# Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Default values for mariadb. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value --- release_group: null images: tags: agent: ghcr.io/mariadb-operator/agent:v0.0.3 initContainer: ghcr.io/mariadb-operator/init:v0.0.6 mariadb: docker.io/library/mariadb:10.6.14-focal prometheus_mysql_exporter: docker.io/prom/mysqld-exporter:v0.12.1 prometheus_mysql_exporter_helm_tests: docker.io/openstackhelm/heat:wallaby-ubuntu_focal dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 image_repo_sync: docker.io/library/docker:17.07.0 scripted_test: docker.io/library/mariadb:10.6.14-focal mariadb_cluster_refresh_statefulset: quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_focal pull_policy: "IfNotPresent" local_registry: active: false exclude: - dep_check - image_repo_sync labels: server: node_selector_key: openstack-control-plane node_selector_value: enabled job: node_selector_key: openstack-control-plane node_selector_value: enabled test: node_selector_key: openstack-control-plane node_selector_value: enabled pod: probes: server: mariadb: readiness: enabled: true params: initialDelaySeconds: 30 periodSeconds: 30 timeoutSeconds: 15 liveness: enabled: true params: initialDelaySeconds: 120 periodSeconds: 30 timeoutSeconds: 15 security_context: server: pod: runAsUser: 0 container: init-0: runAsUser: 0 readOnlyRootFilesystem: true init: runAsUser: 0 allowPrivilegeEscalation: false readOnlyRootFilesystem: false agent: runAsUser: 0 allowPrivilegeEscalation: false readOnlyRootFilesystem: false mariadb: runAsUser: 0 allowPrivilegeEscalation: false readOnlyRootFilesystem: false mariadb_cluster_refresh_statefulset: pod: runAsUser: 0 container: main: allowPrivilegeEscalation: false readOnlyRootFilesystem: true tests: pod: runAsUser: 999 container: test: runAsUser: 999 readOnlyRootFilesystem: true affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname weight: default: 10 tolerations: mariadb: enabled: false tolerations: - key: node-role.kubernetes.io/master operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/control-plane operator: Exists effect: NoSchedule replicas: server: 3 prometheus_mysql_exporter: 1 lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 termination_grace_period: prometheus_mysql_exporter: timeout: 30 disruption_budget: mariadb: min_available: 0 resources: enabled: false server: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: tests: limits: memory: "1024Mi" cpu: "2000m" requests: memory: "128Mi" cpu: "100m" mariadb_cluster_refresh_statefulset: limits: memory: "1024Mi" cpu: "2000m" requests: memory: "128Mi" cpu: "100m" image_repo_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" dependencies: dynamic: common: local_image_registry: jobs: - mariadb-server-image-repo-sync services: - endpoint: node service: local_image_registry static: image_repo_sync: services: - endpoint: internal service: local_image_registry tests: services: - endpoint: internal service: oslo_db volume: enabled: true class_name: general size: 5Gi backup: enabled: true class_name: general size: 5Gi galera: enabled: true class_name: general size: 300Mi jobs: mariadb_cluster_refresh_statefulset: backoffLimit: 87600 activeDeadlineSeconds: 3600 conf: galera: enabled: true primary: podIndex: 0 automaticFailover: true sst: mariabackup replicaThreads: 1 agent: port: 5555 kubernetesAuth: enabled: true gracefulShutdownTimeout: 5s recovery: enabled: true clusterHealthyTimeout: 3m clusterBootstrapTimeout: 10m podRecoveryTimeout: 5m podSyncTimeout: 5m tests: # This may either be: # * internal: which will hit the endpoint exposed by the ingress controller # * direct: which will hit the backends directly via a k8s service ip # Note, deadlocks and failure are to be expected with concurrency if # hitting the `direct` endpoint. endpoint: internal # This is a list of tuning params passed to mysqlslap: params: - --auto-generate-sql - --concurrency=100 - --number-of-queries=1000 - --number-char-cols=1 - --number-int-cols=1 mariadb_server: setup_wait: iteration: 30 duration: 5 database: auto_upgrade: enabled: true disable_upgrade_backup: false mysql_histfile: "/dev/null" init_script: | #!/usr/bin/env bash {{/* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} set -x chown -R "mysql:mysql" /var/lib/mysql; chmod 771 /var/lib/mysql; galera: | [mariadb] bind-address=0.0.0.0 default_storage_engine=InnoDB binlog_format=row innodb_autoinc_lock_mode=2 max_allowed_packet=256M ######################## # ######################## ignore-db-dirs=lost+found # Charset character_set_server=utf8 collation_server=utf8_general_ci skip-character-set-client-handshake # Logging slow_query_log=off slow_query_log_file=/var/log/mysql/mariadb-slow.log log_warnings=2 # General logging has huge performance penalty therefore is disabled by default general_log=off general_log_file=/var/log/mysql/mariadb-error.log long_query_time=3 log_queries_not_using_indexes=on # Networking bind_address=0.0.0.0 port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} # When a client connects, the server will perform hostname resolution, # and when DNS is slow, establishing the connection will become slow as well. # It is therefore recommended to start the server with skip-name-resolve to # disable all DNS lookups. The only limitation is that the GRANT statements # must then use IP addresses