.HSTSPreload }} preload{{ end }}";
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
|
||||||
|
{{ if not (empty $server.CertificateAuth.CAFileName) }}
|
||||||
|
# PEM sha: {{ $server.CertificateAuth.PemSHA }}
|
||||||
|
ssl_client_certificate {{ $server.CertificateAuth.CAFileName }};
|
||||||
|
ssl_verify_client {{ $server.CertificateAuth.VerifyClient }};
|
||||||
|
ssl_verify_depth {{ $server.CertificateAuth.ValidationDepth }};
|
||||||
|
{{ if not (empty $server.CertificateAuth.ErrorPage)}}
|
||||||
|
error_page 495 496 = {{ $server.CertificateAuth.ErrorPage }};
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if not (empty $server.ServerSnippet) }}
|
||||||
|
{{ $server.ServerSnippet }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ range $location := $server.Locations }}
|
||||||
|
{{ $path := buildLocation $location }}
|
||||||
|
{{ $authPath := buildAuthLocation $location }}
|
||||||
|
|
||||||
|
{{ if not (empty $location.Rewrite.AppRoot)}}
|
||||||
|
if ($uri = /) {
|
||||||
|
return 302 {{ $location.Rewrite.AppRoot }};
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if not (empty $authPath) }}
|
||||||
|
location = {{ $authPath }} {
|
||||||
|
internal;
|
||||||
|
set $proxy_upstream_name "external-authentication";
|
||||||
|
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
|
{{ if not (empty $location.ExternalAuth.Method) }}
|
||||||
|
proxy_method {{ $location.ExternalAuth.Method }};
|
||||||
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
|
proxy_set_header X-Scheme $pass_access_scheme;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
proxy_set_header Host {{ $location.ExternalAuth.Host }};
|
||||||
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
|
proxy_set_header X-Original-Method $request_method;
|
||||||
|
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||||||
|
proxy_set_header X-Sent-From "nginx-ingress-controller";
|
||||||
|
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_ssl_server_name on;
|
||||||
|
proxy_pass_request_headers on;
|
||||||
|
client_max_body_size "{{ $location.Proxy.BodySize }}";
|
||||||
|
{{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }}
|
||||||
|
client_body_buffer_size {{ $location.ClientBodyBufferSize }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
set $target {{ $location.ExternalAuth.URL }};
|
||||||
|
proxy_pass $target;
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
location {{ $path }} {
|
||||||
|
{{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }}
|
||||||
|
|
||||||
|
set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location }}";
|
||||||
|
|
||||||
|
{{ $ing := (getIngressInformation $location.Ingress $path) }}
|
||||||
|
{{/* $ing.Metadata contains the Ingress metadata */}}
|
||||||
|
set $namespace "{{ $ing.Namespace }}";
|
||||||
|
set $ingress_name "{{ $ing.Rule }}";
|
||||||
|
set $service_name "{{ $ing.Service }}";
|
||||||
|
|
||||||
|
{{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
|
||||||
|
# enforce ssl on server side
|
||||||
|
if ($pass_access_scheme = http) {
|
||||||
|
{{ if ne $all.ListenPorts.HTTPS 443 }}
|
||||||
|
{{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
|
||||||
|
return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host{{ $redirect_port }}$request_uri;
|
||||||
|
{{ else }}
|
||||||
|
return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host$request_uri;
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if $all.Cfg.EnableModsecurity }}
|
||||||
|
modsecurity on;
|
||||||
|
|
||||||
|
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
|
||||||
|
{{ if $all.Cfg.EnableOWASPCoreRules }}
|
||||||
|
modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if isLocationAllowed $location }}
|
||||||
|
{{ if gt (len $location.Whitelist.CIDR) 0 }}
|
||||||
|
if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) {
|
||||||
|
return 403;
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
|
||||||
|
|
||||||
|
{{ if not (empty $authPath) }}
|
||||||
|
# this location requires authentication
|
||||||
|
auth_request {{ $authPath }};
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
{{- range $idx, $line := buildAuthResponseHeaders $location }}
|
||||||
|
{{ $line }}
|
||||||
|
{{- end }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if not (empty $location.ExternalAuth.SigninURL) }}
|
||||||
|
error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* if the location contains a rate limit annotation, create one */}}
|
||||||
|
{{ $limits := buildRateLimit $location }}
|
||||||
|
{{ range $limit := $limits }}
|
||||||
|
{{ $limit }}{{ end }}
|
||||||
|
|
||||||
|
{{ if $location.BasicDigestAuth.Secured }}
|
||||||
|
{{ if eq $location.BasicDigestAuth.Type "basic" }}
|
||||||
|
auth_basic "{{ $location.BasicDigestAuth.Realm }}";
|
||||||
|
auth_basic_user_file {{ $location.BasicDigestAuth.File }};
|
||||||
|
{{ else }}
|
||||||
|
auth_digest "{{ $location.BasicDigestAuth.Realm }}";
|
||||||
|
auth_digest_user_file {{ $location.BasicDigestAuth.File }};
|
||||||
|
{{ end }}
|
||||||
|
proxy_set_header Authorization "";
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if $location.CorsConfig.CorsEnabled }}
|
||||||
|
{{ template "CORS" $location }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if not (empty $location.Redirect.URL) }}
|
||||||
|
if ($uri ~* {{ $path }}) {
|
||||||
|
return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }};
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
client_max_body_size "{{ $location.Proxy.BodySize }}";
|
||||||
|
{{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }}
|
||||||
|
client_body_buffer_size {{ $location.ClientBodyBufferSize }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* By default use vhost as Host to upstream, but allow overrides */}}
|
||||||
|
{{ if not (empty $location.UpstreamVhost) }}
|
||||||
|
proxy_set_header Host "{{ $location.UpstreamVhost }}";
|
||||||
|
{{ else }}
|
||||||
|
proxy_set_header Host $best_http_host;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
|
||||||
|
# Pass the extracted client certificate to the backend
|
||||||
|
{{ if not (empty $server.CertificateAuth.CAFileName) }}
|
||||||
|
{{ if $server.CertificateAuth.PassCertToUpstream }}
|
||||||
|
proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
|
||||||
|
{{ else }}
|
||||||
|
proxy_set_header ssl-client-cert "";
|
||||||
|
{{ end }}
|
||||||
|
proxy_set_header ssl-client-verify $ssl_client_verify;
|
||||||
|
proxy_set_header ssl-client-dn $ssl_client_s_dn;
|
||||||
|
{{ else }}
|
||||||
|
proxy_set_header ssl-client-cert "";
|
||||||
|
proxy_set_header ssl-client-verify "";
|
||||||
|
proxy_set_header ssl-client-dn "";
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
# Allow websocket connections
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
proxy_set_header X-Real-IP $the_real_ip;
|
||||||
|
{{ if $all.Cfg.ComputeFullForwardedFor }}
|
||||||
|
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
|
||||||
|
{{ else }}
|
||||||
|
proxy_set_header X-Forwarded-For $the_real_ip;
|
||||||
|
{{ end }}
|
||||||
|
proxy_set_header X-Forwarded-Host $best_http_host;
|
||||||
|
proxy_set_header X-Forwarded-Port $pass_port;
|
||||||
|
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
|
||||||
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
|
proxy_set_header X-Scheme $pass_access_scheme;
|
||||||
|
|
||||||
|
# Pass the original X-Forwarded-For
|
||||||
|
proxy_set_header X-Original-Forwarded-For {{ buildForwardedFor $all.Cfg.ForwardedForHeader }};
|
||||||
|
|
||||||
|
# mitigate HTTPoxy Vulnerability
|
||||||
|
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
|
||||||
|
# Custom headers to proxied server
|
||||||
|
{{ range $k, $v := $all.ProxySetHeaders }}
|
||||||
|
proxy_set_header {{ $k }} "{{ $v }}";
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
proxy_connect_timeout {{ $location.Proxy.ConnectTimeout }}s;
|
||||||
|
proxy_send_timeout {{ $location.Proxy.SendTimeout }}s;
|
||||||
|
proxy_read_timeout {{ $location.Proxy.ReadTimeout }}s;
