openstack-helm-infra/mariadb/values.yaml
Vasyl Saienko 174f6f5bd5 [mariadb] Refactor liveness/readiness probes
* Move all probes into single script to reduce code duplication
* Check free disk percent, fail when we consume 99% to avoid
  data corruption
* Do not restart container when SST is in progress

Change-Id: I6efc7596753dc988aa9edd7ade4d57107db98bdd
2024-11-13 18:37:52 +00:00

697 lines
18 KiB
YAML

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for mariadb.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
---
release_group: null
images:
tags:
mariadb: docker.io/openstackhelm/mariadb:latest-ubuntu_focal
prometheus_create_mysql_user: docker.io/library/mariadb:10.5.9-focal
prometheus_mysql_exporter: docker.io/prom/mysqld-exporter:v0.12.1
prometheus_mysql_exporter_helm_tests: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
image_repo_sync: docker.io/library/docker:17.07.0
mariadb_backup: quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_focal
ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
scripted_test: docker.io/openstackhelm/mariadb:ubuntu_focal-20210415
mariadb_controller: docker.io/openstackhelm/mariadb:latest-ubuntu_focal
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
prometheus_mysql_exporter:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
controller:
node_selector_key: openstack-control-plane
node_selector_value: enabled
pod:
env:
mariadb_controller:
MARIADB_CONTROLLER_DEBUG: 0
MARIADB_CONTROLLER_CHECK_PODS_DELAY: 10
MARIADB_CONTROLLER_PYKUBE_REQUEST_TIMEOUT: 60
probes:
server:
mariadb:
readiness:
enabled: true
disk_usage_percent: 99
params:
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 15
liveness:
enabled: true
params:
initialDelaySeconds: 120
periodSeconds: 30
timeoutSeconds: 15
security_context:
server:
pod:
runAsUser: 999
container:
perms:
runAsUser: 0
readOnlyRootFilesystem: true
mariadb:
runAsUser: 999
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
prometheus_mysql_exporter:
pod:
runAsUser: 99
container:
exporter:
runAsUser: 99
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
prometheus_create_mysql_user:
pod:
runAsUser: 0
container:
main:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
mariadb_backup:
pod:
runAsUser: 65534
container:
backup_perms:
runAsUser: 0
readOnlyRootFilesystem: true
verify_perms:
runAsUser: 0
readOnlyRootFilesystem: true
mariadb_backup:
runAsUser: 65534
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
tests:
pod:
runAsUser: 999
container:
test:
runAsUser: 999
readOnlyRootFilesystem: true
controller:
pod:
runAsUser: 65534
container:
controller:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
cluster_wait:
pod:
runAsUser: 65534
runAsNonRoot: true
container:
mariadb_cluster_wait:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
tolerations:
mariadb:
enabled: false
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
replicas:
server: 3
controller: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
mariadb:
min_available: 0
resources:
enabled: false
server:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
tests:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "100m"
prometheus_create_mysql_user:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "100m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
mariadb_backup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- mariadb-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
mariadb_backup:
jobs:
- mariadb-ks-user
services:
- endpoint: internal
service: oslo_db
prometheus_create_mysql_user:
services:
- endpoint: internal
service: oslo_db
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
tests:
services:
- endpoint: internal
service: oslo_db
controller:
services: null
cluster_wait:
services:
- endpoint: internal
service: oslo_db
volume:
# this value is used for single pod deployments of mariadb to prevent losing all data
# if the pod is restarted
use_local_path_for_single_pod_cluster:
enabled: false
host_path: "/tmp/mysql-data"
chown_on_start: true
enabled: true
class_name: general
size: 5Gi
backup:
enabled: true
class_name: general
size: 5Gi
jobs:
cluster_wait:
clusterCheckWait: 30
clusterCheckRetries: 30
clusterStabilityCount: 30
clusterStabilityWait: 4
exporter_create_sql_user:
backoffLimit: 87600
activeDeadlineSeconds: 3600
mariadb_backup:
# activeDeadlineSeconds == 0 means no deadline
activeDeadlineSeconds: 0
backoffLimit: 6
cron: "0 0 * * *"
history:
success: 3
failed: 1
ks_user:
# activeDeadlineSeconds == 0 means no deadline
activeDeadlineSeconds: 0
backoffLimit: 6
conf:
tests:
# This may either be:
# * direct: which will hit the backends directly via a k8s service ip
# Note, deadlocks and failure are to be expected with concurrency if
# hitting the `direct` endpoint.
endpoint: internal
# This is a list of tuning params passed to mysqlslap:
params:
- --auto-generate-sql
- --concurrency=100
- --number-of-queries=1000
- --number-char-cols=1
- --number-int-cols=1
mariadb_server:
setup_wait:
iteration: 30
duration: 5
backup:
enabled: false
base_path: /var/backup
validateData:
ageOffset: 120
mysqldump_options: >
--single-transaction --quick --add-drop-database
--add-drop-table --add-locks --databases
days_to_keep: 3
remote_backup:
enabled: false
container_name: mariadb
days_to_keep: 14
storage_policy: default-placement
number_of_retries: 5
delay_range:
min: 30
max: 60
throttle_backups:
enabled: false
sessions_limit: 480
lock_expire_after: 7200
retry_after: 3600
container_name: throttle-backups-manager
galera:
cluster_leader_ttl: 60
database:
mysql_histfile: "/dev/null"
my: |
[mysqld]
datadir=/var/lib/mysql
basedir=/usr
ignore-db-dirs=lost+found
[client-server]
!includedir /etc/mysql/conf.d/
00_base: |
[mysqld]
# Charset
character_set_server=utf8
collation_server=utf8_general_ci
skip-character-set-client-handshake
# Logging
slow_query_log=off
slow_query_log_file=/var/log/mysql/mariadb-slow.log
log_warnings=2
# General logging has huge performance penalty therefore is disabled by default
general_log=off
general_log_file=/var/log/mysql/mariadb-error.log
long_query_time=3
log_queries_not_using_indexes=on
# Networking
bind_address=0.0.0.0
port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
# When a client connects, the server will perform hostname resolution,
# and when DNS is slow, establishing the connection will become slow as well.
# It is therefore recommended to start the server with skip-name-resolve to
# disable all DNS lookups. The only limitation is that the GRANT statements
# must then use IP addresses only.
skip_name_resolve
# Tuning
user=mysql
max_allowed_packet=256M
open_files_limit=10240
max_connections=8192
max-connect-errors=1000000
# General security settings
# Reference: https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/general-security-issues.html
# secure_file_priv is set to '/home' because it is read-only, which will
# disable this feature completely.
secure_file_priv=/home
local_infile=0
symbolic_links=0
sql_mode="STRICT_ALL_TABLES,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