only. skip_name_resolve # Tuning user=mysql max_allowed_packet=256M open_files_limit=10240 max_connections=8192 max-connect-errors=1000000 # General security settings # Reference: https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/general-security-issues.html # secure_file_priv is set to '/home' because it is read-only, which will # disable this feature completely. secure_file_priv=/home local_infile=0 symbolic_links=0 sql_mode="STRICT_ALL_TABLES,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" ## Generally, it is unwise to set the query cache to be larger than 64-128M ## as the costs associated with maintaining the cache outweigh the performance ## gains. ## The query cache is a well known bottleneck that can be seen even when ## concurrency is moderate. The best option is to disable it from day 1 ## by setting query_cache_size=0 (now the default on MySQL 5.6) ## and to use other ways to speed up read queries: good indexing, adding ## replicas to spread the read load or using an external cache. query_cache_size=0 query_cache_type=0 sync_binlog=0 thread_cache_size=16 table_open_cache=2048 table_definition_cache=1024 # # InnoDB # # The buffer pool is where data and indexes are cached: having it as large as possible # will ensure you use memory and not disks for most read operations. # Typical values are 50..75% of available RAM. # TODO(tomasz.paszkowski): This needs to by dynamic based on available RAM. innodb_buffer_pool_size=1024M innodb_doublewrite=0 innodb_file_per_table=1 innodb_flush_method=O_DIRECT innodb_io_capacity=500 innodb_log_file_size=128M innodb_old_blocks_time=1000 innodb_read_io_threads=8 innodb_write_io_threads=8 {{ if .Values.manifests.certificates }} # TLS ssl_ca=/etc/mysql/certs/ca.crt ssl_key=/etc/mysql/certs/tls.key ssl_cert=/etc/mysql/certs/tls.crt # tls_version = TLSv1.2,TLSv1.3 {{ end }} [mysqldump] max-allowed-packet=16M [client] default_character_set=utf8 {{ if .Values.manifests.certificates }} # TLS ssl_ca=/etc/mysql/certs/ca.crt ssl_key=/etc/mysql/certs/tls.key ssl_cert=/etc/mysql/certs/tls.crt # tls_version = TLSv1.2,TLSv1.3 {{ end }} my: | [mysqld] datadir=/var/lib/mysql basedir=/usr ignore-db-dirs=lost+found [client-server] !includedir /etc/mysql/conf.d/ config_override: null # Any configuration here will override the base config. # config_override: |- # [mysqld] # wsrep_slave_threads=1 monitoring: prometheus: enabled: false mysqld_exporter: scrape: true secrets: identity: admin: keystone-admin-user oci_image_registry: mariadb: mariadb-oci-image-registry-key tls: oslo_db: server: public: mariadb-tls-server internal: mariadb-tls-direct # typically overridden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local local_image_registry: name: docker-registry namespace: docker-registry hosts: default: localhost internal: docker-registry node: localhost host_fqdn_override: default: null port: registry: node: 5000 oci_image_registry: name: oci-image-registry namespace: oci-image-registry auth: enabled: false mariadb: username: mariadb password: password hosts: default: localhost host_fqdn_override: default: null port: registry: default: null monitoring: name: prometheus namespace: null hosts: default: prom-metrics public: prometheus host_fqdn_override: default: null path: default: null scheme: default: 'http' port: api: default: 9090 public: 80 prometheus_mysql_exporter: namespace: null hosts: default: mysql-exporter host_fqdn_override: default: null path: default: /metrics scheme: default: 'http' port: metrics: default: 9104 oslo_db: namespace: null auth: admin: username: root password: password sst: username: sst password: password audit: username: audit password: password exporter: username: exporter password: password hosts: default: mariadb-server-primary direct: mariadb-server-internal discovery: mariadb-discovery server: mariadb-server host_fqdn_override: default: null path: null scheme: mysql+pymysql port: mysql: default: 3306 wsrep: default: 4567 kube_dns: namespace: kube-system name: kubernetes-dns hosts: default: kube-dns host_fqdn_override: default: null path: default: null scheme: http port: dns_tcp: default: 53 dns: default: 53 protocol: UDP identity: name: backup-storage-auth namespace: openstack auth: admin: # Auth URL of null indicates local authentication # HTK will form the URL unless specified here auth_url: null region_name: RegionOne username: admin password: password project_name: admin user_domain_name: default project_domain_name: default mariadb-server: # Auth URL of null indicates local authentication # HTK will form the URL unless specified here auth_url: null role: admin region_name: RegionOne username: mariadb-backup-user password: password project_name: service user_domain_name: service project_domain_name: service hosts: default: keystone internal: keystone-api host_fqdn_override: default: null path: default: /v3 scheme: default: 'http' port: api: default: 80 internal: 5000 network_policy: mariadb: ingress: - {} egress: - {} # Helm hook breaks for helm2. # Set helm3_hook: false in case helm2 is used. helm3_hook: true manifests: certificates: false configmap_bin: true configmap_etc: true job_image_repo_sync: true network_policy: false pod_test: true secret_dbadmin_password: true secret_sst_password: true secret_dbaudit_password: true secret_etc: true secret_registry: true service_primary: true mariadb: true ...