|
||||||
|
|
||||||
|
{{ if (or (eq $location.Proxy.ProxyRedirectFrom "default") (eq $location.Proxy.ProxyRedirectFrom "off")) }}
|
||||||
|
proxy_redirect {{ $location.Proxy.ProxyRedirectFrom }};
|
||||||
|
{{ else }}
|
||||||
|
proxy_redirect {{ $location.Proxy.ProxyRedirectFrom }} {{ $location.Proxy.ProxyRedirectTo }};
|
||||||
|
{{ end }}
|
||||||
|
proxy_buffering off;
|
||||||
|
proxy_buffer_size "{{ $location.Proxy.BufferSize }}";
|
||||||
|
proxy_buffers 4 "{{ $location.Proxy.BufferSize }}";
|
||||||
|
proxy_request_buffering "{{ $location.Proxy.RequestBuffering }}";
|
||||||
|
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
|
||||||
|
proxy_cookie_domain {{ $location.Proxy.CookieDomain }};
|
||||||
|
proxy_cookie_path {{ $location.Proxy.CookiePath }};
|
||||||
|
|
||||||
|
# In case of errors try the next upstream server before returning an error
|
||||||
|
proxy_next_upstream {{ buildNextUpstream $location.Proxy.NextUpstream $all.Cfg.RetryNonIdempotent }};
|
||||||
|
|
||||||
|
{{/* rewrite only works if the content is not compressed */}}
|
||||||
|
{{ if $location.Rewrite.AddBaseURL }}
|
||||||
|
proxy_set_header Accept-Encoding "";
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* Add any additional configuration defined */}}
|
||||||
|
{{ $location.ConfigurationSnippet }}
|
||||||
|
|
||||||
|
{{ if not (empty $all.Cfg.LocationSnippet) }}
|
||||||
|
# Custom code snippet configured in the configuration configmap
|
||||||
|
{{ $all.Cfg.LocationSnippet }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{/* if we are sending the request to a custom default backend, we add the required headers */}}
|
||||||
|
{{ if (hasPrefix $location.Backend "custom-default-backend-") }}
|
||||||
|
proxy_set_header X-Code 503;
|
||||||
|
proxy_set_header X-Format $http_accept;
|
||||||
|
proxy_set_header X-Namespace $namespace;
|
||||||
|
proxy_set_header X-Ingress-Name $ingress_name;
|
||||||
|
proxy_set_header X-Service-Name $service_name;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
|
||||||
|
{{ if not (empty $location.Backend) }}
|
||||||
|
{{ buildProxyPass $server.Hostname $all.Backends $location }}
|
||||||
|
{{ else }}
|
||||||
|
# No endpoints available for the request
|
||||||
|
return 503;
|
||||||
|
{{ end }}
|
||||||
|
{{ else }}
|
||||||
|
# Location denied. Reason: {{ $location.Denied }}
|
||||||
|
return 503;
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if eq $server.Hostname "_" }}
|
||||||
|
# health checks in cloud providers require the use of port {{ $all.ListenPorts.HTTP }}
|
||||||
|
location {{ $all.HealthzURI }} {
|
||||||
|
access_log off;
|
||||||
|
return 200;
|
||||||
|
}
|
||||||
|
|
||||||
|
# this is required to avoid error if nginx is being monitored
|
||||||
|
# with an external software (like sysdig)
|
||||||
|
location /nginx_status {
|
||||||
|
allow 127.0.0.1;
|
||||||
|
{{ if $all.IsIPV6Enabled }}allow ::1;{{ end }}
|
||||||
|
deny all;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
stub_status on;
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ end }}
|
18
mariadb/requirements.yaml
Normal file
18
mariadb/requirements.yaml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
# Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- name: helm-toolkit
|
||||||
|
repository: http://localhost:8879/charts
|
||||||
|
version: 0.1.0
|
38
mariadb/templates/bin/_mariadb-ingress-controller.sh.tpl
Normal file
38
mariadb/templates/bin/_mariadb-ingress-controller.sh.tpl
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
set -ex
|
||||||
|
COMMAND="${@:-start}"
|
||||||
|
|
||||||
|
function start () {
|
||||||
|
exec /usr/bin/dumb-init \
|
||||||
|
/nginx-ingress-controller \
|
||||||
|
--force-namespace-isolation \
|
||||||
|
--watch-namespace ${POD_NAMESPACE} \
|
||||||
|
--election-id=${RELEASE_NAME} \
|
||||||
|
--ingress-class=${INGRESS_CLASS} \
|
||||||
|
--default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \
|
||||||
|
--tcp-services-configmap=${POD_NAMESPACE}/mariadb-services-tcp
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
function stop () {
|
||||||
|
kill -TERM 1
|
||||||
|
}
|
||||||
|
|
||||||
|
$COMMAND
|
26
mariadb/templates/bin/_mariadb-ingress-error-pages.sh.tpl
Normal file
26
mariadb/templates/bin/_mariadb-ingress-error-pages.sh.tpl
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
set -ex
|
||||||
|
COMMAND="${@:-start}"
|
||||||
|
|
||||||
|
if [ "x${COMMAND}" == "xstart" ]; then
|
||||||
|
exec /server
|
||||||
|
elif [ "x${COMMAND}" == "xstop" ]; then
|
||||||
|
kill -TERM 1
|
||||||
|
fi
|
52
mariadb/templates/bin/_readiness.sh.tpl
Normal file
52
mariadb/templates/bin/_readiness.sh.tpl
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
MYSQL="mysql \
|
||||||
|
--defaults-file=/etc/mysql/admin_user.cnf \
|
||||||
|
--host=localhost \
|
||||||
|
--connect-timeout 2"
|
||||||
|
|
||||||
|
mysql_status_query () {
|
||||||
|
STATUS=$1
|
||||||
|
$MYSQL -e "show status like \"${STATUS}\"" | \
|
||||||
|
awk "/${STATUS}/ { print \$NF; exit }"
|
||||||
|
}
|
||||||
|
|
||||||
|
if ! $MYSQL -e 'select 1' > /dev/null 2>&1 ; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "x$(mysql_status_query wsrep_cluster_status)" != "xPrimary" ]; then
|
||||||
|
# Not in primary cluster
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ "x$(mysql_status_query wsrep_ready)" != "xON" ]; then
|
||||||
|
# WSREP not ready
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ "x$(mysql_status_query wsrep_local_state_comment)" != "xSynced" ]; then
|
||||||
|
# WSREP not synced
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If we made it this far, its safe to remove the bootstrap file if present
|
||||||
|
if [ -e ${BOOTSTRAP_FILE} ]; then
|
||||||
|
rm -f ${BOOTSTRAP_FILE}
|
||||||
|
fi
|
188
mariadb/templates/bin/_start.sh.tpl
Normal file
188
mariadb/templates/bin/_start.sh.tpl
Normal file
@ -0,0 +1,188 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
# MariaDB 10.2.13 has a regression which breaks clustering, patch
|
||||||
|
# around this for now
|
||||||
|
if /usr/sbin/mysqld --version | grep --silent 10.2.13 ; then
|
||||||
|
sed -i 's^LSOF_OUT=.*^LSOF_OUT=$(lsof -sTCP:LISTEN -i TCP:${PORT} -a -c nc -c socat -F c 2> /dev/null || :)^' /usr/bin/wsrep_sst_xtrabackup-v2
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Bootstrap database
|
||||||
|
CLUSTER_INIT_ARGS=""
|
||||||
|
CLUSTER_CONFIG_PATH=/etc/mysql/conf.d/10-cluster-config.cnf
|
||||||
|
|
||||||
|
function exitWithManualRecovery() {
|
||||||
|
|
||||||
|
UUID=$(sed -e 's/^.*uuid:[\ ,\t]*//' -e 'tx' -e 'd' -e ':x' /var/lib/mysql/grastate.dat)
|
||||||
|
SEQNO=$(sed -e 's/^.*seqno:[\ ,\t]*//' -e 'tx' -e 'd' -e ':x' /var/lib/mysql/grastate.dat)
|
||||||
|
|
||||||
|
cat >/dev/stderr <<EOF
|
||||||
|
**********************************************************
|
||||||
|
* MANUAL RECOVERY ACTION REQUIRED *
|
||||||
|
**********************************************************
|
||||||
|
|
||||||
|
All cluster members are down and grastate.dat indicates that it's not
|
||||||
|
safe to start the cluster from this node. If you see this message on
|
||||||
|
all nodes, you have to do a manual recovery by following these steps:
|
||||||
|
|
||||||
|
a) Find the node with the highest WSREP seq#:
|
||||||
|
|
||||||
|
POD ${PODNAME} uuid: ${UUID} seq: ${SEQNO}
|
||||||
|
|
||||||
|
If you see uuid 00000000-0000-0000-0000-000000000000 with
|
||||||
|
seq -1, the node crashed during DDL.
|
||||||
|
|
||||||
|
If seq is -1 you will find a DETECTED CRASH message
|
||||||
|
on your log. Check the output from InnoDB for the last
|
||||||
|
transaction id available.
|
||||||
|
|
||||||
|
b) Set environment variable FORCE_RECOVERY=<NAME OF POD>
|
||||||
|
to force bootstrapping from the specified node.
|
||||||
|
|
||||||
|
Remember to remove FORCE_RECOVERY after your nodes
|
||||||
|
are fully recovered! You may lose data otherwise.
|
||||||
|
|
||||||
|
You can ignore this message and wait for the next restart if at
|
||||||
|
least one node started without errors.