## Generally, it is unwise to set the query cache to be larger than 64-128M
## as the costs associated with maintaining the cache outweigh the performance
## gains.
## The query cache is a well known bottleneck that can be seen even when
## concurrency is moderate. The best option is to disable it from day 1
## by setting query_cache_size=0 (now the default on MySQL 5.6)
## and to use other ways to speed up read queries: good indexing, adding
## replicas to spread the read load or using an external cache.
query_cache_size=0
query_cache_type=0
sync_binlog=0
thread_cache_size=16
table_open_cache=2048
table_definition_cache=1024
#
# InnoDB
#
# The buffer pool is where data and indexes are cached: having it as large as possible
# will ensure you use memory and not disks for most read operations.
# Typical values are 50..75% of available RAM.
# TODO(tomasz.paszkowski): This needs to by dynamic based on available RAM.
innodb_buffer_pool_size=1024M
innodb_doublewrite=0
innodb_file_format=Barracuda
innodb_file_per_table=1
innodb_flush_method=O_DIRECT
innodb_io_capacity=500
innodb_locks_unsafe_for_binlog=1
innodb_log_file_size=128M
innodb_old_blocks_time=1000
innodb_read_io_threads=8
innodb_write_io_threads=8
# Clustering
binlog_format=ROW
default-storage-engine=InnoDB
innodb_autoinc_lock_mode=2
innodb_flush_log_at_trx_commit=2
wsrep_cluster_name={{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" | replace "." "_" }}
wsrep_on=1
wsrep_provider=/usr/lib/galera/libgalera_smm.so
wsrep_provider_options="evs.suspect_timeout=PT30S; gmcast.peer_timeout=PT15S; gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
wsrep_slave_threads=12
wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.sst.username }}:{{ .Values.endpoints.oslo_db.auth.sst.password }}
wsrep_sst_method=mariabackup
{{ if .Values.manifests.certificates }}
# TLS
ssl_ca=/etc/mysql/certs/ca.crt
ssl_key=/etc/mysql/certs/tls.key
ssl_cert=/etc/mysql/certs/tls.crt
# tls_version = TLSv1.2,TLSv1.3
{{ end }}
[mysqldump]
max-allowed-packet=16M
[client]
default_character_set=utf8
protocol=tcp
port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.manifests.certificates }}
# TLS
ssl_ca=/etc/mysql/certs/ca.crt
ssl_key=/etc/mysql/certs/tls.key
ssl_cert=/etc/mysql/certs/tls.crt
# tls_version = TLSv1.2,TLSv1.3
ssl-verify-server-cert
{{ end }}
config_override: null
# Any configuration here will override the base config.
# config_override: |-
# [mysqld]
# wsrep_slave_threads=1
99_force: |
[mysqld]
datadir=/var/lib/mysql
tmpdir=/tmp
monitoring:
prometheus:
enabled: false
mysqld_exporter:
scrape: true
secrets:
identity:
admin: keystone-admin-user
mariadb: mariadb-backup-user
mariadb:
backup_restore: mariadb-backup-restore
oci_image_registry:
mariadb: mariadb-oci-image-registry-key
tls:
oslo_db:
server:
public: mariadb-tls-server
internal: mariadb-tls-direct
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
mariadb:
username: mariadb
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
monitoring:
name: prometheus
namespace: null
hosts:
default: prom-metrics
public: prometheus
host_fqdn_override:
default: null
path:
default: null
scheme:
default: 'http'
port:
api:
default: 9090
public: 80
prometheus_mysql_exporter:
namespace: null
hosts:
default: mysql-exporter
host_fqdn_override:
default: null
path:
default: /metrics
scheme:
default: 'http'
port:
metrics:
default: 9104
oslo_db:
namespace: null
auth:
admin:
username: root
password: password
sst:
username: sst
password: password
audit:
username: audit
password: password
exporter:
username: exporter
password: password
hosts:
default: mariadb
direct: mariadb-server
discovery: mariadb-discovery
host_fqdn_override:
default: null
path: null
scheme: mysql+pymysql
port:
mysql:
default: 3306
wsrep:
default: 4567
ist:
default: 4568
sst:
default: 4444
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
identity:
name: backup-storage-auth
namespace: openstack
auth:
admin:
# Auth URL of null indicates local authentication
# HTK will form the URL unless specified here
auth_url: null
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
mariadb:
# Auth URL of null indicates local authentication
# HTK will form the URL unless specified here
auth_url: null
role: admin
region_name: RegionOne
username: mariadb-backup-user
password: password
project_name: service
user_domain_name: service
project_domain_name: service
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: 'http'
port:
api:
default: 80
internal: 5000
network:
mariadb: {}
mariadb_discovery: {}
mariadb_master: {}
network_policy:
mariadb:
ingress:
- {}
egress:
- {}
prometheus-mysql-exporter:
ingress:
- {}
egress:
- {}
# Helm hook breaks for helm2.
# Set helm3_hook: false in case helm2 is used.
helm3_hook: true
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
configmap_services_tcp: true
job_image_repo_sync: true
cron_job_mariadb_backup: false
job_ks_user: false
pvc_backup: false
monitoring:
prometheus:
configmap_bin: true
job_user_create: true
secret_etc: true
pdb_server: true
network_policy: false
pod_test: true
secret_dbadmin_password: true
secret_sst_password: true
secret_dbaudit_password: true
secret_backup_restore: false
secret_etc: true
secret_registry: true
service_discovery: true
service_error: false
service: true
statefulset: true
deployment_controller: true
service_master: true
job_cluster_wait: false
...