treasuremap/global/software/charts/osh/openstack-mariadb/mariadb.yaml


---
# Armada chart for the openstack-mariadb release (namespace: openstack).
# Deckhand substitutions copy the chart source, image tags, endpoints,
# account definitions and passphrases from other documents into this one.
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: openstack-mariadb
  labels:
    name: openstack-mariadb-global
    component: mariadb
  layeringDefinition:
    abstract: false
    layer: global
  # NOTE(review): this document is stored as cleartext, yet five
  # substitutions below copy deckhand/Passphrase values into it. Confirm how
  # the rendered document is protected (redaction, access control) so the
  # rendered chart is treated as secret material.
  storagePolicy: cleartext
  substitutions:
    # Chart location, taken from the software-versions document.
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.osh.mariadb
      dest:
        path: .source
    # Container image tags, taken from the same versions document.
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.osh.mariadb
      dest:
        path: .values.images.tags
    # Endpoint definitions for the database and the mysql exporter.
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: osh_endpoints
        path: .osh.oslo_db
      dest:
        path: .values.endpoints.oslo_db
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: osh_endpoints
        path: .osh.prometheus_mysql_exporter
      dest:
        path: .values.endpoints.prometheus_mysql_exporter
    # Service accounts: admin, sst (state transfer), audit and exporter.
    # The exporter account is written to two destinations so the database
    # side and the exporter side use the same account definition.
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: osh_service_accounts
        path: .osh.oslo_db.admin
      dest:
        path: .values.endpoints.oslo_db.auth.admin
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: osh_service_accounts
        path: .osh.oslo_db.sst
      dest:
        path: .values.endpoints.oslo_db.auth.sst
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: osh_service_accounts
        path: .osh.oslo_db.audit
      dest:
        path: .values.endpoints.oslo_db.auth.audit
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: osh_service_accounts
        path: .osh.prometheus_mysql_exporter.user
      dest:
        path: .values.endpoints.oslo_db.auth.exporter
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: osh_service_accounts
        path: .osh.prometheus_mysql_exporter.user
      dest:
        path: .values.endpoints.prometheus_mysql_exporter.auth.user
    # Passphrases: each deckhand/Passphrase document is copied whole
    # (path: .) into the matching auth.*.password value. The exporter
    # passphrase is written to both exporter destinations.
    - dest:
        path: .values.endpoints.oslo_db.auth.admin.password
      src:
        schema: deckhand/Passphrase/v1
        name: osh_oslo_db_admin_password
        path: .
    - dest:
        path: .values.endpoints.oslo_db.auth.sst.password
      src:
        schema: deckhand/Passphrase/v1
        name: osh_oslo_db_sst_password
        path: .
    - dest:
        path: .values.endpoints.oslo_db.auth.audit.password
      src:
        schema: deckhand/Passphrase/v1
        name: osh_oslo_db_audit_password
        path: .
    - dest:
        path: .values.endpoints.oslo_db.auth.exporter.password
      src:
        schema: deckhand/Passphrase/v1
        name: osh_oslo_db_exporter_password
        path: .
    - dest:
        path: .values.endpoints.prometheus_mysql_exporter.auth.user.password
      src:
        schema: deckhand/Passphrase/v1
        name: osh_oslo_db_exporter_password
        path: .
data:
  chart_name: openstack-mariadb
  release: openstack-mariadb
  namespace: openstack
  # Wait up to 1800 s for the release's jobs and for the statefulset to
  # report min_ready 66%.
  wait:
    timeout: 1800
    labels:
      release_group: clcp-openstack-mariadb
    resources:
      - type: job
      - type: statefulset
        min_ready: 66%
    native:
      enabled: false
  install:
    no_hooks: false
  upgrade:
    no_hooks: false
    # NOTE(review): force is enabled for upgrades. Presumably resources may
    # be deleted and recreated when an in-place update fails - confirm this
    # is acceptable for the database statefulset.
    options:
      force: true
    # Jobs carrying the release_group label are deleted before an upgrade.
    pre:
      delete:
        - type: job
          labels:
            release_group: clcp-openstack-mariadb
  values:
    volume:
      size: 30Gi
      backup:
        size: 50Gi
    conf:
      database:
        # Server and client settings rendered as a Helm template. The text
        # below is kept exactly as it was. Review notes for it:
        #
        # - bind_address and gmcast.listen_addr are 0.0.0.0, so the server
        #   and the Galera listener accept connections on every pod
        #   interface. Access control then rests on network policy and on
        #   database grants.
        # - wsrep_sst_auth renders the sst username and password into this
        #   text. NOTE(review): confirm the chart stores the rendered file
        #   as a Secret and with restrictive file permissions.
        # - The TLS stanzas are rendered only when
        #   .Values.manifests.certificates is set. This document sets only
        #   cron_job_mariadb_backup and pvc_backup under manifests, so TLS
        #   depends on chart defaults or another layer.
        # - tls_version is commented out in both stanzas, so no minimum
        #   protocol version is pinned here.
        # - [client] sets ssl-verify-server-cert=false: clients using this
        #   file encrypt the session but do not authenticate the server, so
        #   an on-path host could impersonate it. Enable verification once
        #   the certificate names match the service names.
        # - Nothing in [mysqld] here requires clients to use TLS, and
        #   wsrep_provider_options carries no socket.ssl_* options, so
        #   plaintext client and replication traffic may remain possible.
        #   NOTE(review): confirm against chart defaults.
        # - secure_file_priv=/home confines file import/export to /home; it
        #   does not switch the feature off. The in-file claim holds only if
        #   /home is empty and not writable by the mysql user - confirm.
        # - max-connect-errors=1000000 effectively disables host blocking
        #   after repeated failed connections.
        # - general_log_file points at mariadb-error.log. The general log
        #   is off; if it is ever enabled it records full statements, which
        #   can include sensitive values, under that file name.
        # - sync_binlog=0, innodb_doublewrite=0 and
        #   innodb_flush_log_at_trx_commit=2 trade crash durability for
        #   speed. NOTE(review): recovery presumably relies on Galera peers
        #   and the backups configured below - confirm.
        00_base: |
          [mysqld]
          # Charset
          character_set_server=utf8
          collation_server=utf8_general_ci
          skip-character-set-client-handshake
          # Logging
          slow_query_log=off
          slow_query_log_file=/var/log/mysql/mariadb-slow.log
          log_warnings=2
          # General logging has huge performance penalty therefore is disabled by default
          general_log=off
          general_log_file=/var/log/mysql/mariadb-error.log
          long_query_time=3
          log_queries_not_using_indexes=on
          # Networking
          bind_address=0.0.0.0
          port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          # When a client connects, the server will perform hostname resolution,
          # and when DNS is slow, establishing the connection will become slow as well.
          # It is therefore recommended to start the server with skip-name-resolve to
          # disable all DNS lookups. The only limitation is that the GRANT statements
          # must then use IP addresses only.
          skip_name_resolve
          # Tuning
          user=mysql
          max_allowed_packet=256M
          open_files_limit=10240
          max_connections=8192
          max-connect-errors=1000000
          # General security settings
          # Reference link below:
          # https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/general-security-issues.html
          # secure_file_priv is set to '/home' because it is read-only, which will
          # disable this feature completely.
          secure_file_priv=/home
          local_infile=0
          symbolic_links=0
          sql_mode="STRICT_ALL_TABLES,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