|
||||||
|
EOF
|
||||||
|
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Construct cluster config
|
||||||
|
MEMBERS=""
|
||||||
|
for i in $(seq 1 ${MARIADB_REPLICAS}); do
|
||||||
|
if [ "$i" -eq "1" ]; then
|
||||||
|
NUM="0"
|
||||||
|
else
|
||||||
|
NUM="$(expr $i - 1)"
|
||||||
|
fi
|
||||||
|
CANDIDATE_POD="${POD_NAME_PREFIX}-$NUM.$(hostname -d)"
|
||||||
|
if [ "x${CANDIDATE_POD}" != "x${POD_NAME}.$(hostname -d)" ]; then
|
||||||
|
if [ -n "${MEMBERS}" ]; then
|
||||||
|
MEMBERS+=,
|
||||||
|
fi
|
||||||
|
MEMBERS+="${CANDIDATE_POD}:${WSREP_PORT}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
echo "Writing cluster config for ${POD_NAME} to ${CLUSTER_CONFIG_PATH}"
|
||||||
|
cat > ${CLUSTER_CONFIG_PATH} <<EOF
|
||||||
|
[mysqld]
|
||||||
|
wsrep_cluster_address="gcomm://${MEMBERS}"
|
||||||
|
wsrep_node_address=${POD_IP}
|
||||||
|
wsrep_node_name=${POD_NAME}.$(hostname -d)
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ ! -z "${FORCE_RECOVERY// }" ]; then
|
||||||
|
cat >/dev/stderr <<EOF
|
||||||
|
**********************************************************
|
||||||
|
* !!! FORCE_RECOVERY WARNING !!! *
|
||||||
|
**********************************************************
|
||||||
|
|
||||||
|
POD is starting with FORCE_RECOVERY defined. Remember to unset this
|
||||||
|
variable after recovery! You may end up in recovering from a node
|
||||||
|
with old data on a crash!
|
||||||
|
|
||||||
|
You have been warned ;-)
|
||||||
|
|
||||||
|
**********************************************************
|
||||||
|
* FORCE_RECOVERY WARNING *
|
||||||
|
**********************************************************
|
||||||
|
EOF
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -d /var/lib/mysql/mysql -a -f /var/lib/mysql/grastate.dat ]; then
|
||||||
|
|
||||||
|
# Node already initialized
|
||||||
|
|
||||||
|
if [ "$(sed -e 's/^.*seqno:[\ ,\t]*//' -e 'tx' -e 'd' -e ':x' /var/lib/mysql/grastate.dat)" = "-1" ]; then
|
||||||
|
cat >/dev/stderr <<EOF
|
||||||
|
**********************************************************
|
||||||
|
* DETECTED CRASH *
|
||||||
|
**********************************************************
|
||||||
|
|
||||||
|
Trying to recover from a previous crash by running with wsrep-recover...
|
||||||
|
EOF
|
||||||
|
mysqld --wsrep_cluster_address=gcomm:// --wsrep-recover
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Check if we can find a cluster memeber."
|
||||||
|
if ! mysql --defaults-file=/etc/mysql/admin_user.cnf \
|
||||||
|
--connect-timeout 2 \
|
||||||
|
-e 'select 1'; then
|
||||||
|
# No other nodes are running
|
||||||
|
if [ -z "${FORCE_RECOVERY// }" -a "$(sed -e 's/^.*safe_to_bootstrap:[\ ,\t]*//' -e 'tx' -e 'd' -e ':x' /var/lib/mysql/grastate.dat)" = "1" ]; then
|
||||||
|
echo 'Bootstrapping from this node.'
|
||||||
|
CLUSTER_INIT_ARGS=--wsrep-new-cluster
|
||||||
|
elif [ "x${FORCE_RECOVERY}x" = "x${POD_NAME}x" ]; then
|
||||||
|
echo 'Forced recovery bootstrap from this node.'
|
||||||
|
CLUSTER_INIT_ARGS=--wsrep-new-cluster
|
||||||
|
cp -f /var/lib/mysql/grastate.dat /var/lib/mysql/grastate.bak
|
||||||
|
cat >/var/lib/mysql/grastate.dat <<EOF
|
||||||
|
`grep -v 'safe_to_bootstrap:' /var/lib/mysql/grastate.bak`
|
||||||
|
safe_to_bootstrap: 1
|
||||||
|
EOF
|
||||||
|
chown -R mysql:mysql /var/lib/mysql/grastate.dat
|
||||||
|
else
|
||||||
|
exitWithManualRecovery
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
elif [ ! -d /var/lib/mysql/mysql -o "x${FORCE_BOOTSTRAP}" = "xtrue" ]; then
|
||||||
|
if [ "x${POD_NAME}" = "x${POD_NAME_PREFIX}-0" ]; then
|
||||||
|
echo No data found for pod 0
|
||||||
|
if [ "x${FORCE_BOOTSTRAP}" = "xtrue" ]; then
|
||||||
|
echo 'force_bootstrap set, so will force-initialize node 0.'
|
||||||
|
CLUSTER_INIT_ARGS=--wsrep-new-cluster
|
||||||
|
CLUSTER_BOOTSTRAP=true
|
||||||
|
elif ! mysql --defaults-file=/etc/mysql/admin_user.cnf \
|
||||||
|
--connect-timeout 2 \
|
||||||
|
-e 'select 1'; then
|
||||||
|
echo 'No other nodes found, so will initialize cluster.'
|
||||||
|
CLUSTER_INIT_ARGS=--wsrep-new-cluster
|
||||||
|
CLUSTER_BOOTSTRAP=true
|
||||||
|
else
|
||||||
|
echo 'Found other live nodes, will attempt to join them.'
|
||||||
|
mkdir /var/lib/mysql/mysql
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo 'Not pod 0, so will avoid upstream database initialization.'
|
||||||
|
mkdir /var/lib/mysql/mysql
|
||||||
|
fi
|
||||||
|
chown -R mysql:mysql /var/lib/mysql
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ "x${CLUSTER_BOOTSTRAP}" = "xtrue" ]; then
|
||||||
|
mysql_install_db --user=mysql --datadir=/var/lib/mysql
|
||||||
|
|
||||||
|
cat > "${BOOTSTRAP_FILE}" << EOF
|
||||||
|
DELETE FROM mysql.user ;
|
||||||
|
CREATE OR REPLACE USER 'root'@'%' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
|
||||||
|
GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ;
|
||||||
|
DROP DATABASE IF EXISTS test ;
|
||||||
|
FLUSH PRIVILEGES ;
|
||||||
|
EOF
|
||||||
|
|
||||||
|
CLUSTER_INIT_ARGS="${CLUSTER_INIT_ARGS} --init-file=${BOOTSTRAP_FILE}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
exec mysqld ${CLUSTER_INIT_ARGS}
|
24
mariadb/templates/bin/_stop.sh.tpl
Normal file
24
mariadb/templates/bin/_stop.sh.tpl
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
exec mysqladmin \
|
||||||
|
--defaults-file=/etc/mysql/admin_user.cnf \
|
||||||
|
--host=localhost \
|
||||||
|
--connect-timeout 2 \
|
||||||
|
shutdown
|
39
mariadb/templates/configmap-bin.yaml
Normal file
39
mariadb/templates/configmap-bin.yaml
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.configmap_bin }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: mariadb-bin
|
||||||
|
data:
|
||||||
|
{{- if .Values.images.local_registry.active }}
|
||||||
|
image-repo-sync.sh: |
|
||||||
|
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
mariadb-ingress-controller.sh: |
|
||||||
|
{{ tuple "bin/_mariadb-ingress-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
mariadb-ingress-error-pages.sh: |
|
||||||
|
{{ tuple "bin/_mariadb-ingress-error-pages.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
readiness.sh: |
|
||||||
|
{{ tuple "bin/_readiness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
start.sh: |
|
||||||
|
{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
stop.sh: |
|
||||||
|
{{ tuple "bin/_stop.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
{{- end }}
|
39
mariadb/templates/configmap-etc.yaml
Normal file
39
mariadb/templates/configmap-etc.yaml
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.configmap_etc }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: mariadb-etc
|
||||||
|
data:
|
||||||
|
my.cnf: |
|
||||||
|
{{ tuple "etc/_my.cnf.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
00-base.cnf: |
|
||||||
|
{{ tuple "etc/_00-base.cnf.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
20-override.cnf: |
|
||||||
|
{{ tuple "etc/_20-override.cnf.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
99-force.cnf: |
|
||||||
|
{{ tuple "etc/_99-force.cnf.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
{{- if $envAll.Values.conf.ingress }}
|
||||||
|
nginx.tmpl: |
|
||||||
|
{{ $envAll.Values.conf.ingress | indent 4 }}
|
||||||
|
{{- else }}
|
||||||
|
{{ ( $envAll.Files.Glob "files/nginx.tmpl" ).AsConfig | indent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
26
mariadb/templates/configmap-services-tcp.yaml
Normal file
26
mariadb/templates/configmap-services-tcp.yaml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.configmap_services_tcp }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: mariadb-services-tcp
|
||||||
|
data:
|
||||||
|
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}: "{{ .Release.Namespace }}/{{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
||||||
|
{{- end }}
|
83
mariadb/templates/deployment-error.yaml
Normal file
83
mariadb/templates/deployment-error.yaml
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.deployment_error }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "mariadb-ingress-error-pages"}}
|
||||||
|
{{ tuple $envAll "error_pages" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: mariadb-ingress-error-pages
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.pod.replicas.error_page }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||||
|
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
|
annotations:
|
||||||
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
|
affinity:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
|
nodeSelector:
|
||||||
|
{{ .Values.labels.error_server.node_selector_key }}: {{ .Values.labels.error_server.node_selector_value }}
|
||||||
|
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.error_pages.timeout | default "60" }}
|
||||||
|
initContainers:
|
||||||
|
{{ tuple $envAll "error_pages" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
|
containers:
|
||||||
|
- name: ingress-error-pages
|
||||||
|
{{ tuple $envAll "error_pages" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.error_pages | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz
|
||||||
|
port: 8080
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
timeoutSeconds: 5
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
||||||
|
command:
|
||||||
|
- /tmp/mariadb-ingress-error-pages.sh
|
||||||
|
- start
|
||||||
|
lifecycle:
|
||||||
|
preStop:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /tmp/mariadb-ingress-error-pages.sh
|
||||||
|
- stop
|
||||||
|
volumeMounts:
|
||||||
|
- name: ingress-bin
|
||||||
|
mountPath: /tmp/mariadb-ingress-error-pages.sh
|
||||||
|
subPath: mariadb-ingress-error-pages.sh
|
||||||
|
readOnly: true
|
||||||
|
volumes:
|
||||||
|
- name: ingress-bin
|
||||||
|
configMap:
|
||||||
|
name: mariadb-bin
|
||||||
|
defaultMode: 0555
|
||||||
|
{{- end }}
|
202
mariadb/templates/deployment-ingress.yaml
Normal file
202
mariadb/templates/deployment-ingress.yaml
Normal file
@ -0,0 +1,202 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.deployment_ingress }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
{{- $ingressClass := printf "%s-%s" .Release.Name "mariadb-ingress" }}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := printf "%s-%s" .Release.Name "ingress" }}
|
||||||
|
{{ tuple $envAll "ingress" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ $serviceAccountName }}
|
||||||
|
namespace: {{ $envAll.Release.Namespace }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- services
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- extensions
|
||||||
|
resources:
|
||||||
|
- ingresses
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- events
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- patch
|
||||||
|
- apiGroups:
|
||||||
|
- extensions
|
||||||
|
resources:
|
||||||
|
- ingresses/status
|
||||||
|
verbs:
|
||||||
|
- update
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
- endpoints
|
||||||
|
- nodes
|
||||||
|
- pods
|
||||||
|
- secrets
|
||||||
|
verbs:
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
- pods
|
||||||
|
- secrets
|
||||||
|
- namespaces
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resourceNames:
|
||||||
|
- {{ printf "%s-%s" .Release.Name $ingressClass | quote }}
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- update
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- endpoints
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ $serviceAccountName }}
|
||||||
|
namespace: {{ $envAll.Release.Namespace }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ $serviceAccountName }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ $serviceAccountName }}
|
||||||
|
namespace: {{ $envAll.Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: mariadb-ingress
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.pod.replicas.ingress }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||||
|
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
|
annotations:
|
||||||
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
|
affinity:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
|
nodeSelector:
|
||||||
|
{{ .Values.labels.ingress.node_selector_key }}: {{ .Values.labels.ingress.node_selector_value }}
|
||||||
|
terminationGracePeriodSeconds: 60
|
||||||
|
initContainers:
|
||||||
|
{{ tuple $envAll "ingress" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
|
containers:
|
||||||
|
- name: ingress
|
||||||
|
{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
readinessProbe:
|
||||||
|
tcpSocket:
|
||||||
|
port: {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz
|
||||||
|
port: 10254
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
timeoutSeconds: 1
|
||||||
|
env:
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: RELEASE_NAME
|
||||||
|
value: {{ .Release.Name | quote }}
|
||||||
|
- name: INGRESS_CLASS
|
||||||
|
value: {{ $ingressClass | quote }}
|
||||||
|
- name: ERROR_PAGE_SERVICE
|
||||||
|
value: {{ tuple "oslo_db" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
|
||||||
|
command:
|
||||||
|
- /tmp/mariadb-ingress-controller.sh
|
||||||
|
- start
|
||||||
|
lifecycle:
|
||||||
|
preStop:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /tmp/mariadb-ingress-controller.sh
|
||||||
|
- stop
|
||||||
|
volumeMounts:
|
||||||
|
- name: mariadb-bin
|
||||||
|
mountPath: /tmp/mariadb-ingress-controller.sh
|
||||||
|
subPath: mariadb-ingress-controller.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: mariadb-etc
|
||||||
|
mountPath: /etc/nginx/template/nginx.tmpl
|
||||||
|
subPath: nginx.tmpl
|
||||||
|
readOnly: true
|
||||||
|
volumes:
|
||||||
|
- name: mariadb-bin
|
||||||
|
configMap:
|
||||||
|
name: mariadb-bin
|
||||||
|
defaultMode: 0555
|
||||||
|
- name: mariadb-etc
|
||||||
|
configMap:
|
||||||
|
name: mariadb-etc
|
||||||
|
defaultMode: 0444
|
||||||
|
{{- end }}
|
107
mariadb/templates/etc/_00-base.cnf.tpl
Normal file
107
mariadb/templates/etc/_00-base.cnf.tpl
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
[mysqld]