          ## Generally, it is unwise to set the query cache to be larger than 64-128M
          ## as the costs associated with maintaining the cache outweigh the performance
          ## gains.
          ## The query cache is a well known bottleneck that can be seen even when
          ## concurrency is moderate. The best option is to disable it from day 1
          ## by setting query_cache_size=0 (now the default on MySQL 5.6)
          ## and to use other ways to speed up read queries: good indexing, adding
          ## replicas to spread the read load or using an external cache.
          query_cache_size=0
          query_cache_type=0
          sync_binlog=0
          thread_cache_size=16
          table_open_cache=2048
          table_definition_cache=1024
          #
          # InnoDB
          #
          # The buffer pool is where data and indexes are cached: having it as large as possible
          # will ensure you use memory and not disks for most read operations.
          # Typical values are 50..75% of available RAM.
          # TODO(tomasz.paszkowski): This needs to by dynamic based on available RAM.
          innodb_buffer_pool_size=1024M
          innodb_doublewrite=0
          innodb_file_format=Barracuda
          innodb_file_per_table=1
          innodb_flush_method=O_DIRECT
          innodb_io_capacity=500
          innodb_locks_unsafe_for_binlog=1
          innodb_log_file_size=128M
          innodb_old_blocks_time=1000
          innodb_read_io_threads=8
          innodb_write_io_threads=8
          # Clustering
          binlog_format=ROW
          default-storage-engine=InnoDB
          innodb_autoinc_lock_mode=2
          innodb_flush_log_at_trx_commit=2
          wsrep_cluster_name={{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" | replace "." "_" }}
          wsrep_on=1
          wsrep_provider=/usr/lib/galera/libgalera_smm.so
          wsrep_provider_options="evs.suspect_timeout=PT30S; gmcast.peer_timeout=PT15S; gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
          wsrep_slave_threads=12
          wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.sst.username }}:{{ .Values.endpoints.oslo_db.auth.sst.password }}
          wsrep_sst_method=mariabackup
          {{ if .Values.manifests.certificates }}
          # TLS
          ssl_ca=/etc/mysql/certs/ca.crt
          ssl_key=/etc/mysql/certs/tls.key
          ssl_cert=/etc/mysql/certs/tls.crt
          # tls_version = TLSv1.2,TLSv1.3
          {{ end }}
          [mysqldump]
          max-allowed-packet=16M
          [client]
          default_character_set=utf8
          protocol=tcp
          port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          {{ if .Values.manifests.certificates }}
          # TLS
          ssl_ca=/etc/mysql/certs/ca.crt
          ssl_key=/etc/mysql/certs/tls.key
          ssl_cert=/etc/mysql/certs/tls.crt
          # tls_version = TLSv1.2,TLSv1.3
          ssl-verify-server-cert=false
          {{ end }}
      # Backups: 3 days kept locally, 14 days kept remotely.
      # NOTE(review): database backups hold the full data set, so the remote
      # container needs access control at least as strict as the database
      # itself. DOMAIN looks like a placeholder that another layer is
      # expected to override - confirm.
      backup:
        enabled: true
        days_to_keep: 3
        remote_backup:
          enabled: true
          container_name: DOMAIN
          days_to_keep: 14
          storage_policy: ncbackup_pt
    monitoring:
      prometheus:
        enabled: true
    pod:
      replicas:
        error_page: 2
      # Anti-affinity is a hard scheduling requirement for all three
      # components listed here.
      affinity:
        anti:
          type:
            server: requiredDuringSchedulingIgnoredDuringExecution
            ingress: requiredDuringSchedulingIgnoredDuringExecution
            ingress-error-pages: requiredDuringSchedulingIgnoredDuringExecution
      lifecycle:
        upgrades:
          deployments:
            pod_replacement_strategy: RollingUpdate
            rolling_update:
              max_unavailable: 50%
    # Both workloads are pinned to nodes labelled
    # openstack-control-plane=enabled.
    labels:
      server:
        node_selector_key: openstack-control-plane
        node_selector_value: enabled
      prometheus_mysql_exporter:
        node_selector_key: openstack-control-plane
        node_selector_value: enabled
    jobs:
      backup_mariadb:
        # Runs at minute 0 of every sixth hour.
        cron: "0 */6 * * *"
    manifests:
      cron_job_mariadb_backup: true
      pvc_backup: true
  dependencies:
    - os-mariadb-htk
...
---
# Armada chart for os-mariadb-htk, which the openstack-mariadb chart lists
# under its dependencies. It carries no values of its own; only the chart
# source is substituted in from the software-versions document.
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: os-mariadb-htk
  layeringDefinition:
    abstract: false
    layer: global
  substitutions:
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.osh.mariadb-htk
      dest:
        path: .source
  # No passphrase is substituted into this document.
  storagePolicy: cleartext
data:
  chart_name: os-mariadb-htk
  release: os-mariadb-htk
  namespace: os-mariadb-htk
  # The timeout is given twice with the same value (600).
  # NOTE(review): the top-level key is presumably the older form of
  # wait.timeout - confirm which one the Armada version in use reads.
  timeout: 600
  wait:
    timeout: 600
  upgrade:
    no_hooks: true
  values: {}
  dependencies: []
...