|
||||||
|
# Charset
|
||||||
|
character_set_server=utf8
|
||||||
|
collation_server=utf8_unicode_ci
|
||||||
|
skip-character-set-client-handshake
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
slow_query_log=on
|
||||||
|
slow_query_log_file=/var/log/mysql/mariadb-slow.log
|
||||||
|
log_warnings=2
|
||||||
|
|
||||||
|
# General logging has huge performance penalty therefore is disabled by default
|
||||||
|
general_log=off
|
||||||
|
general_log_file=/var/log/mysql/mariadb-error.log
|
||||||
|
|
||||||
|
long_query_time=3
|
||||||
|
log_queries_not_using_indexes=on
|
||||||
|
|
||||||
|
# Networking
|
||||||
|
bind_address=0.0.0.0
|
||||||
|
port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
|
||||||
|
# When a client connects, the server will perform hostname resolution,
|
||||||
|
# and when DNS is slow, establishing the connection will become slow as well.
|
||||||
|
# It is therefore recommended to start the server with skip-name-resolve to
|
||||||
|
# disable all DNS lookups. The only limitation is that the GRANT statements
|
||||||
|
# must then use IP addresses only.
|
||||||
|
skip_name_resolve
|
||||||
|
|
||||||
|
# Tuning
|
||||||
|
user=mysql
|
||||||
|
max_allowed_packet=256M
|
||||||
|
open_files_limit=10240
|
||||||
|
max_connections=8192
|
||||||
|
max-connect-errors=1000000
|
||||||
|
|
||||||
|
## Generally, it is unwise to set the query cache to be larger than 64-128M
|
||||||
|
## as the costs associated with maintaining the cache outweigh the performance
|
||||||
|
## gains.
|
||||||
|
## The query cache is a well known bottleneck that can be seen even when
|
||||||
|
## concurrency is moderate. The best option is to disable it from day 1
|
||||||
|
## by setting query_cache_size=0 (now the default on MySQL 5.6)
|
||||||
|
## and to use other ways to speed up read queries: good indexing, adding
|
||||||
|
## replicas to spread the read load or using an external cache.
|
||||||
|
query_cache_size=0
|
||||||
|
query_cache_type=0
|
||||||
|
|
||||||
|
sync_binlog=0
|
||||||
|
thread_cache_size=16
|
||||||
|
table_open_cache=2048
|
||||||
|
table_definition_cache=1024
|
||||||
|
|
||||||
|
#
|
||||||
|
# InnoDB
|
||||||
|
#
|
||||||
|
# The buffer pool is where data and indexes are cached: having it as large as possible
|
||||||
|
# will ensure you use memory and not disks for most read operations.
|
||||||
|
# Typical values are 50..75% of available RAM.
|
||||||
|
# TODO(tomasz.paszkowski): This needs to by dynamic based on available RAM.
|
||||||
|
innodb_buffer_pool_size=1024M
|
||||||
|
innodb_doublewrite=0
|
||||||
|
innodb_file_format=Barracuda
|
||||||
|
innodb_file_per_table=1
|
||||||
|
innodb_flush_method=O_DIRECT
|
||||||
|
innodb_io_capacity=500
|
||||||
|
innodb_locks_unsafe_for_binlog=1
|
||||||
|
innodb_log_file_size=128M
|
||||||
|
innodb_old_blocks_time=1000
|
||||||
|
innodb_read_io_threads=8
|
||||||
|
innodb_write_io_threads=8
|
||||||
|
|
||||||
|
# Clustering
|
||||||
|
binlog_format=ROW
|
||||||
|
default-storage-engine=InnoDB
|
||||||
|
innodb_autoinc_lock_mode=2
|
||||||
|
innodb_flush_log_at_trx_commit=2
|
||||||
|
wsrep_cluster_name={{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" | replace "." "_" }}
|
||||||
|
wsrep_on=1
|
||||||
|
wsrep_provider=/usr/lib/galera/libgalera_smm.so
|
||||||
|
wsrep_provider_options="gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
||||||
|
wsrep_slave_threads=12
|
||||||
|
wsrep_sst_auth=root:{{ .Values.endpoints.oslo_db.auth.admin.password }}
|
||||||
|
wsrep_sst_method=xtrabackup-v2
|
||||||
|
|
||||||
|
[mysqldump]
|
||||||
|
max-allowed-packet=16M
|
||||||
|
|
||||||
|
[client]
|
||||||
|
default_character_set=utf8
|
||||||
|
protocol=tcp
|
||||||
|
port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
17
mariadb/templates/etc/_20-override.cnf.tpl
Normal file
17
mariadb/templates/etc/_20-override.cnf.tpl
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{ .Values.database.config_override }}
|
19
mariadb/templates/etc/_99-force.cnf.tpl
Normal file
19
mariadb/templates/etc/_99-force.cnf.tpl
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
[mysqld]
|
||||||
|
datadir=/var/lib/mysql
|
||||||
|
tmpdir=/tmp
|
22
mariadb/templates/etc/_my.cnf.tpl
Normal file
22
mariadb/templates/etc/_my.cnf.tpl
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
[mysqld]
|
||||||
|
datadir=/var/lib/mysql
|
||||||
|
basedir=/usr
|
||||||
|
|
||||||
|
[client-server]
|
||||||
|
!includedir /etc/mysql/conf.d/
|
20
mariadb/templates/job-image-repo-sync.yaml
Normal file
20
mariadb/templates/job-image-repo-sync.yaml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
|
||||||
|
{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "mariadb" -}}
|
||||||
|
{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
|
||||||
|
{{- end }}
|
@ -0,0 +1,24 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
set -ex
|
||||||
|
|
||||||
|
mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
|
||||||
|
"CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
|
||||||
|
GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%'; \
|
||||||
|
FLUSH PRIVILEGES;"
|
@ -0,0 +1,30 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
set -ex
|
||||||
|
COMMAND="${@:-start}"
|
||||||
|
|
||||||
|
function start () {
|
||||||
|
exec /bin/mysqld_exporter -config.my-cnf=/etc/mysql/mysql_user.cnf
|
||||||
|
}
|
||||||
|
|
||||||
|
function stop () {
|
||||||
|
kill -TERM 1
|
||||||
|
}
|
||||||
|
|
||||||
|
$COMMAND
|
@ -0,0 +1,29 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.manifests.monitoring.prometheus.configmap_bin .Values.monitoring.prometheus.enabled }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: mysql-exporter-bin
|
||||||
|
data:
|
||||||
|
create-mysql-user.sh: |
|
||||||
|
{{ tuple "bin/_create-mysql-user.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
mysqld-exporter.sh: |
|
||||||
|
{{ tuple "bin/_mysqld-exporter.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
{{- end }}
|
@ -0,0 +1,91 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.manifests.monitoring.prometheus.deployment_exporter .Values.monitoring.prometheus.enabled }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "prometheus-mysql-exporter"}}
|
||||||
|
{{ tuple $envAll "prometheus_mysql_exporter" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: prometheus-mysql-exporter
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.pod.replicas.prometheus_mysql_exporter }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||||
|
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
|
namespace: {{ .Values.endpoints.prometheus_mysql_exporter.namespace }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
|
nodeSelector:
|
||||||
|
{{ .Values.labels.prometheus_mysql_exporter.node_selector_key }}: {{ .Values.labels.prometheus_mysql_exporter.node_selector_value }}
|
||||||
|
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.prometheus_mysql_exporter.timeout | default "30" }}
|
||||||
|
initContainers:
|
||||||
|
{{ tuple $envAll "prometheus_mysql_exporter" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
|
containers:
|
||||||
|
- name: mysql-exporter
|
||||||
|
{{ tuple $envAll "prometheus_mysql_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.prometheus_mysql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
command:
|
||||||
|
- /tmp/mysqld-exporter.sh
|
||||||
|
- start
|
||||||
|
ports:
|
||||||
|
- name: metrics
|
||||||
|
containerPort: {{ .Values.network.prometheus_mysql_exporter.port }}
|
||||||
|
env:
|
||||||
|
- name: EXPORTER_USER
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mysql-exporter-secrets
|
||||||
|
key: EXPORTER_USER
|
||||||
|
- name: EXPORTER_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mysql-exporter-secrets
|
||||||
|
key: EXPORTER_PASSWORD
|
||||||
|
- name: DATA_SOURCE_NAME
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mysql-exporter-secrets
|
||||||
|
key: DATA_SOURCE_NAME
|
||||||
|
volumeMounts:
|
||||||
|
- name: mysql-exporter-secrets
|
||||||
|
mountPath: /etc/mysql/mysql_user.cnf
|
||||||
|
subPath: mysql_user.cnf
|
||||||
|
readOnly: true
|
||||||
|
- name: mysql-exporter-bin
|
||||||
|
mountPath: /tmp/mysqld-exporter.sh
|
||||||
|
subPath: mysqld-exporter.sh
|
||||||
|
readOnly: true
|
||||||
|
volumes:
|
||||||
|
- name: mysql-exporter-secrets
|
||||||
|
secret:
|
||||||
|
secretName: mysql-exporter-secrets
|
||||||
|
defaultMode: 0444
|
||||||
|
- name: mysql-exporter-bin
|
||||||
|
configMap:
|
||||||
|
name: mysql-exporter-bin
|
||||||
|
defaultMode: 0555
|
||||||
|
{{- end }}
|
@ -0,0 +1,83 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.manifests.monitoring.prometheus.job_user_create .Values.monitoring.prometheus.enabled }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "exporter-create-sql-user" }}
|
||||||
|
{{ tuple $envAll "prometheus_create_mysql_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: exporter-create-sql-user
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "prometheus_mysql_exporter" "create-sql-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
|
restartPolicy: OnFailure
|
||||||
|
nodeSelector:
|
||||||
|
{{ .Values.labels.prometheus_mysql_exporter.node_selector_key }}: {{ .Values.labels.prometheus_mysql_exporter.node_selector_value }}
|
||||||
|
initContainers:
|
||||||
|
{{ tuple $envAll "prometheus_create_mysql_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
|
containers:
|
||||||
|
- name: exporter-create-sql-user
|
||||||
|
{{ tuple $envAll "prometheus_create_mysql_user" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.prometheus_create_mysql_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
command:
|
||||||
|
- /tmp/create-mysql-user.sh
|
||||||
|
env:
|
||||||
|
- name: EXPORTER_USER
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mysql-exporter-secrets
|
||||||
|
key: EXPORTER_USER
|
||||||
|
- name: EXPORTER_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mysql-exporter-secrets
|
||||||
|
key: EXPORTER_PASSWORD
|
||||||
|
- name: MYSQL_SERVICE
|
||||||
|
value: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
- name: MYSQL_ROOT_USER
|
||||||
|
value: {{ .Values.endpoints.oslo_db.auth.admin.username }}
|
||||||
|
- name: MYSQL_ROOT_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mariadb-db-root-password
|
||||||
|
key: MYSQL_ROOT_PASSWORD
|
||||||
|
volumeMounts:
|
||||||
|
- name: mysql-exporter-bin
|
||||||
|
mountPath: /tmp/create-mysql-user.sh
|
||||||
|
subPath: create-mysql-user.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: mariadb-secrets
|
||||||
|
mountPath: /etc/mysql/admin_user.cnf
|
||||||
|
subPath: admin_user.cnf
|
||||||
|
readOnly: true
|
||||||
|
volumes:
|
||||||
|
- name: mysql-exporter-bin
|
||||||
|
configMap:
|
||||||
|
name: mysql-exporter-bin
|
||||||
|
defaultMode: 0555
|
||||||
|
- name: mariadb-secrets
|
||||||
|
secret:
|
||||||
|
secretName: mariadb-secrets
|
||||||
|
defaultMode: 0444
|
||||||
|
{{- end }}
|
@ -0,0 +1,35 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.manifests.monitoring.prometheus.secret_etc .Values.monitoring.prometheus.enabled }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
{{- $exporter_user := .Values.endpoints.oslo_db.auth.exporter.username }}
|
||||||
|
{{- $exporter_password := .Values.endpoints.oslo_db.auth.exporter.password }}
|
||||||
|
{{- $db_host := tuple "oslo_db" "direct" "mysql" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
|
||||||
|
{{- $data_source_name := printf "%s:%s@(%s)/" $exporter_user $exporter_password $db_host }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: mysql-exporter-secrets
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
DATA_SOURCE_NAME: {{ $data_source_name | b64enc }}
|
||||||
|
EXPORTER_USER: {{ .Values.endpoints.oslo_db.auth.exporter.username | b64enc }}
|
||||||
|
EXPORTER_PASSWORD: {{ .Values.endpoints.oslo_db.auth.exporter.password | b64enc }}
|
||||||
|
mysql_user.cnf: {{ tuple "secrets/_exporter_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
|
||||||
|
{{- end }}
|
@ -0,0 +1,37 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.manifests.monitoring.prometheus.service_exporter .Values.monitoring.prometheus.enabled }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.mysqld_exporter }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ tuple "prometheus_mysql_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "prometheus_mysql_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
annotations:
|
||||||
|
{{- if .Values.monitoring.prometheus.enabled }}
|
||||||
|
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- name: metrics
|
||||||
|
port: {{ .Values.network.prometheus_mysql_exporter.port }}
|
||||||
|
selector:
|
||||||
|
{{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
{{- end }}
|
@ -0,0 +1,21 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
[client]
|
||||||
|
user = {{ .Values.endpoints.prometheus_mysql_exporter.auth.user.username }}
|
||||||
|
password = {{ .Values.endpoints.prometheus_mysql_exporter.auth.user.password }}
|
||||||
|
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
29
mariadb/templates/pdb-mariadb.yaml
Normal file
29
mariadb/templates/pdb-mariadb.yaml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.pdb_server }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: mariadb-server
|
||||||
|
spec:
|
||||||
|
minAvailable: {{ .Values.pod.lifecycle.disruption_budget.mariadb.min_available }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||||
|
{{- end }}
|
27
mariadb/templates/secret-db-root-password.yaml
Normal file
27
mariadb/templates/secret-db-root-password.yaml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.secret_db }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: mariadb-db-root-password
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
MYSQL_ROOT_PASSWORD: {{ .Values.endpoints.oslo_db.auth.admin.password | b64enc }}
|
||||||
|
{{- end }}
|
27
mariadb/templates/secrets-etc.yaml
Normal file
27
mariadb/templates/secrets-etc.yaml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.secret_etc }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: mariadb-secrets
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
admin_user.cnf: {{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
|
||||||
|
{{- end }}
|
21
mariadb/templates/secrets/_admin_user.cnf.tpl
Normal file
21
mariadb/templates/secrets/_admin_user.cnf.tpl
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
[client]
|
||||||
|
user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
|
||||||
|
password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
|
||||||
|
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
35
mariadb/templates/service-discovery.yaml
Normal file
35
mariadb/templates/service-discovery.yaml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.service_discovery }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ tuple "oslo_db" "discovery" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
annotations:
|
||||||
|
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- name: mysql
|
||||||
|
port: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
- name: wsrep
|
||||||
|
port: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
clusterIP: None
|
||||||
|
selector:
|
||||||
|
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
{{- end }}
|
34
mariadb/templates/service-error.yaml
Normal file
34
mariadb/templates/service-error.yaml
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.service_error }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
name: {{ tuple "oslo_db" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
spec:
|
||||||
|
clusterIP: None
|
||||||
|
ports:
|
||||||
|
- port: 80
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: 8080
|
||||||
|
selector:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
{{- end }}
|
33
mariadb/templates/service-ingress.yaml
Normal file
33
mariadb/templates/service-ingress.yaml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.service_ingress }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
name: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- name: mysql
|
||||||
|
port: {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
protocol: TCP
|
||||||
|
selector:
|
||||||
|
{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
{{- end }}
|
30
mariadb/templates/service.yaml
Normal file
30
mariadb/templates/service.yaml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.service }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- name: mysql
|
||||||
|
port: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
selector:
|
||||||
|
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
{{- end }}
|
182
mariadb/templates/statefulset.yaml
Normal file
182
mariadb/templates/statefulset.yaml
Normal file
@ -0,0 +1,182 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.statefulset }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "mariadb" }}
|
||||||
|
{{ tuple $envAll "mariadb" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: StatefulSet
|
||||||
|
metadata:
|
||||||
|
# NOTE(portdirect): the statefulset name must match the POD_NAME_PREFIX env var for discovery to work
|
||||||
|
name: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
spec:
|
||||||
|
serviceName: "{{ tuple "oslo_db" "discovery" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}"
|
||||||
|
podManagementPolicy: "Parallel"
|
||||||
|
replicas: {{ .Values.pod.replicas.server }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
|
affinity:
|
||||||
|
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
|
nodeSelector:
|
||||||
|
{{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }}
|
||||||
|
initContainers:
|
||||||
|
{{ tuple $envAll "mariadb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
|
{{- if .Values.volume.chown_on_start }}
|
||||||
|
- name: mariadb-perms
|
||||||
|
{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
command:
|
||||||
|
- chown
|
||||||
|
- -R
|
||||||
|
- "mysql:mysql"
|
||||||
|
- /var/lib/mysql
|
||||||
|
volumeMounts:
|
||||||
|
- name: mysql-data
|
||||||
|
mountPath: /var/lib/mysql
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: mariadb
|
||||||
|
{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
env:
|
||||||
|
- name: POD_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: FORCE_BOOTSTRAP
|
||||||
|
value: {{ .Values.force_bootstrap | quote }}
|
||||||
|
- name: FORCE_RECOVERY
|
||||||
|
value: {{ .Values.force_recovey | quote }}
|
||||||
|
- name: BOOTSTRAP_FILE
|
||||||
|
value: {{ printf "/tmp/%s.sql" (randAlphaNum 8) }}
|
||||||
|
- name: MARIADB_REPLICAS
|
||||||
|
value: {{ .Values.pod.replicas.server | quote }}
|
||||||
|
- name: WSREP_PORT
|
||||||
|
value: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
||||||
|
- name: POD_NAME_PREFIX
|
||||||
|
value: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
|
- name: MYSQL_ROOT_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mariadb-db-root-password
|
||||||
|
key: MYSQL_ROOT_PASSWORD
|
||||||
|
ports:
|
||||||
|
- name: mysql
|
||||||
|
protocol: TCP
|
||||||
|
containerPort: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
- name: wsrep
|
||||||
|
protocol: TCP
|
||||||
|
containerPort: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
command:
|
||||||
|
- /tmp/start.sh
|
||||||
|
lifecycle:
|
||||||
|
preStop:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /tmp/stop.sh
|
||||||
|
readinessProbe:
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
periodSeconds: 30
|
||||||
|
timeoutSeconds: 3
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /tmp/readiness.sh
|
||||||
|
volumeMounts:
|
||||||
|
- name: mycnfd
|
||||||
|
mountPath: /etc/mysql/conf.d
|
||||||
|
- name: mariadb-bin
|
||||||
|
mountPath: /tmp/start.sh
|
||||||
|
subPath: start.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: mariadb-bin
|
||||||
|
mountPath: /tmp/stop.sh
|
||||||
|
subPath: stop.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: mariadb-bin
|
||||||
|
mountPath: /tmp/readiness.sh
|
||||||
|
subPath: readiness.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: mariadb-etc
|
||||||
|
mountPath: /etc/mysql/my.cnf
|
||||||
|
subPath: my.cnf
|
||||||
|
readOnly: true
|
||||||
|
- name: mariadb-etc
|
||||||
|
mountPath: /etc/mysql/conf.d/00-base.cnf
|
||||||
|
subPath: 00-base.cnf
|
||||||
|
readOnly: true
|
||||||
|
- name: mariadb-etc
|
||||||
|
mountPath: /etc/mysql/conf.d/20-override.cnf
|
||||||
|
subPath: 20-override.cnf
|
||||||
|
readOnly: true
|
||||||
|
- name: mariadb-etc
|
||||||
|
mountPath: /etc/mysql/conf.d/99-force.cnf
|
||||||
|
subPath: 99-force.cnf
|
||||||
|
readOnly: true
|
||||||
|
- name: mariadb-secrets
|
||||||
|
mountPath: /etc/mysql/admin_user.cnf
|
||||||
|
subPath: admin_user.cnf
|
||||||
|
readOnly: true
|
||||||
|
- name: mysql-data
|
||||||
|
mountPath: /var/lib/mysql
|
||||||
|
volumes:
|
||||||
|
- name: mycnfd
|
||||||
|
emptyDir: {}
|
||||||
|
- name: mariadb-bin
|
||||||
|
configMap:
|
||||||
|
name: mariadb-bin
|
||||||
|
defaultMode: 0555
|
||||||
|
- name: mariadb-etc
|
||||||
|
configMap:
|
||||||
|
name: mariadb-etc
|
||||||
|
defaultMode: 0444
|
||||||
|
- name: mariadb-secrets
|
||||||
|
secret:
|
||||||
|
secretName: mariadb-secrets
|
||||||
|
defaultMode: 0444
|
||||||
|
{{- if not .Values.volume.enabled }}
|
||||||
|
- name: mysql-data
|
||||||
|
emptyDir: {}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.volume.enabled }}
|
||||||
|
volumeClaimTemplates:
|
||||||
|
- metadata:
|
||||||
|
name: mysql-data
|
||||||
|
spec:
|
||||||
|
accessModes: [ "ReadWriteOnce" ]
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: {{ .Values.volume.size }}
|
||||||
|
storageClassName: {{ .Values.volume.class_name }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
289
mariadb/values.yaml
Normal file
289
mariadb/values.yaml
Normal file
@ -0,0 +1,289 @@
|
|||||||
|
# Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# Default values for mariadb.
|
||||||
|
# This is a YAML-formatted file.
|
||||||
|
# Declare name/value pairs to be passed into your templates.
|
||||||
|
# name: value
|
||||||
|
|
||||||
|
release_group: null
|
||||||
|
|
||||||
|
images:
|
||||||
|
tags:
|
||||||
|
# NOTE: if you update from 10.2.13 please look at
|
||||||
|
# https://review.openstack.org/#/q/Ifd09d7effe7d382074ca9e6678df36bdd4bce0af
|
||||||
|
# and check whether it's still needed
|
||||||
|
mariadb: docker.io/mariadb:10.2.13
|
||||||
|
ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0
|
||||||
|
error_pages: gcr.io/google_containers/defaultbackend:1.0
|
||||||
|
prometheus_create_mysql_user: docker.io/mariadb:10.2.13
|
||||||
|
prometheus_mysql_exporter: docker.io/prom/mysqld-exporter:v0.10.0
|
||||||
|
prometheus_mysql_exporter_helm_tests: docker.io/openstackhelm/heat:newton
|
||||||
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
||||||
|
image_repo_sync: docker.io/docker:17.07.0
|
||||||
|
pull_policy: "IfNotPresent"
|
||||||
|
local_registry:
|
||||||
|
active: false
|
||||||
|
exclude:
|
||||||
|
- dep_check
|
||||||
|
- image_repo_sync
|
||||||
|
|
||||||
|
labels:
|
||||||
|
server:
|
||||||
|
node_selector_key: openstack-control-plane
|
||||||
|
node_selector_value: enabled
|
||||||
|
ingress:
|
||||||
|
node_selector_key: openstack-control-plane
|
||||||
|
node_selector_value: enabled
|
||||||
|
prometheus_mysql_exporter:
|
||||||
|
node_selector_key: openstack-control-plane
|
||||||
|
node_selector_value: enabled
|
||||||
|
error_server:
|
||||||
|
node_selector_key: openstack-control-plane
|
||||||
|
node_selector_value: enabled
|
||||||
|
|
||||||
|
pod:
|
||||||
|
affinity:
|
||||||
|
anti:
|
||||||
|
type:
|
||||||
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
||||||
|
topologyKey:
|
||||||
|
default: kubernetes.io/hostname
|
||||||
|
replicas:
|
||||||
|
server: 1
|
||||||
|
ingress: 1
|
||||||
|
error_page: 1
|
||||||
|
prometheus_mysql_exporter: 1
|
||||||
|
lifecycle:
|
||||||
|
upgrades:
|
||||||
|
deployments:
|
||||||
|
revision_history: 3
|
||||||
|
pod_replacement_strategy: RollingUpdate
|
||||||
|
rolling_update:
|
||||||
|
max_unavailable: 1
|
||||||
|
max_surge: 3
|
||||||
|
termination_grace_period:
|
||||||
|
prometheus_mysql_exporter:
|
||||||
|
timeout: 30
|
||||||
|
error_pages:
|
||||||
|
timeout: 10
|
||||||
|
disruption_budget:
|
||||||
|
mariadb:
|
||||||
|
min_available: 0
|
||||||
|
resources:
|
||||||
|
enabled: false
|
||||||
|
prometheus_mysql_exporter:
|
||||||
|
limits:
|
||||||
|
memory: "1024Mi"
|
||||||
|
cpu: "2000m"
|
||||||
|
requests:
|
||||||
|
memory: "128Mi"
|
||||||
|
cpu: "500m"
|
||||||
|
server:
|
||||||
|
requests:
|
||||||
|
memory: "128Mi"
|
||||||
|
cpu: "100m"
|
||||||
|
limits:
|
||||||
|
memory: "1024Mi"
|
||||||
|
cpu: "2000m"
|
||||||
|
jobs:
|
||||||
|
tests:
|
||||||
|
limits:
|
||||||
|
memory: "1024Mi"
|
||||||
|
cpu: "2000m"
|
||||||
|
requests:
|
||||||
|
memory: "128Mi"
|
||||||
|
cpu: "100m"
|
||||||
|
prometheus_create_mysql_user:
|
||||||
|
limits:
|
||||||
|
memory: "1024Mi"
|
||||||
|
cpu: "2000m"
|
||||||
|
requests:
|
||||||
|
memory: "128Mi"
|
||||||
|
cpu: "100m"
|
||||||
|
image_repo_sync:
|
||||||
|
requests:
|
||||||
|
memory: "128Mi"
|
||||||
|
cpu: "100m"
|
||||||
|
limits:
|
||||||
|
memory: "1024Mi"
|
||||||
|
cpu: "2000m"
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
dynamic:
|
||||||
|
common:
|
||||||
|
local_image_registry:
|
||||||
|
jobs:
|
||||||
|
- mariadb-image-repo-sync
|
||||||
|
services:
|
||||||
|
- endpoint: node
|
||||||
|
service: local_image_registry
|
||||||
|
static:
|
||||||
|
error_pages:
|
||||||
|
jobs: null
|
||||||
|
ingress:
|
||||||
|
jobs: null
|
||||||
|
services:
|
||||||
|
- endpoint: error_pages
|
||||||
|
service: oslo_db
|
||||||
|
mariadb:
|
||||||
|
jobs: null
|
||||||
|
services: null
|
||||||
|
prometheus_create_mysql_user:
|
||||||
|
services:
|
||||||
|
- endpoint: internal
|
||||||
|
service: oslo_db
|
||||||
|
prometheus_mysql_exporter:
|
||||||
|
jobs:
|
||||||
|
- exporter-create-sql-user
|
||||||
|
services:
|
||||||
|
- endpoint: internal
|
||||||
|
service: oslo_db
|
||||||
|
prometheus_mysql_exporter_tests:
|
||||||
|
services:
|
||||||
|
- endpoint: internal
|
||||||
|
service: prometheus_mysql_exporter
|
||||||
|
- endpoint: internal
|
||||||
|
service: monitoring
|
||||||
|
image_repo_sync:
|
||||||
|
services:
|
||||||
|
- endpoint: internal
|
||||||
|
service: local_image_registry
|
||||||
|
|
||||||
|
force_bootstrap: false
|
||||||
|
|
||||||
|
volume:
|
||||||
|
chown_on_start: true
|
||||||
|
enabled: true
|
||||||
|
class_name: general
|
||||||
|
size: 5Gi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
conf:
|
||||||
|
ingress: null
|
||||||
|
|
||||||
|
database:
|
||||||
|
config_override: null
|
||||||
|
# Any configuration here will override the base config.
|
||||||
|
# config_override: |-
|
||||||
|
# [mysqld]
|
||||||
|
# wsrep_slave_threads=1
|
||||||
|
|
||||||
|
monitoring:
|
||||||
|
prometheus:
|
||||||
|
enabled: false
|
||||||
|
mysqld_exporter:
|
||||||
|
scrape: true
|
||||||
|
|
||||||
|
network:
|
||||||
|
prometheus_mysql_exporter:
|
||||||
|
port: 9104
|
||||||
|
|
||||||
|
# typically overridden by environmental
|
||||||
|
# values, but should include all endpoints
|
||||||
|
# required by this chart
|
||||||
|
endpoints:
|
||||||
|
cluster_domain_suffix: cluster.local
|
||||||
|
local_image_registry:
|
||||||
|
name: docker-registry
|
||||||
|
namespace: docker-registry
|
||||||
|
hosts:
|
||||||
|
default: localhost
|
||||||
|
internal: docker-registry
|
||||||
|
node: localhost
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
port:
|
||||||
|
registry:
|
||||||
|
node: 5000
|
||||||
|
monitoring:
|
||||||
|
name: prometheus
|
||||||
|
namespace: null
|
||||||
|
hosts:
|
||||||
|
default: prom-metrics
|
||||||
|
public: prometheus
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme:
|
||||||
|
default: 'http'
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
default: 9090
|
||||||
|
public: 80
|
||||||
|
prometheus_mysql_exporter:
|
||||||
|
namespace: null
|
||||||
|
auth:
|
||||||
|
user:
|
||||||
|
username: exporter
|
||||||
|
password: password
|
||||||
|
hosts:
|
||||||
|
default: mysql-exporter
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: /metrics
|
||||||
|
scheme:
|
||||||
|
default: 'http'
|
||||||
|
port:
|
||||||
|
metrics:
|
||||||
|
default: 9104
|
||||||
|
oslo_db:
|
||||||
|
namespace: null
|
||||||
|
auth:
|
||||||
|
admin:
|
||||||
|
username: root
|
||||||
|
password: password
|
||||||
|
exporter:
|
||||||
|
username: exporter
|
||||||
|
password: password
|
||||||
|
hosts:
|
||||||
|
default: mariadb
|
||||||
|
direct: mariadb-server
|
||||||
|
discovery: mariadb-discovery
|
||||||
|
error_pages: mariadb-ingress-error-pages
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path: null
|
||||||
|
scheme: mysql+pymysql
|
||||||
|
port:
|
||||||
|
mysql:
|
||||||
|
default: 3306
|
||||||
|
wsrep:
|
||||||
|
default: 4567
|
||||||
|
|
||||||
|
manifests:
|
||||||
|
configmap_bin: true
|
||||||
|
configmap_etc: true
|
||||||
|
configmap_services_tcp: true
|
||||||
|
deployment_error: true
|
||||||
|
deployment_ingress: true
|
||||||
|
job_image_repo_sync: true
|
||||||
|
monitoring:
|
||||||
|
prometheus:
|
||||||
|
configmap_bin: true
|
||||||
|
deployment_exporter: true
|
||||||
|
job_user_create: true
|
||||||
|
secret_etc: true
|
||||||
|
service_exporter: true
|
||||||
|
pdb_server: true
|
||||||
|
secret_db: true
|
||||||
|
secret_etc: true
|
||||||
|
service_discovery: true
|
||||||
|
service_ingress: true
|
||||||
|
service_error: true
|
||||||
|
service: true
|
||||||
|
statefulset: true
|
@ -60,6 +60,12 @@
|
|||||||
./tools/deployment/developer/ceph/040-ldap.sh
|
./tools/deployment/developer/ceph/040-ldap.sh
|
||||||
args:
|
args:
|
||||||
chdir: "{{ zuul.project.src_dir }}"
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
|
- name: Deploy MariaDB
|
||||||
|
shell: |
|
||||||
|
set -xe;
|
||||||
|
./tools/deployment/developer/ceph/045-mariadb.sh
|
||||||
|
args:
|
||||||
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
- name: Deploy Prometheus
|
- name: Deploy Prometheus
|
||||||
shell: |
|
shell: |
|
||||||
set -xe;
|
set -xe;
|
||||||
|
@ -54,6 +54,12 @@
|
|||||||
./tools/deployment/developer/nfs/040-ldap.sh
|
./tools/deployment/developer/nfs/040-ldap.sh
|
||||||
args:
|
args:
|
||||||
chdir: "{{ zuul.project.src_dir }}"
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
|
- name: Deploy MariaDB
|
||||||
|
shell: |
|
||||||
|
set -xe;
|
||||||
|
./tools/deployment/developer/nfs/045-mariadb.sh
|
||||||
|
args:
|
||||||
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
- name: Deploy Prometheus
|
- name: Deploy Prometheus
|
||||||
shell: |
|
shell: |
|
||||||
set -xe;
|
set -xe;
|
||||||
|
@ -44,6 +44,12 @@
|
|||||||
./tools/deployment/multinode/040-ldap.sh
|
./tools/deployment/multinode/040-ldap.sh
|
||||||
args:
|
args:
|
||||||
chdir: "{{ zuul.project.src_dir }}"
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
|
- name: Deploy MariaDB
|
||||||
|
shell: |
|
||||||
|
set -xe;
|
||||||
|
./tools/deployment/multinode/045-mariadb.sh
|
||||||
|
args:
|
||||||
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
- name: Deploy Prometheus
|
- name: Deploy Prometheus
|
||||||
shell: |
|
shell: |
|
||||||
set -xe;
|
set -xe;
|
||||||
|
@ -60,3 +60,9 @@
|
|||||||
./tools/deployment/openstack-support/030-memcached.sh
|
./tools/deployment/openstack-support/030-memcached.sh
|
||||||
args:
|
args:
|
||||||
chdir: "{{ zuul.project.src_dir }}"
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
|
- name: Deploy Mariadb
|
||||||
|
shell: |
|
||||||
|
set -xe;
|
||||||
|
./tools/deployment/openstack-support/035-mariadb.sh
|
||||||
|
args:
|
||||||
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
|
1
tools/deployment/developer/ceph/045-mariadb.sh
Symbolic link
1
tools/deployment/developer/ceph/045-mariadb.sh
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
../common/045-mariadb.sh
|
34
tools/deployment/developer/common/045-mariadb.sh
Executable file
34
tools/deployment/developer/common/045-mariadb.sh
Executable file
@ -0,0 +1,34 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
#NOTE: Lint and package chart
|
||||||
|
make mariadb
|
||||||
|
|
||||||
|
#NOTE: Deploy command
|
||||||
|
: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
|
||||||
|
helm upgrade --install mariadb ./mariadb \
|
||||||
|
--namespace=osh-infra \
|
||||||
|
--set pod.replicas.server=1 \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS} \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS_MARIADB}
|
||||||
|
|
||||||
|
#NOTE: Wait for deploy
|
||||||
|
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||||
|
|
||||||
|
#NOTE: Validate Deployment info
|
||||||
|
helm status mariadb
|
@ -20,29 +20,8 @@ set -xe
|
|||||||
make grafana
|
make grafana
|
||||||
|
|
||||||
#NOTE: Deploy command
|
#NOTE: Deploy command
|
||||||
tee /tmp/grafana.yaml << EOF
|
|
||||||
dependencies:
|
|
||||||
static:
|
|
||||||
grafana:
|
|
||||||
jobs: null
|
|
||||||
services: null
|
|
||||||
manifests:
|
|
||||||
job_db_init: false
|
|
||||||
job_db_init_session: false
|
|
||||||
job_db_session_sync: false
|
|
||||||
secret_db: false
|
|
||||||
secret_db_session: false
|
|
||||||
conf:
|
|
||||||
grafana:
|
|
||||||
database:
|
|
||||||
type: sqlite3
|
|
||||||
session:
|
|
||||||
provider: file
|
|
||||||
provider_config: sessions
|
|
||||||
EOF
|
|
||||||
helm upgrade --install grafana ./grafana \
|
helm upgrade --install grafana ./grafana \
|
||||||
--namespace=osh-infra \
|
--namespace=osh-infra
|
||||||
--values=/tmp/grafana.yaml
|
|
||||||
|
|
||||||
#NOTE: Wait for deploy
|
#NOTE: Wait for deploy
|
||||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||||
|
1
tools/deployment/developer/nfs/045-mariadb.sh
Symbolic link
1
tools/deployment/developer/nfs/045-mariadb.sh
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
../common/045-mariadb.sh
|
33
tools/deployment/multinode/045-mariadb.sh
Executable file
33
tools/deployment/multinode/045-mariadb.sh
Executable file
@ -0,0 +1,33 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
#NOTE: Lint and package chart
|
||||||
|
make mariadb
|
||||||
|
|
||||||
|
#NOTE: Deploy command
|
||||||
|
: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
|
||||||
|
helm upgrade --install mariadb ./mariadb \
|
||||||
|
--namespace=osh-infra \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS} \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS_MARIADB}
|
||||||
|
|
||||||
|
#NOTE: Wait for deploy
|
||||||
|
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||||
|
|
||||||
|
#NOTE: Validate Deployment info
|
||||||
|
helm status mariadb
|
@ -20,32 +20,9 @@ set -xe
|
|||||||
make grafana
|
make grafana
|
||||||
|
|
||||||
#NOTE: Deploy command
|
#NOTE: Deploy command
|
||||||
tee /tmp/grafana.yaml << EOF
|
|
||||||
dependencies:
|
|
||||||
static:
|
|
||||||
grafana:
|
|
||||||
jobs: null
|
|
||||||
services: null
|
|
||||||
manifests:
|
|
||||||
job_db_init: false
|
|
||||||
job_db_init_session: false
|
|
||||||
job_db_session_sync: false
|
|
||||||
secret_db: false
|
|
||||||
secret_db_session: false
|
|
||||||
conf:
|
|
||||||
grafana:
|
|
||||||
database:
|
|
||||||
type: sqlite3
|
|
||||||
session:
|
|
||||||
provider: file
|
|
||||||
provider_config: sessions
|
|
||||||
pod:
|
|
||||||
replicas:
|
|
||||||
grafana: 2
|
|
||||||
EOF
|
|
||||||
helm upgrade --install grafana ./grafana \
|
helm upgrade --install grafana ./grafana \
|
||||||
--namespace=osh-infra \
|
--namespace=osh-infra \
|
||||||
--values=/tmp/grafana.yaml
|
--set pod.replicas.grafana=2
|
||||||
|
|
||||||
#NOTE: Wait for deploy
|
#NOTE: Wait for deploy
|
||||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||||
|
34
tools/deployment/openstack-support/035-mariadb.sh
Executable file
34
tools/deployment/openstack-support/035-mariadb.sh
Executable file
@ -0,0 +1,34 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
#NOTE: Lint and package chart
|
||||||
|
make mariadb
|
||||||
|
|
||||||
|
#NOTE: Deploy command
|
||||||
|
: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
|
||||||
|
helm upgrade --install mariadb ./mariadb \
|
||||||
|
--namespace=openstack \
|
||||||
|
--set pod.replicas.server=1 \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS} \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS_MARIADB}
|
||||||
|
|
||||||
|
#NOTE: Wait for deploy
|
||||||
|
./tools/deployment/common/wait-for-pods.sh openstack
|
||||||
|
|
||||||
|
#NOTE: Validate Deployment info
|
||||||
|
helm status mariadb
|
Loading…
Reference in New Issue
Block a user