From 76578d5d594cb9fe6e5c9ef0b74ec605d1305a61 Mon Sep 17 00:00:00 2001 From: Donov Dmitriy Date: Fri, 28 Jun 2024 13:34:40 +0700 Subject: [PATCH 01/10] =?UTF-8?q?WAPI-22944=20=D0=B0=D0=B2=D1=82=D0=BE?= =?UTF-8?q?=D1=80=D0=B8=D0=B7=D0=B0=D1=86=D0=B8=D1=8F=20=D0=B2=20kafka=20?= =?UTF-8?q?=D0=BF=D0=BE=20=D0=BA=D0=BB=D1=8E=D1=87=D1=83?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- charts/keys/README.md | 65 ++++++++-- charts/keys/templates/api/deployment.yaml | 38 +++++- .../keys/templates/counter/statefulset.yaml | 89 ++++++++++++++ charts/keys/templates/helpers.tpl | 101 +++++++++++++++ charts/keys/templates/secret-deploys.yaml | 28 +++++ charts/keys/values.yaml | 115 ++++++++++++++++++ 6 files changed, 425 insertions(+), 11 deletions(-) create mode 100644 charts/keys/templates/counter/statefulset.yaml diff --git a/charts/keys/README.md b/charts/keys/README.md index f27da4a4d..812e0db75 100644 --- a/charts/keys/README.md +++ b/charts/keys/README.md 
@@ -154,6 +154,48 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about | `tasker.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` | | `tasker.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` | +### Counter service settings + +| Name | Description | Value | +| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `counter.enabled` | Counter service is enabled. | `false` | +| `counter.replicas` | A replica count for the pod. | `1` | +| `counter.prometheus.scrape` | If Prometheus scrape is enabled. | `true` | +| `counter.resources.requests.cpu` | A CPU request. | `20m` | +| `counter.resources.requests.memory` | A memory request. | `32Mi` | +| `counter.resources.limits.cpu` | A CPU limit. | `1000m` | +| `counter.resources.limits.memory` | A memory limit. | `512Mi` | +| `counter.preloader.refreshTick` | If HPA is enabled for the service. | `1m` | +| `counter.updateStatusQueryTimeout` | Update status query timeout. | `1s` | +| `counter.buffer.size` | Buffer size | `1000` | +| `counter.buffer.delay` | Buffer delay | `1s` | +| `counter.kafka` | **Settings for read stat messages.** | | +| `counter.kafka.clientPrefix` | Client prefix name | `""` | +| `counter.kafka.brokers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | +| `counter.kafka.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` | +| `counter.kafka.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` | +| `counter.kafka.tls.enabled` | If tls connection to kafka is enabled. 
| `false` | +| `counter.kafka.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` | +| `counter.kafka.tls.rootCert` | Root certificate. | `""` | +| `counter.kafka.tls.cert` | Client certificate. | `""` | +| `counter.kafka.tls.key` | Client key. | `""` | +| `counter.kafka.topics.stats` | Topic to consume stat messages. | `""` | + +### Redis settings + +| Name | Description | Value | +| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | ------- | +| `counter.redis.retries` | | `5` | +| `counter.redis.minRetryBackoff` | | `100ms` | +| `counter.redis.maxRetryBackoff` | | `3s` | +| `counter.annotations` | Kubernetes [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` | +| `counter.labels` | Kubernetes [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` | +| `counter.podAnnotations` | Kubernetes [pod annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` | +| `counter.podLabels` | Kubernetes [pod labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` | +| `counter.nodeSelector` | Kubernetes [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). | `{}` | +| `counter.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` | +| `counter.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` | + ### Redis settings | Name | Description | Value | 
@@ -195,15 +237,20 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about ### Kafka settings -| Name | Description | Value | -| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `kafka.audit` | **Settings for sending audit messages.** | | -| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | -| `kafka.audit.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` | -| `kafka.audit.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` | -| `kafka.audit.topic` | Topic to produce audit messages. | `""` | -| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` | -| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` | +| Name | Description | Value | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `kafka.audit` | **Settings for sending audit messages.** | | +| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | +| `kafka.audit.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` | +| `kafka.audit.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` | +| `kafka.audit.topic` | Topic to produce audit messages. | `""` | +| `kafka.audit.tls.enabled` | If tls connection to kafka is enabled. 
| `false` | +| `kafka.audit.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` | +| `kafka.audit.tls.rootCert` | Root certificate. | `""` | +| `kafka.audit.tls.cert` | Client certificate. | `""` | +| `kafka.audit.tls.key` | Client key. | `""` | +| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` | +| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` | ### LDAP connection settings diff --git a/charts/keys/templates/api/deployment.yaml b/charts/keys/templates/api/deployment.yaml index dbd6cea00..a6c9b0665 100644 --- a/charts/keys/templates/api/deployment.yaml +++ b/charts/keys/templates/api/deployment.yaml @@ -37,6 +37,25 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.counter.kafka.tls.enabled }} + initContainers: + - name: copy-kafka-audit-certs + image: '{{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: {{ .Values.imagePullPolicy }} + resources: + {{- toYaml .Values.api.resources | nindent 12 }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /etc/2gis/secret/kafka-audit/ + chmod 600 /etc/2gis/secret/kafka-audit/client.key + volumeMounts: + - name: {{ include "keys.name-kafka-audit-raw" . | quote }} + mountPath: /tmp/certs + - name: {{ include "keys.name-kafka-audit" . | quote }} + mountPath: /etc/2gis/secret/kafka-audit + {{- end }} containers: - name: keys-api image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }} 
@@ -61,13 +80,28 @@ spec: {{- if .Values.customCAs.bundle }} {{- include "keys.env.custom.ca.path" . | nindent 12 }} {{- end }} - {{- if .Values.customCAs.bundle }} + {{- if or .Values.customCAs.bundle .Values.kafka.audit.tls.enabled }} volumeMounts: + {{- if .Values.customCAs.bundle }} {{- include "keys.custom.ca.volumeMounts" . | nindent 12 }} + {{- end }} + {{- if .Values.kafka.audit.tls.enabled }} + - name: {{ printf "%s-kafka-audit" (include "keys.name" .) | quote }} + mountPath: /etc/2gis/secret/kafka-audit + {{- end }} {{- end }} - {{- if .Values.customCAs.bundle }} + {{- if or .Values.customCAs.bundle .Values.kafka.audit.tls.enabled }} volumes: + {{- if .Values.customCAs.bundle }} {{- include "keys.custom.ca.deploys.volumes" . | nindent 8 }} + {{- end }} + {{- if .Values.kafka.audit.tls.enabled }} + - name: {{ include "keys.name-kafka-audit-raw" . | quote }} + secret: + secretName: {{ include "keys.name-kafka-audit" . | quote }} + - name: {{ include "keys.name-kafka-audit" . | quote }} + emptyDir: {} + {{- end }} {{- end }} {{- with .Values.api.nodeSelector }} nodeSelector: diff --git a/charts/keys/templates/counter/statefulset.yaml b/charts/keys/templates/counter/statefulset.yaml new file mode 100644 index 000000000..b949b8836 --- /dev/null +++ b/charts/keys/templates/counter/statefulset.yaml 
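Review bot: The new `copy-kafka-audit-certs` initContainer is gated on `.Values.counter.kafka.tls.enabled`, but the two volumes it mounts (`keys.name-kafka-audit-raw` and `keys.name-kafka-audit`) are only declared under `.Values.kafka.audit.tls.enabled` in the next hunk, so enabling one flag without the other either leaves the keys-api container with an empty `/etc/2gis/secret/kafka-audit` or produces a pod spec that references undefined volumes. The gate should read `{{- if .Values.kafka.audit.tls.enabled }}`. The same copy-paste gate appears in the helpers.tpl hunk `@@ -309,6 +398,18 @@`, where the `KEYS_KAFKA_AUDIT_TLS_*` paths are emitted under `.Values.counter.kafka.tls.enabled`, so the audit producer can get `KEYS_KAFKA_AUDIT_TLS_ENABLED=true` without any certificate paths. The initContainer also resolves the image tag with `| default .Chart.AppVersion` while the keys-api container on the following line uses the bare tag, so the two containers can run different images.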
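Review bot: The keys-api volumeMount name is built inline with `printf "%s-kafka-audit" (include "keys.name" .)` while the initContainer and the `volumes:` entries use the `keys.name-kafka-audit` helper this patch defines; `{{ include "keys.name-kafka-audit" . | quote }}` here keeps the mount and the volume from drifting apart (the counter statefulset has the same inline `printf "%s-kafka"` for its mount). The copied private key ends up in `emptyDir: {}`, which is backed by the node's disk by default; `emptyDir: { medium: Memory }` keeps the key material off the node filesystem at no cost for files this small, and the same applies to the statefulset hunk.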
@@ -0,0 +1,89 @@ +{{- if .Values.counter.enabled }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "keys.counter.name" . }} + labels: + {{- include "keys.counter.labels" . | nindent 4 }} + {{- with .Values.counter.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "keys.counter.name" . }} + replicas: {{ .Values.counter.replicas }} + selector: + matchLabels: + {{- include "keys.counter.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + prometheus.io/path: "/metrics" + prometheus.io/port: "8090" + prometheus.io/scrape: "{{ .Values.counter.prometheus.scrape }}" + labels: + {{- include "keys.counter.selectorLabels" . | nindent 8 }} + spec: + {{- if .Values.counter.kafka.tls.enabled }} + initContainers: + - name: copy-counter-kafka-certs + image: '{{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: {{ .Values.imagePullPolicy }} + resources: + {{- toYaml .Values.counter.resources | nindent 12 }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /etc/2gis/secret/kafka-counter/ + chmod 600 /etc/2gis/secret/kafka-counter/client.key + volumeMounts: + - name: {{ include "keys.counter.name-kafka-raw" . | quote }} + mountPath: /tmp/certs + - name: {{ include "keys.counter.name-kafka" . | quote }} + mountPath: /etc/2gis/secret/kafka-counter + {{- end }} + containers: + - name: counter + image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "keys-counter" ] + ports: + - name: http + containerPort: 8090 + resources: + {{- toYaml .Values.counter.resources | nindent 12 }} + env: + {{- include "keys.env.db.deploys" . 
| nindent 12 }} + {{- include "keys.env.redis" . | nindent 12 }} + {{- include "keys.env.counter" . | nindent 12 }} + {{- if .Values.counter.kafka.tls.enabled }} + volumeMounts: + - name: {{ printf "%s-kafka" (include "keys.counter.name" .) | quote }} + mountPath: /etc/2gis/secret/kafka-counter + {{- end }} + {{- if .Values.counter.kafka.tls.enabled }} + volumes: + - name: {{ include "keys.counter.name-kafka-raw" . | quote }} + secret: + secretName: {{ include "keys.counter.name-kafka" . | quote }} + - name: {{ include "keys.counter.name-kafka" . | quote }} + emptyDir: {} + {{- end }} + {{- with .Values.counter.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.counter.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.counter.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/keys/templates/helpers.tpl b/charts/keys/templates/helpers.tpl index 97c148dff..a9eca10c6 100644 --- a/charts/keys/templates/helpers.tpl +++ b/charts/keys/templates/helpers.tpl @@ -10,6 +10,10 @@ {{ include "keys.name" . }}-tasker {{- end }} +{{- define "keys.counter.name" -}} +{{ include "keys.name" . }}-counter +{{- end }} + {{- define "keys.migrate.name" -}} {{ include "keys.name" . }}-migrate {{- end }} 
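Review bot: `counter.podAnnotations` and `counter.podLabels` are declared and documented in values.yaml by this patch, but the pod template here renders only `keys.counter.selectorLabels` and hard-coded prometheus annotations, so both values are silently ignored; they should be rendered under the template `metadata:` with `{{- with .Values.counter.podAnnotations }}` / `{{- toYaml . | nindent 8 }}` blocks (the api deployment hunk appears to do this for its own pod fields, though its `with` target is outside the visible lines). The initContainer runs `chmod 600` on `client.key`, which leaves the key readable only by the UID that performed the copy; no `securityContext` is set anywhere in this template, so the `counter` container must happen to run as that same user, presumably the image default — worth pinning with a pod-level `securityContext`, or avoiding the copy altogether by mounting the Secret directly with a restrictive `defaultMode` if that satisfies whatever requires the 0600 mode. `prometheus.io/port: "8090"` duplicates `containerPort: 8090` below; deriving both from one value avoids the two drifting apart.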
@@ -34,6 +38,39 @@ {{ include "keys.name" . }}-jobs {{- end }} +{{- /* +Name for kafka counter intermediate volume for copy secrets +*/ -}} + +{{- define "keys.counter.name-kafka-raw" -}} +{{- printf "%s-kafka-raw" (include "keys.counter.name" .) -}} +{{- end }} + +{{- /* +Name for kafka counter secret and volume +*/ -}} + +{{- define "keys.counter.name-kafka" -}} +{{- printf "%s-kafka" (include "keys.counter.name" .) -}} +{{- end }} + +{{- /* +Name for kafka audit intermediate volume for copy secrets +*/ -}} + +{{- define "keys.name-kafka-audit-raw" -}} +{{- printf "%s-kafka-audit-raw" (include "keys.name" .) -}} +{{- end }} + +{{- /* +Name for kafka audit secret and volume +*/ -}} + +{{- define "keys.name-kafka-audit" -}} +{{- printf "%s-kafka-audit" (include "keys.name" .) -}} +{{- end }} + + {{- define "keys.selectorLabels" -}} app.kubernetes.io/name: {{ .Chart.Name }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -80,6 +117,16 @@ app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} +{{- define "keys.counter.selectorLabels" -}} +app.kubernetes.io/name: {{ .Chart.Name }}-counter +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{- define "keys.counter.labels" -}} +{{ include "keys.counter.selectorLabels" . }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} + {{- define "keys.import.labels" -}} app.kubernetes.io/name: {{ .Chart.Name }}-import app.kubernetes.io/instance: {{ .Release.Name }} 
@@ -266,6 +313,48 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} value: "{{ .Values.admin.badge.backgroundColor }}" {{- end }} +{{- define "keys.env.counter" -}} +- name: KEYS_COUNTER_BUFFER_SIZE + value: "{{ .Values.counter.buffer.size }}" +- name: KEYS_COUNTER_BUFFER_DELAY + value: "{{ .Values.counter.buffer.delay }}" +- name: KEYS_COUNTER_PRELOADER_REFRESH_TICK + value: "{{ .Values.counter.preloader.refreshTick }}" +- name: KEYS_COUNTER_UPDATE_STATUS_QUERY_TIMEOUT + value: "{{ .Values.counter.updateStatusQueryTimeout }}" +- name: KEYS_KAFKA_MAIN_BROKERS + value: "{{ .Values.counter.kafka.brokers }}" +- name: KEYS_KAFKA_MAIN_CLIENT_PREFIX + value: "{{ .Values.counter.kafka.clientPrefix }}" +- name: KEYS_KAFKA_MAIN_STATS_TOPIC + value: "{{ .Values.counter.kafka.topics.stats }}" +- name: KEYS_KAFKA_MAIN_USERNAME + value: "{{ .Values.counter.kafka.username }}" +- name: KEYS_KAFKA_MAIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "keys.secret.deploys.name" . }} + key: kafkaPassword +- name: KEYS_REDIS_RETRIES + value: "{{ .Values.counter.redis.retries }}" +- name: KEYS_REDIS_MIN_RETRY_BACKOFF + value: "{{ .Values.counter.redis.minRetryBackoff }}" +- name: KEYS_REDIS_MAX_RETRY_BACKOFF + value: "{{ .Values.counter.redis.maxRetryBackoff }}" +- name: KEYS_KAFKA_MAIN_TLS_ENABLED + value: "{{ .Values.counter.kafka.tls.enabled }}" +{{- if .Values.counter.kafka.tls.enabled }} +- name: KEYS_KAFKA_MAIN_TLS_SKIP_SERVER_CERTIFICATE_VERIFY + value: "{{ .Values.counter.kafka.tls.skipServerCertificateVerify }}" +- name: KEYS_KAFKA_MAIN_TLS_CLIENT_CERTIFICATE_PATH + value: "/etc/2gis/secret/kafka-counter/client.crt" +- name: KEYS_KAFKA_MAIN_TLS_CLIENT_KEY_PATH + value: "/etc/2gis/secret/kafka-counter/client.key" +- name: KEYS_KAFKA_MAIN_TLS_CA_CERT_PATH + value: "/etc/2gis/secret/kafka-counter/ca.crt" +{{- end }} +{{- end }} + {{- define "keys.env.predef" -}} {{ range $service, $key := .Values.predefined.service.keys }} - name: KEYS_PREDEF_SERVICE_KEY_{{ 
$service | upper }} @@ -309,6 +398,18 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} value: "{{ .Values.kafka.audit.username }}" - name: KEYS_KAFKA_AUDIT_PASSWORD value: "{{ .Values.kafka.audit.password }}" +- name: KEYS_KAFKA_AUDIT_TLS_ENABLED + value: "{{ .Values.kafka.audit.tls.enabled }}" +{{- if .Values.counter.kafka.tls.enabled }} +- name: KEYS_KAFKA_AUDIT_TLS_SKIP_SERVER_CERTIFICATE_VERIFY + value: "{{ .Values.kafka.audit.tls.skipServerCertificateVerify }}" +- name: KEYS_KAFKA_AUDIT_TLS_CLIENT_CERTIFICATE_PATH + value: "/etc/2gis/secret/kafka-audit/client.crt" +- name: KEYS_KAFKA_AUDIT_TLS_CLIENT_KEY_PATH + value: "/etc/2gis/secret/kafka-audit/client.key" +- name: KEYS_KAFKA_AUDIT_TLS_CA_CERT_PATH + value: "/etc/2gis/secret/kafka-audit/ca.crt" +{{- end }} - name: KEYS_KAFKA_AUDIT_TOPIC value: "{{ .Values.kafka.audit.topic }}" - name: KEYS_KAFKA_AUDIT_PRODUCE_RETRY_COUNT diff --git a/charts/keys/templates/secret-deploys.yaml b/charts/keys/templates/secret-deploys.yaml index 03176dfa3..954403153 100644 --- a/charts/keys/templates/secret-deploys.yaml +++ b/charts/keys/templates/secret-deploys.yaml 
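Review bot: `KEYS_KAFKA_MAIN_PASSWORD` is read via `secretKeyRef` from key `kafkaPassword` of the `keys.secret.deploys.name` Secret, but the secret-deploys.yaml hunk in this patch adds no such key (only `redisPassword` is visible there; the file's first 17 lines are outside the hunk), so unless that key already exists the counter pod fails to start with a missing-secret-key error. Add `kafkaPassword: {{ .Values.counter.kafka.password | b64enc }}` under `data:` in secret-deploys.yaml, guarded by `{{- if .Values.counter.kafka.password }}` like `redisPassword`. For consistency, the audit producer's `KEYS_KAFKA_AUDIT_PASSWORD` (a context line in the next hunk) still passes `.Values.kafka.audit.password` as a plain `value:`; routing it through the same Secret would keep that credential out of the rendered pod spec as well.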
@@ -18,3 +18,31 @@ data: {{- if .Values.redis.password }} redisPassword: {{ .Values.redis.password | b64enc }} {{- end }} +{{- if .Values.counter.kafka.tls.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "keys.counter.name-kafka" . | quote }} + labels: + {{- include "keys.counter.labels" . | nindent 4 }} +type: Opaque +data: + client.crt: {{ required "A valid counter.kafka.tls.cert entry required" .Values.counter.kafka.tls.cert | b64enc | quote }} + client.key: {{ required "A valid counter.kafka.tls.key entry required" .Values.counter.kafka.tls.key | b64enc | quote }} + ca.crt: {{ required "A valid counter.kafka.tls.rootCert entry required" .Values.counter.kafka.tls.rootCert | b64enc | quote }} +{{- end }} +{{- if .Values.kafka.audit.tls.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "keys.name-kafka-audit" . | quote }} + labels: + {{- include "keys.labels" . | nindent 4 }} +type: Opaque +data: + client.crt: {{ required "A valid kafka.audit.tls.cert entry required" .Values.kafka.audit.tls.cert | b64enc | quote }} + client.key: {{ required "A valid kafka.audit.tls.key entry required" .Values.kafka.audit.tls.key | b64enc | quote }} + ca.crt: {{ required "A valid kafka.audit.tls.rootCert entry required" .Values.kafka.audit.tls.rootCert | b64enc | quote }} +{{- end }} diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml index 889e84e5d..8992ec352 100644 --- a/charts/keys/values.yaml +++ b/charts/keys/values.yaml 
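Review bot: Both new Secrets take their PEM material, including the client private key (`counter.kafka.tls.key`, `kafka.audit.tls.key`), directly from chart values, which means the key is also persisted in the Helm release record and shown by `helm get values`; consider accepting the name of a pre-created Secret (for example an `existingSecret`-style value — constructed name) as an alternative to inline PEM, as is common for chart-managed credentials. `ca.crt` is `required` even when `skipServerCertificateVerify` is true, so an operator who has disabled verification must still supply `rootCert`; that is a reasonable constraint, but the `@param` description for `rootCert` should say so rather than leaving the `required` error to explain it.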
@@ -330,6 +330,110 @@ tasker: tolerations: {} +# @section Counter service settings + +counter: + + # @param counter.enabled Counter service is enabled. + + enabled: false + + # @param counter.replicas A replica count for the pod. + + replicas: 1 + + # @param counter.prometheus.scrape If Prometheus scrape is enabled. + + prometheus: + scrape: true + + # @param counter.resources.requests.cpu A CPU request. + # @param counter.resources.requests.memory A memory request. + # @param counter.resources.limits.cpu A CPU limit. + # @param counter.resources.limits.memory A memory limit. + + resources: + requests: + cpu: 20m + memory: 32Mi + limits: + cpu: 1000m + memory: 512Mi + + # @param counter.preloader.refreshTick If HPA is enabled for the service. + + preloader: + refreshTick: 1m + + # @param counter.updateStatusQueryTimeout Update status query timeout. + + updateStatusQueryTimeout: 1s + + # @param counter.buffer.size Buffer size + # @param counter.buffer.delay Buffer delay + + buffer: + size: 1000 + delay: 1s + + # @extra counter.kafka **Settings for read stat messages.** + + # @param counter.kafka.clientPrefix Client prefix name + # @param counter.kafka.brokers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). + # @param counter.kafka.username Username for authorization (SASL/PLAINTEXT SHA-512). + # @param counter.kafka.password Password for authorization (SASL/PLAINTEXT SHA-512). + # @param counter.kafka.tls.enabled If tls connection to kafka is enabled. + # @param counter.kafka.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name + # @param counter.kafka.tls.rootCert Root certificate. + # @param counter.kafka.tls.cert Client certificate. + # @param counter.kafka.tls.key Client key. + # @param counter.kafka.topics.stats Topic to consume stat messages. 
+ + kafka: + clientPrefix: '' + brokers: '' + username: '' + password: '' + tls: + enabled: false + skipServerCertificateVerify: false + rootCert: '' + cert: '' + key: '' + topics: + stats: '' + + # @section Redis settings + + # @param counter.redis.retries + # @param counter.redis.minRetryBackoff + # @param counter.redis.maxRetryBackoff + + redis: + retries: 5 + minRetryBackoff: 100ms + maxRetryBackoff: 3s + + # @param counter.annotations Kubernetes [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). + # @param counter.labels Kubernetes [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). + + annotations: {} + labels: {} + + # @param counter.podAnnotations Kubernetes [pod annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). + # @param counter.podLabels Kubernetes [pod labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). + + podAnnotations: {} + podLabels: {} + + # @param counter.nodeSelector Kubernetes [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). + # @param counter.affinity Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + # @param counter.tolerations Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. + + nodeSelector: {} + affinity: {} + tolerations: {} + # @section Redis settings redis: 
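Review bot: The `# @section Redis settings` line inside the `counter:` block starts a new README section, which is why the README hunk in this patch gets a second `### Redis settings` heading that lists `counter.redis.*` with empty description cells followed by `counter.annotations` through `counter.tolerations`. Use an in-table group instead, `# @extra counter.redis **Redis retry settings.**`, and give the three parameters descriptions, e.g. `# @param counter.redis.retries Maximum number of retries for a failed Redis command.` (presumably; confirm against the backend). The `skipServerCertificateVerify` description does not state the polarity or the consequence; suggested wording: `# @param counter.kafka.tls.skipServerCertificateVerify If true, the broker's certificate chain and host name are not verified (the connection is encrypted but the broker is not authenticated); keep false outside test environments.` The same wording applies to `kafka.audit.tls.skipServerCertificateVerify` in the next hunk.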
@@ -437,6 +541,11 @@ kafka: # @param kafka.audit.username Username for authorization (SASL/PLAINTEXT SHA-512). # @param kafka.audit.password Password for authorization (SASL/PLAINTEXT SHA-512). # @param kafka.audit.topic Topic to produce audit messages. + # @param kafka.audit.tls.enabled If tls connection to kafka is enabled. + # @param kafka.audit.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name + # @param kafka.audit.tls.rootCert Root certificate. + # @param kafka.audit.tls.cert Client certificate. + # @param kafka.audit.tls.key Client key. # @param kafka.audit.produce.retryCount Number of retries to produce a message. # @param kafka.audit.produce.idempotentWrite Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). @@ -445,6 +554,12 @@ kafka: username: '' password: '' topic: '' + tls: + enabled: false + skipServerCertificateVerify: false + rootCert: '' + cert: '' + key: '' produce: retryCount: 5 idempotentWrite: true From 183fd88e990c24c864a9636296f8cb868c0ee41c Mon Sep 17 00:00:00 2001 From: Donov Dmitriy Date: Tue, 23 Jul 2024 16:48:12 +0700 Subject: [PATCH 02/10] =?UTF-8?q?WAPI-22944=20=D0=B0=D0=B2=D1=82=D0=BE?= =?UTF-8?q?=D1=80=D0=B8=D0=B7=D0=B0=D1=86=D0=B8=D1=8F=20=D0=B2=20kafka=20?= =?UTF-8?q?=D0=BF=D0=BE=20=D0=BA=D0=BB=D1=8E=D1=87=D1=83?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- charts/keys/README.md | 21 +++++++++--------- .../keys/templates/counter/statefulset.yaml | 4 ---- charts/keys/values.yaml | 22 ++++++++++--------- 3 files changed, 23 insertions(+), 24 deletions(-) diff --git a/charts/keys/README.md b/charts/keys/README.md index 812e0db75..9db821543 100644 --- a/charts/keys/README.md +++ b/charts/keys/README.md 
@@ -154,26 +154,27 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about | `tasker.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` | | `tasker.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` | -### Counter service settings +### Counter worker settings | Name | Description | Value | | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `counter.enabled` | Counter service is enabled. | `false` | +| `counter.enabled` | Counter worker is enabled. | `false` | | `counter.replicas` | A replica count for the pod. | `1` | | `counter.prometheus.scrape` | If Prometheus scrape is enabled. | `true` | | `counter.resources.requests.cpu` | A CPU request. | `20m` | | `counter.resources.requests.memory` | A memory request. | `32Mi` | | `counter.resources.limits.cpu` | A CPU limit. | `1000m` | | `counter.resources.limits.memory` | A memory limit. | `512Mi` | -| `counter.preloader.refreshTick` | If HPA is enabled for the service. | `1m` | -| `counter.updateStatusQueryTimeout` | Update status query timeout. | `1s` | -| `counter.buffer.size` | Buffer size | `1000` | -| `counter.buffer.delay` | Buffer delay | `1s` | +| `counter.preloader.refreshTick` | Preloader refresh tick. | `1m` | +| `counter.updateStatusQueryTimeout` | Timeout for database queries to update key status. | `1s` | +| `counter.buffer` | **Settings for in-memory buffer for statistics data.** | | +| `counter.buffer.size` | The maximum size of the buffer. When the limit is reached, the data from the buffer is transferred to Redis. | `1000` | +| `counter.buffer.delay` | The maximum interval between data transfer operations from the buffer to Redis. 
| `1s` | | `counter.kafka` | **Settings for read stat messages.** | | | `counter.kafka.clientPrefix` | Client prefix name | `""` | | `counter.kafka.brokers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | -| `counter.kafka.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` | -| `counter.kafka.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` | +| `counter.kafka.username` | Username for authorization (SASL/SCRAM SHA-512). | `""` | +| `counter.kafka.password` | Password for authorization (SASL/SCRAM SHA-512). | `""` | | `counter.kafka.tls.enabled` | If tls connection to kafka is enabled. | `false` | | `counter.kafka.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` | | `counter.kafka.tls.rootCert` | Root certificate. | `""` | 
@@ -241,8 +242,8 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about | --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | | `kafka.audit` | **Settings for sending audit messages.** | | | `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | -| `kafka.audit.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` | -| `kafka.audit.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` | +| `kafka.audit.username` | Username for authorization (SASL/SCRAM SHA-512). | `""` | +| `kafka.audit.password` | Password for authorization (SASL/SCRAM SHA-512). | `""` | | `kafka.audit.topic` | Topic to produce audit messages. | `""` | | `kafka.audit.tls.enabled` | If tls connection to kafka is enabled. | `false` | | `kafka.audit.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` | diff --git a/charts/keys/templates/counter/statefulset.yaml b/charts/keys/templates/counter/statefulset.yaml index b949b8836..b65336e98 100644 --- a/charts/keys/templates/counter/statefulset.yaml +++ b/charts/keys/templates/counter/statefulset.yaml @@ -17,10 +17,6 @@ spec: {{- include "keys.counter.selectorLabels" . | nindent 6 }} template: metadata: - annotations: - prometheus.io/path: "/metrics" - prometheus.io/port: "8090" - prometheus.io/scrape: "{{ .Values.counter.prometheus.scrape }}" labels: {{- include "keys.counter.selectorLabels" . | nindent 8 }} spec: diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml index 8992ec352..65b7af8a8 100644 --- a/charts/keys/values.yaml +++ b/charts/keys/values.yaml 
@@ -330,11 +330,11 @@ tasker: tolerations: {} -# @section Counter service settings +# @section Counter worker settings counter: - # @param counter.enabled Counter service is enabled. + # @param counter.enabled Counter worker is enabled. enabled: false @@ -360,17 +360,19 @@ counter: cpu: 1000m memory: 512Mi - # @param counter.preloader.refreshTick If HPA is enabled for the service. + # @param counter.preloader.refreshTick Preloader refresh tick. preloader: refreshTick: 1m - # @param counter.updateStatusQueryTimeout Update status query timeout. + # @param counter.updateStatusQueryTimeout Timeout for database queries to update key status. updateStatusQueryTimeout: 1s - # @param counter.buffer.size Buffer size - # @param counter.buffer.delay Buffer delay + # @extra counter.buffer **Settings for in-memory buffer for statistics data.** + + # @param counter.buffer.size The maximum size of the buffer. When the limit is reached, the data from the buffer is transferred to Redis. + # @param counter.buffer.delay The maximum interval between data transfer operations from the buffer to Redis. buffer: size: 1000 @@ -380,8 +382,8 @@ counter: # @param counter.kafka.clientPrefix Client prefix name # @param counter.kafka.brokers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). - # @param counter.kafka.username Username for authorization (SASL/PLAINTEXT SHA-512). - # @param counter.kafka.password Password for authorization (SASL/PLAINTEXT SHA-512). + # @param counter.kafka.username Username for authorization (SASL/SCRAM SHA-512). + # @param counter.kafka.password Password for authorization (SASL/SCRAM SHA-512). # @param counter.kafka.tls.enabled If tls connection to kafka is enabled. # @param counter.kafka.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name # @param counter.kafka.tls.rootCert Root certificate. 
@@ -538,8 +540,8 @@ kafka: # @extra kafka.audit **Settings for sending audit messages.** # @param kafka.audit.bootstrapServers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). - # @param kafka.audit.username Username for authorization (SASL/PLAINTEXT SHA-512). - # @param kafka.audit.password Password for authorization (SASL/PLAINTEXT SHA-512). + # @param kafka.audit.username Username for authorization (SASL/SCRAM SHA-512). + # @param kafka.audit.password Password for authorization (SASL/SCRAM SHA-512). # @param kafka.audit.topic Topic to produce audit messages. # @param kafka.audit.tls.enabled If tls connection to kafka is enabled. # @param kafka.audit.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name From 2d303167334d93f9184c001a1194b5cf3e50b424 Mon Sep 17 00:00:00 2001 From: Donov Dmitriy Date: Mon, 29 Jul 2024 14:10:33 +0700 Subject: [PATCH 03/10] =?UTF-8?q?WAPI-22944=20=D0=BF=D1=80=D0=B0=D0=B2?= =?UTF-8?q?=D0=BA=D0=B8=20=D0=BF=D0=BE=D1=81=D0=BB=D0=B5=20=D1=80=D0=B5?= =?UTF-8?q?=D0=B2=D1=8C=D1=8E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- charts/keys/README.md | 80 ++++++++++--------- charts/keys/templates/api/deployment.yaml | 10 +-- .../keys/templates/counter/statefulset.yaml | 26 +++--- charts/keys/templates/helpers.tpl | 44 +++++----- charts/keys/templates/secret-deploys.yaml | 14 ++-- charts/keys/templates/secret-kafka-audit.yaml | 13 +++ charts/keys/templates/secret-kafka-main.yaml | 13 +++ charts/keys/values.yaml | 68 ++++++++-------- 8 files changed, 152 insertions(+), 116 deletions(-) create mode 100644 charts/keys/templates/secret-kafka-audit.yaml create mode 100644 charts/keys/templates/secret-kafka-main.yaml diff --git a/charts/keys/README.md b/charts/keys/README.md index 9db821543..bb4ab4dc4 100644 --- a/charts/keys/README.md +++ b/charts/keys/README.md 
@@ -156,31 +156,20 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about ### Counter worker settings -| Name | Description | Value | -| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `counter.enabled` | Counter worker is enabled. | `false` | -| `counter.replicas` | A replica count for the pod. | `1` | -| `counter.prometheus.scrape` | If Prometheus scrape is enabled. | `true` | -| `counter.resources.requests.cpu` | A CPU request. | `20m` | -| `counter.resources.requests.memory` | A memory request. | `32Mi` | -| `counter.resources.limits.cpu` | A CPU limit. | `1000m` | -| `counter.resources.limits.memory` | A memory limit. | `512Mi` | -| `counter.preloader.refreshTick` | Preloader refresh tick. | `1m` | -| `counter.updateStatusQueryTimeout` | Timeout for database queries to update key status. | `1s` | -| `counter.buffer` | **Settings for in-memory buffer for statistics data.** | | -| `counter.buffer.size` | The maximum size of the buffer. When the limit is reached, the data from the buffer is transferred to Redis. | `1000` | -| `counter.buffer.delay` | The maximum interval between data transfer operations from the buffer to Redis. | `1s` | -| `counter.kafka` | **Settings for read stat messages.** | | -| `counter.kafka.clientPrefix` | Client prefix name | `""` | -| `counter.kafka.brokers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | -| `counter.kafka.username` | Username for authorization (SASL/SCRAM SHA-512). | `""` | -| `counter.kafka.password` | Password for authorization (SASL/SCRAM SHA-512). | `""` | -| `counter.kafka.tls.enabled` | If tls connection to kafka is enabled. 
| `false` | -| `counter.kafka.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` | -| `counter.kafka.tls.rootCert` | Root certificate. | `""` | -| `counter.kafka.tls.cert` | Client certificate. | `""` | -| `counter.kafka.tls.key` | Client key. | `""` | -| `counter.kafka.topics.stats` | Topic to consume stat messages. | `""` | +| Name | Description | Value | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------- | +| `counter.enabled` | Counter worker is enabled. | `false` | +| `counter.replicas` | A replica count for the pod. | `1` | +| `counter.prometheus.scrape` | If Prometheus scrape is enabled. | `true` | +| `counter.resources.requests.cpu` | A CPU request. | `20m` | +| `counter.resources.requests.memory` | A memory request. | `32Mi` | +| `counter.resources.limits.cpu` | A CPU limit. | `1000m` | +| `counter.resources.limits.memory` | A memory limit. | `512Mi` | +| `counter.preloader.refreshTick` | Refresh interval for in-memory cache with keys info. | `1m` | +| `counter.updateStatusQueryTimeout` | Timeout for database queries to update key status. | `1s` | +| `counter.buffer` | **Settings for in-memory buffer for statistics data.** | | +| `counter.buffer.size` | The maximum size of the buffer. When the limit is reached, the data from the buffer is transferred to Redis. | `1000` | +| `counter.buffer.delay` | The maximum interval between data transfer operations from the buffer to Redis. | `1s` | ### Redis settings 
@@ -238,20 +227,33 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about ### Kafka settings -| Name | Description | Value | -| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `kafka.audit` | **Settings for sending audit messages.** | | -| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | -| `kafka.audit.username` | Username for authorization (SASL/SCRAM SHA-512). | `""` | -| `kafka.audit.password` | Password for authorization (SASL/SCRAM SHA-512). | `""` | -| `kafka.audit.topic` | Topic to produce audit messages. | `""` | -| `kafka.audit.tls.enabled` | If tls connection to kafka is enabled. | `false` | -| `kafka.audit.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` | -| `kafka.audit.tls.rootCert` | Root certificate. | `""` | -| `kafka.audit.tls.cert` | Client certificate. | `""` | -| `kafka.audit.tls.key` | Client key. | `""` | -| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` | -| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). 
| `true` | +| Name | Description | Value | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `kafka.main` | **Settings for read stat messages.** | | +| `kafka.main.clientPrefix` | Client prefix name | `""` | +| `kafka.main.brokers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | +| `kafka.main.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` | +| `kafka.main.SASLMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` | +| `kafka.main.username` | Username for authorization (SASL). | `""` | +| `kafka.main.password` | Password for authorization (SASL). | `""` | +| `kafka.main.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` | +| `kafka.main.tls.rootCert` | Root certificate. | `""` | +| `kafka.main.tls.cert` | Client certificate. | `""` | +| `kafka.main.tls.key` | Client key. | `""` | +| `kafka.main.topics.stats` | Topic to consume stat messages. | `""` | +| `kafka.audit` | **Settings for sending audit messages.** | | +| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | +| `kafka.audit.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` | +| `kafka.audit.SASLMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. 
Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` | +| `kafka.audit.username` | Username for authorization (SASL). | `""` | +| `kafka.audit.password` | Password for authorization (SASL). | `""` | +| `kafka.audit.topic` | Topic to produce audit messages. | `""` | +| `kafka.audit.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` | +| `kafka.audit.tls.rootCert` | Root certificate. | `""` | +| `kafka.audit.tls.cert` | Client certificate. | `""` | +| `kafka.audit.tls.key` | Client key. | `""` | +| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` | +| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` | ### LDAP connection settings diff --git a/charts/keys/templates/api/deployment.yaml b/charts/keys/templates/api/deployment.yaml index a6c9b0665..5510f1cb8 100644 --- a/charts/keys/templates/api/deployment.yaml +++ b/charts/keys/templates/api/deployment.yaml @@ -37,7 +37,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- if .Values.counter.kafka.tls.enabled }} + {{- if or (eq .Values.kafka.main.securityProtocol "SSL") (eq .Values.kafka.main.securityProtocol "SASL_SSL") }} initContainers: - name: copy-kafka-audit-certs image: '{{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}' 
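Review bot: The initContainers guard in api/deployment.yaml now tests `kafka.main.securityProtocol`, yet the init container it gates is `copy-kafka-audit-certs`, and the volumeMounts and volumes it depends on later in the same file are gated on `kafka.audit.securityProtocol`. With only audit on SSL/SASL_SSL the certs are never copied into the emptyDir and the API starts with the audit TLS paths pointing at empty files; with only main on TLS the init container is rendered against volumes that do not exist and the pod is rejected by the API server. The line should be `{{- if or (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }}`; the pre-patch line had the same mismatch (`counter.kafka.tls.enabled`), so this is carried over rather than introduced here. The init container definition continues past the end of the hunk.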
@@ -80,22 +80,22 @@ spec: {{- if .Values.customCAs.bundle }} {{- include "keys.env.custom.ca.path" . | nindent 12 }} {{- end }} - {{- if or .Values.customCAs.bundle .Values.kafka.audit.tls.enabled }} + {{- if or (.Values.customCAs.bundle) (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }} volumeMounts: {{- if .Values.customCAs.bundle }} {{- include "keys.custom.ca.volumeMounts" . | nindent 12 }} {{- end }} - {{- if .Values.kafka.audit.tls.enabled }} + {{- if or (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }} - name: {{ printf "%s-kafka-audit" (include "keys.name" .) | quote }} mountPath: /etc/2gis/secret/kafka-audit {{- end }} {{- end }} - {{- if or .Values.customCAs.bundle .Values.kafka.audit.tls.enabled }} + {{- if or (.Values.customCAs.bundle) (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }} volumes: {{- if .Values.customCAs.bundle }} {{- include "keys.custom.ca.deploys.volumes" . | nindent 8 }} {{- end }} - {{- if .Values.kafka.audit.tls.enabled }} + {{- if or (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }} - name: {{ include "keys.name-kafka-audit-raw" . | quote }} secret: secretName: {{ include "keys.name-kafka-audit" . | quote }} diff --git a/charts/keys/templates/counter/statefulset.yaml b/charts/keys/templates/counter/statefulset.yaml index b65336e98..c8863356f 100644 --- a/charts/keys/templates/counter/statefulset.yaml +++ b/charts/keys/templates/counter/statefulset.yaml 
@@ -20,9 +20,9 @@ spec: labels: {{- include "keys.counter.selectorLabels" . | nindent 8 }} spec: - {{- if .Values.counter.kafka.tls.enabled }} + {{- if or (eq .Values.kafka.main.securityProtocol "SSL") (eq .Values.kafka.main.securityProtocol "SASL_SSL") }} initContainers: - - name: copy-counter-kafka-certs + - name: copy-kafka-main-certs image: '{{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}' imagePullPolicy: {{ .Values.imagePullPolicy }} resources: @@ -31,13 +31,13 @@ spec: - /bin/sh - -ec - | - cp /tmp/certs/* /etc/2gis/secret/kafka-counter/ - chmod 600 /etc/2gis/secret/kafka-counter/client.key + cp /tmp/certs/* /etc/2gis/secret/kafka-main/ + chmod 600 /etc/2gis/secret/kafka-main/client.key volumeMounts: - - name: {{ include "keys.counter.name-kafka-raw" . | quote }} + - name: {{ include "keys.name-kafka-main-raw" . | quote }} mountPath: /tmp/certs - - name: {{ include "keys.counter.name-kafka" . | quote }} - mountPath: /etc/2gis/secret/kafka-counter + - name: {{ include "keys.name-kafka-main" . | quote }} + mountPath: /etc/2gis/secret/kafka-main {{- end }} containers: - name: counter 
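Review bot: The init container exists only to copy the Secret into an emptyDir and `chmod 600` the client key; a Secret volume can set file modes directly (`secret: { secretName: ..., defaultMode: 0400 }`), which would remove the copy step, the second volume and the `/tmp/certs` mount altogether. If the copy is kept, `chmod 600` leaves `client.key` readable only by the UID the init container runs as, so unless the `counter` container runs as the same UID (its securityContext is not visible here) it will fail to open the key. Either approach should be accompanied by a one-line comment above `initContainers:` saying why the certs are staged, e.g. `# stage Kafka TLS material with 0600 on the key; the Secret mount alone is world-readable inside the pod`.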
@@ -53,17 +53,17 @@ spec: {{- include "keys.env.db.deploys" . | nindent 12 }} {{- include "keys.env.redis" . | nindent 12 }} {{- include "keys.env.counter" . | nindent 12 }} - {{- if .Values.counter.kafka.tls.enabled }} + {{- if or (eq .Values.kafka.main.securityProtocol "SSL") (eq .Values.kafka.main.securityProtocol "SASL_SSL") }} volumeMounts: - name: {{ printf "%s-kafka" (include "keys.counter.name" .) | quote }} - mountPath: /etc/2gis/secret/kafka-counter + mountPath: /etc/2gis/secret/kafka-main {{- end }} - {{- if .Values.counter.kafka.tls.enabled }} + {{- if or (eq .Values.kafka.main.securityProtocol "SSL") (eq .Values.kafka.main.securityProtocol "SASL_SSL") }} volumes: - - name: {{ include "keys.counter.name-kafka-raw" . | quote }} + - name: {{ include "keys.name-kafka-main-raw" . | quote }} secret: - secretName: {{ include "keys.counter.name-kafka" . | quote }} - - name: {{ include "keys.counter.name-kafka" . | quote }} + secretName: {{ include "keys.name-kafka-main" . | quote }} + - name: {{ include "keys.name-kafka-main" . | quote }} emptyDir: {} {{- end }} {{- with .Values.counter.nodeSelector }} diff --git a/charts/keys/templates/helpers.tpl b/charts/keys/templates/helpers.tpl index a9eca10c6..a9755e9dc 100644 --- a/charts/keys/templates/helpers.tpl +++ b/charts/keys/templates/helpers.tpl 
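Review bot: The counter container's volumeMount still uses `printf "%s-kafka" (include "keys.counter.name" .)` (an unchanged context line) while the emptyDir volume below was renamed to `include "keys.name-kafka-main"`, which helpers.tpl now defines as `<keys.name>-kafka-main`; the two names no longer agree, so whenever SSL/SASL_SSL is selected the mount references a volume that does not exist and the StatefulSet fails validation, unless a later patch in the series fixes it. Change the mount to `- name: {{ include "keys.name-kafka-main" . | quote }}`. While here, consider `emptyDir: { medium: Memory }` for the volume the private key is copied into so it is not written to node disk.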
@@ -39,19 +39,19 @@ {{- end }} {{- /* -Name for kafka counter intermediate volume for copy secrets +Name for kafka main intermediate volume for copy secrets */ -}} -{{- define "keys.counter.name-kafka-raw" -}} -{{- printf "%s-kafka-raw" (include "keys.counter.name" .) -}} +{{- define "keys.name-kafka-main-raw" -}} +{{- printf "%s-kafka-main-raw" (include "keys.name" .) -}} {{- end }} {{- /* -Name for kafka counter secret and volume +Name for kafka main secret and volume */ -}} -{{- define "keys.counter.name-kafka" -}} -{{- printf "%s-kafka" (include "keys.counter.name" .) -}} +{{- define "keys.name-kafka-main" -}} +{{- printf "%s-kafka-main" (include "keys.name" .) -}} {{- end }} {{- /* @@ -323,13 +323,13 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - name: KEYS_COUNTER_UPDATE_STATUS_QUERY_TIMEOUT value: "{{ .Values.counter.updateStatusQueryTimeout }}" - name: KEYS_KAFKA_MAIN_BROKERS - value: "{{ .Values.counter.kafka.brokers }}" + value: "{{ .Values.kafka.main.brokers }}" - name: KEYS_KAFKA_MAIN_CLIENT_PREFIX - value: "{{ .Values.counter.kafka.clientPrefix }}" + value: "{{ .Values.kafka.main.clientPrefix }}" - name: KEYS_KAFKA_MAIN_STATS_TOPIC - value: "{{ .Values.counter.kafka.topics.stats }}" + value: "{{ .Values.kafka.main.topics.stats }}" - name: KEYS_KAFKA_MAIN_USERNAME - value: "{{ .Values.counter.kafka.username }}" + value: "{{ .Values.kafka.main.username }}" - name: KEYS_KAFKA_MAIN_PASSWORD valueFrom: secretKeyRef: 
@@ -341,17 +341,19 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} value: "{{ .Values.counter.redis.minRetryBackoff }}" - name: KEYS_REDIS_MAX_RETRY_BACKOFF value: "{{ .Values.counter.redis.maxRetryBackoff }}" -- name: KEYS_KAFKA_MAIN_TLS_ENABLED - value: "{{ .Values.counter.kafka.tls.enabled }}" -{{- if .Values.counter.kafka.tls.enabled }} +- name: KEYS_KAFKA_MAIN_SECURITY_PROTOCOL + value: "{{ .Values.kafka.main.securityProtocol }}" +- name: KEYS_KAFKA_MAIN_SASL_MECHANISM + value: "{{ .Values.kafka.main.SASLMechanism }}" +{{- if or (eq .Values.kafka.main.securityProtocol "SSL") (eq .Values.kafka.main.securityProtocol "SASL_SSL") }} - name: KEYS_KAFKA_MAIN_TLS_SKIP_SERVER_CERTIFICATE_VERIFY - value: "{{ .Values.counter.kafka.tls.skipServerCertificateVerify }}" + value: "{{ .Values.kafka.main.tls.skipServerCertificateVerify }}" - name: KEYS_KAFKA_MAIN_TLS_CLIENT_CERTIFICATE_PATH - value: "/etc/2gis/secret/kafka-counter/client.crt" + value: "/etc/2gis/secret/kafka-main/client.crt" - name: KEYS_KAFKA_MAIN_TLS_CLIENT_KEY_PATH - value: "/etc/2gis/secret/kafka-counter/client.key" + value: "/etc/2gis/secret/kafka-main/client.key" - name: KEYS_KAFKA_MAIN_TLS_CA_CERT_PATH - value: "/etc/2gis/secret/kafka-counter/ca.crt" + value: "/etc/2gis/secret/kafka-main/ca.crt" {{- end }} {{- end }} 
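Review bot: `securityProtocol` is passed straight through to `KEYS_KAFKA_MAIN_SECURITY_PROTOCOL`, but every TLS rendering decision in the chart (the Secret, the cert-path env vars, the init container) uses a case-sensitive `eq` against "SSL"/"SASL_SSL", so a value like `ssl` or `SASL-SSL` silently yields a pod that tells the application to use TLS with no certificates mounted; what the application does from there is not visible here. Add a guard at the top of the helper, e.g. `{{- if not (has .Values.kafka.main.securityProtocol (list "PLAINTEXT" "SSL" "SASL_PLAINTEXT" "SASL_SSL")) }}{{ fail "kafka.main.securityProtocol must be one of PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL" }}{{- end }}`, and the same for `SASLMechanism` and the audit settings. The helper definition begins before this hunk.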
@@ -398,9 +400,11 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} value: "{{ .Values.kafka.audit.username }}" - name: KEYS_KAFKA_AUDIT_PASSWORD value: "{{ .Values.kafka.audit.password }}" -- name: KEYS_KAFKA_AUDIT_TLS_ENABLED - value: "{{ .Values.kafka.audit.tls.enabled }}" -{{- if .Values.counter.kafka.tls.enabled }} +- name: KEYS_KAFKA_AUDIT_SECURITY_PROTOCOL + value: "{{ .Values.kafka.audit.securityProtocol }}" +- name: KEYS_KAFKA_AUDIT_SASL_MECHANISM + value: "{{ .Values.kafka.audit.SASLMechanism }}" +{{- if or (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }} - name: KEYS_KAFKA_AUDIT_TLS_SKIP_SERVER_CERTIFICATE_VERIFY value: "{{ .Values.kafka.audit.tls.skipServerCertificateVerify }}" - name: KEYS_KAFKA_AUDIT_TLS_CLIENT_CERTIFICATE_PATH diff --git a/charts/keys/templates/secret-deploys.yaml b/charts/keys/templates/secret-deploys.yaml index 954403153..6a667b8e9 100644 --- a/charts/keys/templates/secret-deploys.yaml +++ b/charts/keys/templates/secret-deploys.yaml 
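Review bot: `KEYS_KAFKA_AUDIT_PASSWORD` is still injected as a literal `value:` in the pod spec, whereas the main-cluster password a few lines earlier in this file is read via `valueFrom.secretKeyRef`; the audit SASL credential is therefore visible to anyone who can read the Deployment object or the rendered manifest, and this commit adds the SASL mechanism alongside it without closing that gap. Store it in the deploys Secret and read it with a `valueFrom: secretKeyRef:` block mirroring the main password (for example under a `kafkaAuditPassword` key). The helper definition starts before this hunk.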
@@ -18,21 +18,21 @@ data: {{- if .Values.redis.password }} redisPassword: {{ .Values.redis.password | b64enc }} {{- end }} -{{- if .Values.counter.kafka.tls.enabled }} +{{- if or (eq .Values.kafka.main.securityProtocol "SSL") (eq .Values.kafka.main.securityProtocol "SASL_SSL") }} --- apiVersion: v1 kind: Secret metadata: - name: {{ include "keys.counter.name-kafka" . | quote }} + name: {{ include "keys.name-kafka-main" . | quote }} labels: - {{- include "keys.counter.labels" . | nindent 4 }} + {{- include "keys.labels" . | nindent 4 }} type: Opaque data: - client.crt: {{ required "A valid counter.kafka.tls.cert entry required" .Values.counter.kafka.tls.cert | b64enc | quote }} - client.key: {{ required "A valid counter.kafka.tls.key entry required" .Values.counter.kafka.tls.key | b64enc | quote }} - ca.crt: {{ required "A valid counter.kafka.tls.rootCert entry required" .Values.counter.kafka.tls.rootCert | b64enc | quote }} + client.crt: {{ required "A valid kafka.main.tls.cert entry required" .Values.kafka.main.tls.cert | b64enc | quote }} + client.key: {{ required "A valid kafka.main.tls.key entry required" .Values.kafka.main.tls.key | b64enc | quote }} + ca.crt: {{ required "A valid kafka.main.tls.rootCert entry required" .Values.kafka.main.tls.rootCert | b64enc | quote }} {{- end }} -{{- if .Values.kafka.audit.tls.enabled }} +{{- if or (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }} --- apiVersion: v1 kind: Secret diff --git a/charts/keys/templates/secret-kafka-audit.yaml b/charts/keys/templates/secret-kafka-audit.yaml new file mode 100644 index 000000000..29d306972 --- /dev/null +++ b/charts/keys/templates/secret-kafka-audit.yaml 
@@ -0,0 +1,13 @@ +{{- if or (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "keys.name-kafka-audit" . | quote }} + labels: + {{- include "keys.labels" . | nindent 4 }} +type: Opaque +data: + client.crt: {{ required "A valid kafka.audit.tls.cert entry required" .Values.kafka.audit.tls.cert | b64enc | quote }} + client.key: {{ required "A valid kafka.audit.tls.key entry required" .Values.kafka.audit.tls.key | b64enc | quote }} + ca.crt: {{ required "A valid kafka.audit.tls.rootCert entry required" .Values.kafka.audit.tls.rootCert | b64enc | quote }} +{{- end }} diff --git a/charts/keys/templates/secret-kafka-main.yaml b/charts/keys/templates/secret-kafka-main.yaml new file mode 100644 index 000000000..14b480a66 --- /dev/null +++ b/charts/keys/templates/secret-kafka-main.yaml @@ -0,0 +1,13 @@ +{{- if or (eq .Values.kafka.main.securityProtocol "SSL") (eq .Values.kafka.main.securityProtocol "SASL_SSL") }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "keys.name-kafka-main" . | quote }} + labels: + {{- include "keys.labels" . | nindent 4 }} +type: Opaque +data: + client.crt: {{ required "A valid kafka.main.tls.cert entry required" .Values.kafka.main.tls.cert | b64enc | quote }} + client.key: {{ required "A valid kafka.main.tls.key entry required" .Values.kafka.main.tls.key | b64enc | quote }} + ca.crt: {{ required "A valid kafka.main.tls.rootCert entry required" .Values.kafka.main.tls.rootCert | b64enc | quote }} +{{- end }} diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml index 65b7af8a8..2a4dbba27 100644 --- a/charts/keys/values.yaml +++ b/charts/keys/values.yaml @@ -360,7 +360,7 @@ counter: cpu: 1000m memory: 512Mi - # @param counter.preloader.refreshTick Preloader refresh tick. + # @param counter.preloader.refreshTick Refresh interval for in-memory cache with keys info. preloader: refreshTick: 1m 
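Review bot: Both new Secret templates mark `tls.cert` and `tls.key` as `required` whenever securityProtocol is SSL or SASL_SSL, so a broker using SASL_SSL (SCRAM over server-authenticated TLS, the usual managed-Kafka setup) cannot be configured without also providing a client certificate, and `rootCert` is required even when the CA is already delivered through `customCAs.bundle`. Consider emitting `client.crt`/`client.key` only when both are set, e.g. `{{- if and .Values.kafka.main.tls.cert .Values.kafka.main.tls.key }}`, making `ca.crt` optional the same way, and guarding the matching `*_TLS_CLIENT_*_PATH` env vars in helpers.tpl identically — assuming the application treats an unset client cert path as "no client auth", which should be confirmed. The `required` calls are appropriate only for genuine mTLS.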
@@ -378,33 +378,6 @@ counter: size: 1000 delay: 1s - # @extra counter.kafka **Settings for read stat messages.** - - # @param counter.kafka.clientPrefix Client prefix name - # @param counter.kafka.brokers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). - # @param counter.kafka.username Username for authorization (SASL/SCRAM SHA-512). - # @param counter.kafka.password Password for authorization (SASL/SCRAM SHA-512). - # @param counter.kafka.tls.enabled If tls connection to kafka is enabled. - # @param counter.kafka.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name - # @param counter.kafka.tls.rootCert Root certificate. - # @param counter.kafka.tls.cert Client certificate. - # @param counter.kafka.tls.key Client key. - # @param counter.kafka.topics.stats Topic to consume stat messages. - - kafka: - clientPrefix: '' - brokers: '' - username: '' - password: '' - tls: - enabled: false - skipServerCertificateVerify: false - rootCert: '' - cert: '' - key: '' - topics: - stats: '' - # @section Redis settings # @param counter.redis.retries 
@@ -537,13 +510,43 @@ postgres: kafka: + # @extra kafka.main **Settings for read stat messages.** + + # @param kafka.main.clientPrefix Client prefix name + # @param kafka.main.brokers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). + # @param kafka.main.securityProtocol Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. + # @param kafka.main.SASLMechanism Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. + # @param kafka.main.username Username for authorization (SASL). + # @param kafka.main.password Password for authorization (SASL). + # @param kafka.main.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name + # @param kafka.main.tls.rootCert Root certificate. + # @param kafka.main.tls.cert Client certificate. + # @param kafka.main.tls.key Client key. + # @param kafka.main.topics.stats Topic to consume stat messages. + + main: + clientPrefix: '' + brokers: '' + securityProtocol: 'PLAINTEXT' + SASLMechanism: 'PLAIN' + username: '' + password: '' + tls: + skipServerCertificateVerify: false + rootCert: '' + cert: '' + key: '' + topics: + stats: '' + # @extra kafka.audit **Settings for sending audit messages.** # @param kafka.audit.bootstrapServers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). - # @param kafka.audit.username Username for authorization (SASL/SCRAM SHA-512). - # @param kafka.audit.password Password for authorization (SASL/SCRAM SHA-512). + # @param kafka.audit.securityProtocol Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. 
+ # @param kafka.audit.SASLMechanism Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. + # @param kafka.audit.username Username for authorization (SASL). + # @param kafka.audit.password Password for authorization (SASL). # @param kafka.audit.topic Topic to produce audit messages. - # @param kafka.audit.tls.enabled If tls connection to kafka is enabled. # @param kafka.audit.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name # @param kafka.audit.tls.rootCert Root certificate. # @param kafka.audit.tls.cert Client certificate. @@ -553,11 +556,12 @@ kafka: audit: bootstrapServers: '' + securityProtocol: 'PLAINTEXT' + SASLMechanism: 'PLAIN' username: '' password: '' topic: '' tls: - enabled: false skipServerCertificateVerify: false rootCert: '' cert: '' From a61d1768b44279dc5581e47ded64c94da1552fec Mon Sep 17 00:00:00 2001 From: Donov Dmitriy Date: Mon, 29 Jul 2024 14:20:01 +0700 Subject: [PATCH 04/10] =?UTF-8?q?WAPI-22944=20=D0=B4=D0=BE=D0=B1=D0=B0?= =?UTF-8?q?=D0=B2=D0=B8=D0=BB=20pdb?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- charts/keys/README.md | 8 ++++++++ charts/keys/templates/api/pdb.yaml | 20 ++++++++++++++++++++ charts/keys/values.yaml | 11 +++++++++++ 3 files changed, 39 insertions(+) create mode 100644 charts/keys/templates/api/pdb.yaml diff --git a/charts/keys/README.md b/charts/keys/README.md index bb4ab4dc4..3e4ee72f0 100644 --- a/charts/keys/README.md +++ b/charts/keys/README.md 
@@ -37,6 +37,14 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about | `redis.image.repository` | Redis image repository. | `2gis-on-premise/keys-redis` | | `redis.image.tag` | Redis image tag. | `6.2.6-alpine3.15` | +### Kubernetes [Pod Disruption Budget](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets) settings + +| Name | Description | Value | +| -------------------- | --------------------------------------------------- | ------- | +| `pdb.enabled` | If PDB is enabled for the service | `false` | +| `pdb.minAvailable` | How many pods must be available after the eviction | `""` | +| `pdb.maxUnavailable` | How many pods can be unavailable after the eviction | `1` | + ### Flags for enabling/disabling certain features. | Name | Description | Value | diff --git a/charts/keys/templates/api/pdb.yaml b/charts/keys/templates/api/pdb.yaml new file mode 100644 index 000000000..2bd11bbff --- /dev/null +++ b/charts/keys/templates/api/pdb.yaml @@ -0,0 +1,20 @@ +{{- with .Values.pdb }} +{{- if .enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "keys.name" $ }} + labels: + {{- include "keys.labels" $ | nindent 4 }} +spec: + {{- if .minAvailable }} + minAvailable: {{ .minAvailable }} + {{- end }} + {{- if .maxUnavailable }} + maxUnavailable: {{ .maxUnavailable }} + {{- end }} + selector: + matchLabels: + {{- include "keys.selectorLabels" $ | nindent 6 }} +{{- end }} +{{- end }} diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml index 2a4dbba27..6f3204c63 100644 --- a/charts/keys/values.yaml +++ b/charts/keys/values.yaml 
@@ -19,6 +19,17 @@ dgctlDockerRegistry: '' imagePullSecrets: [] imagePullPolicy: IfNotPresent +# @section Kubernetes [Pod Disruption Budget](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets) settings + +# @param pdb.enabled If PDB is enabled for the service +# @param pdb.minAvailable How many pods must be available after the eviction +# @param pdb.maxUnavailable How many pods can be unavailable after the eviction + +pdb: + enabled: false + minAvailable: '' + maxUnavailable: 1 + # @section Flags for enabling/disabling certain features. featureFlags: From d6b4536ad5520311998925b73223a65952028d3e Mon Sep 17 00:00:00 2001 From: Dmitriy Donov Date: Mon, 29 Jul 2024 15:57:59 +0700 Subject: [PATCH 05/10] Update charts/keys/values.yaml Co-authored-by: Kirill Salnikov --- charts/keys/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml index 6f3204c63..b856be4e9 100644 --- a/charts/keys/values.yaml +++ b/charts/keys/values.yaml @@ -558,7 +558,7 @@ kafka: # @param kafka.audit.username Username for authorization (SASL). # @param kafka.audit.password Password for authorization (SASL). # @param kafka.audit.topic Topic to produce audit messages. - # @param kafka.audit.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name + # @param kafka.audit.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name. # @param kafka.audit.tls.rootCert Root certificate. # @param kafka.audit.tls.cert Client certificate. # @param kafka.audit.tls.key Client key. From 2d384c43aa0c46b611eaf203e9b167f3212900d4 Mon Sep 17 00:00:00 2001 
From: Donov Dmitriy Date: Mon, 29 Jul 2024 16:07:39 +0700 Subject: [PATCH 06/10] =?UTF-8?q?WAPI-22944=20=D0=B2=D1=8B=D0=BF=D0=B8?= =?UTF-8?q?=D0=BB=D0=B8=D0=BB=20pdb?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- charts/keys/README.md | 8 ------- charts/keys/templates/api/pdb.yaml | 20 ---------------- charts/keys/templates/secret-deploys.yaml | 28 ----------------------- charts/keys/values.yaml | 11 --------- 4 files changed, 67 deletions(-) delete mode 100644 charts/keys/templates/api/pdb.yaml diff --git a/charts/keys/README.md b/charts/keys/README.md index 3e4ee72f0..bb4ab4dc4 100644 --- a/charts/keys/README.md +++ b/charts/keys/README.md @@ -37,14 +37,6 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about | `redis.image.repository` | Redis image repository. | `2gis-on-premise/keys-redis` | | `redis.image.tag` | Redis image tag. | `6.2.6-alpine3.15` | -### Kubernetes [Pod Disruption Budget](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets) settings - -| Name | Description | Value | -| -------------------- | --------------------------------------------------- | ------- | -| `pdb.enabled` | If PDB is enabled for the service | `false` | -| `pdb.minAvailable` | How many pods must be available after the eviction | `""` | -| `pdb.maxUnavailable` | How many pods can be unavailable after the eviction | `1` | - ### Flags for enabling/disabling certain features. | Name | Description | Value | diff --git a/charts/keys/templates/api/pdb.yaml b/charts/keys/templates/api/pdb.yaml deleted file mode 100644 index 2bd11bbff..000000000 --- a/charts/keys/templates/api/pdb.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{- with .Values.pdb }} -{{- if .enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "keys.name" $ }} - labels: - {{- include "keys.labels" $ | nindent 4 }} -spec: - {{- if .minAvailable }} - minAvailable: {{ .minAvailable }} - {{- end }} - {{- if .maxUnavailable }} - maxUnavailable: {{ .maxUnavailable }} - {{- end }} - selector: - matchLabels: - {{- include "keys.selectorLabels" $ | nindent 6 }} -{{- end }} -{{- end }} diff --git a/charts/keys/templates/secret-deploys.yaml b/charts/keys/templates/secret-deploys.yaml index 6a667b8e9..03176dfa3 100644 --- a/charts/keys/templates/secret-deploys.yaml +++ b/charts/keys/templates/secret-deploys.yaml 
@@ -18,31 +18,3 @@ data: {{- if .Values.redis.password }} redisPassword: {{ .Values.redis.password | b64enc }} {{- end }} -{{- if or (eq .Values.kafka.main.securityProtocol "SSL") (eq .Values.kafka.main.securityProtocol "SASL_SSL") }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "keys.name-kafka-main" . | quote }} - labels: - {{- include "keys.labels" . | nindent 4 }} -type: Opaque -data: - client.crt: {{ required "A valid kafka.main.tls.cert entry required" .Values.kafka.main.tls.cert | b64enc | quote }} - client.key: {{ required "A valid kafka.main.tls.key entry required" .Values.kafka.main.tls.key | b64enc | quote }} - ca.crt: {{ required "A valid kafka.main.tls.rootCert entry required" .Values.kafka.main.tls.rootCert | b64enc | quote }} -{{- end }} -{{- if or (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "keys.name-kafka-audit" . | quote }} - labels: - {{- include "keys.labels" . | nindent 4 }} -type: Opaque -data: - client.crt: {{ required "A valid kafka.audit.tls.cert entry required" .Values.kafka.audit.tls.cert | b64enc | quote }} - client.key: {{ required "A valid kafka.audit.tls.key entry required" .Values.kafka.audit.tls.key | b64enc | quote }} - ca.crt: {{ required "A valid kafka.audit.tls.rootCert entry required" .Values.kafka.audit.tls.rootCert | b64enc | quote }} -{{- end }} diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml index 6f3204c63..2a4dbba27 100644 --- a/charts/keys/values.yaml +++ b/charts/keys/values.yaml 
@@ -19,17 +19,6 @@ dgctlDockerRegistry: ''
 imagePullSecrets: []
 imagePullPolicy: IfNotPresent
-# @section Kubernetes [Pod Disruption Budget](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets) settings
-
-# @param pdb.enabled If PDB is enabled for the service
-# @param pdb.minAvailable How many pods must be available after the eviction
-# @param pdb.maxUnavailable How many pods can be unavailable after the eviction
-
-pdb:
- enabled: false
- minAvailable: ''
- maxUnavailable: 1
-
 # @section Flags for enabling/disabling certain features.
 featureFlags:
From 39261df09c725fe202b064615805aa0384dc5b22 Mon Sep 17 00:00:00 2001 From: Donov Dmitriy Date: Mon, 29 Jul 2024 16:11:19 +0700 Subject: [PATCH 07/10] =?UTF-8?q?WAPI-22944=20=D0=BF=D1=80=D0=B0=D0=B2?= =?UTF-8?q?=D0=BA=D0=B8=20=D0=BF=D0=BE=D1=81=D0=BB=D0=B5=20=D1=80=D0=B5?= =?UTF-8?q?=D0=B2=D1=8C=D1=8E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- charts/keys/README.md | 55 ++++++++++++++++--------------- charts/keys/templates/helpers.tpl | 2 ++ charts/keys/values.yaml | 8 +++-- 3 files changed, 35 insertions(+), 30 deletions(-)
diff --git a/charts/keys/README.md b/charts/keys/README.md
index bb4ab4dc4..f526ee9ca 100644
--- a/charts/keys/README.md
+++ b/charts/keys/README.md
@@ -227,33 +227,34 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
 ### Kafka settings
-| Name | Description | Value |
-| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| `kafka.main` | **Settings for read stat messages.** | |
-| `kafka.main.clientPrefix` | Client prefix name | `""` |
-| `kafka.main.brokers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
-| `kafka.main.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` |
-| `kafka.main.SASLMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` |
-| `kafka.main.username` | Username for authorization (SASL). | `""` |
-| `kafka.main.password` | Password for authorization (SASL). | `""` |
-| `kafka.main.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` |
-| `kafka.main.tls.rootCert` | Root certificate. | `""` |
-| `kafka.main.tls.cert` | Client certificate. | `""` |
-| `kafka.main.tls.key` | Client key. | `""` |
-| `kafka.main.topics.stats` | Topic to consume stat messages. | `""` |
-| `kafka.audit` | **Settings for sending audit messages.** | |
-| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
-| `kafka.audit.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` |
-| `kafka.audit.SASLMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` |
-| `kafka.audit.username` | Username for authorization (SASL). | `""` |
-| `kafka.audit.password` | Password for authorization (SASL). | `""` |
-| `kafka.audit.topic` | Topic to produce audit messages. | `""` |
-| `kafka.audit.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` |
-| `kafka.audit.tls.rootCert` | Root certificate. | `""` |
-| `kafka.audit.tls.cert` | Client certificate. | `""` |
-| `kafka.audit.tls.key` | Client key. | `""` |
-| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` |
-| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` |
+| Name | Description | Value |
+| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
+| `kafka.main` | **Settings for read stat messages.** | |
+| `kafka.main.clientPrefix` | Client prefix name. | `production` |
+| `kafka.main.clientId` | Client id. | `""` |
+| `kafka.main.brokers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
+| `kafka.main.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` |
+| `kafka.main.SASLMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` |
+| `kafka.main.username` | Username for authorization (SASL). | `""` |
+| `kafka.main.password` | Password for authorization (SASL). | `""` |
+| `kafka.main.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name. | `false` |
+| `kafka.main.tls.rootCert` | Root certificate. | `""` |
+| `kafka.main.tls.cert` | Client certificate. | `""` |
+| `kafka.main.tls.key` | Client key. | `""` |
+| `kafka.main.topics.stats` | Topic to consume stat messages. | `""` |
+| `kafka.audit` | **Settings for sending audit messages.** | |
+| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
+| `kafka.audit.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` |
+| `kafka.audit.SASLMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` |
+| `kafka.audit.username` | Username for authorization (SASL). | `""` |
+| `kafka.audit.password` | Password for authorization (SASL). | `""` |
+| `kafka.audit.topic` | Topic to produce audit messages. | `""` |
+| `kafka.audit.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name. | `false` |
+| `kafka.audit.tls.rootCert` | Root certificate. | `""` |
+| `kafka.audit.tls.cert` | Client certificate. | `""` |
+| `kafka.audit.tls.key` | Client key. | `""` |
+| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` |
+| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` |
 ### LDAP connection settings
diff --git a/charts/keys/templates/helpers.tpl b/charts/keys/templates/helpers.tpl
index a9755e9dc..2c30e0755 100644
--- a/charts/keys/templates/helpers.tpl
+++ b/charts/keys/templates/helpers.tpl
@@ -326,6 +326,8 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 value: "{{ .Values.kafka.main.brokers }}"
 - name: KEYS_KAFKA_MAIN_CLIENT_PREFIX
 value: "{{ .Values.kafka.main.clientPrefix }}"
+- name: KEYS_KAFKA_MAIN_CLIENT_ID
+ value: "{{ .Values.kafka.main.clientId }}"
 - name: KEYS_KAFKA_MAIN_STATS_TOPIC
 value: "{{ .Values.kafka.main.topics.stats }}"
 - name: KEYS_KAFKA_MAIN_USERNAME
diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml
index 012830376..ae9da6b02 100644
--- a/charts/keys/values.yaml
+++ b/charts/keys/values.yaml
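Review bot: The new `KEYS_KAFKA_MAIN_CLIENT_ID` entry interpolates the value inside a hand-written double-quoted scalar, `value: "{{ .Values.kafka.main.clientId }}"`, so a client id containing `"` or `\` renders invalid YAML and the release fails at template time rather than being rejected with a clear message. `value: {{ .Values.kafka.main.clientId | quote }}` escapes the value for you. The neighbouring `KEYS_KAFKA_MAIN_CLIENT_PREFIX` and stats-topic entries use the same pattern, so this is a file-wide convention rather than a defect introduced here; if one is changed, they should change together. The env-list definition that contains these entries starts and ends outside the hunk.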
@@ -512,20 +512,22 @@ kafka:
 # @extra kafka.main **Settings for read stat messages.**
- # @param kafka.main.clientPrefix Client prefix name
+ # @param kafka.main.clientPrefix Client prefix name.
+ # @param kafka.main.clientId Client id.
 # @param kafka.main.brokers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093').
 # @param kafka.main.securityProtocol Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT.
 # @param kafka.main.SASLMechanism Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512.
 # @param kafka.main.username Username for authorization (SASL).
 # @param kafka.main.password Password for authorization (SASL).
- # @param kafka.main.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name
+ # @param kafka.main.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name.
 # @param kafka.main.tls.rootCert Root certificate.
 # @param kafka.main.tls.cert Client certificate.
 # @param kafka.main.tls.key Client key.
 # @param kafka.main.topics.stats Topic to consume stat messages.
 main:
- clientPrefix: ''
+ clientPrefix: 'production'
+ clientId: ''
 brokers: ''
 securityProtocol: 'PLAINTEXT'
 SASLMechanism: 'PLAIN'
From bf8c356ca472cc2684db3e8ce1c491cf63a293c0 Mon Sep 17 00:00:00 2001 From: Dmitriy Donov Date: Mon, 29 Jul 2024 16:21:47 +0700 Subject: [PATCH 08/10] Update charts/keys/values.yaml Co-authored-by: Kirill Salnikov --- charts/keys/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml
index ae9da6b02..c8f3292fa 100644
--- a/charts/keys/values.yaml
+++ b/charts/keys/values.yaml
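Review bot: The default of `kafka.main.clientPrefix` changes from `''` to `'production'` in this hunk, which silently alters the rendered `KEYS_KAFKA_MAIN_CLIENT_PREFIX` for every existing release that left the value unset, and neither the updated `@param` line nor the commit subject says so. Either keep `''` as the default and document `production` as the recommended value, or make the change visible to operators with `# @param kafka.main.clientPrefix Client prefix name. Default changed from '' to 'production'.` so it lands in the generated README. If the prefix feeds the Kafka client.id that brokers use for quotas or ACLs, that should be confirmed before the new default ships.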
@@ -360,7 +360,7 @@ counter:
 cpu: 1000m
 memory: 512Mi
- # @param counter.preloader.refreshTick Refresh interval for in-memory cache with keys info.
+ # @param counter.preloader.refreshTick Refresh interval for in-memory cache with keys limitations info. The smaller the interval, the faster the worker will know about changes in limitations.
 preloader:
 refreshTick: 1m
From c28bd056a7dca7a055d6eb582fc29fce07872dbd Mon Sep 17 00:00:00 2001 From: Dmitriy Donov Date: Mon, 29 Jul 2024 17:02:48 +0700 Subject: [PATCH 09/10] Update charts/keys/values.yaml Co-authored-by: Kirill Salnikov --- charts/keys/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml
index c8f3292fa..763e0a476 100644
--- a/charts/keys/values.yaml
+++ b/charts/keys/values.yaml
@@ -513,7 +513,7 @@ kafka:
 # @extra kafka.main **Settings for read stat messages.**
 # @param kafka.main.clientPrefix Client prefix name.
- # @param kafka.main.clientId Client id.
+ # @param kafka.main.clientId Client id. If empty, then hostname will be used.
 # @param kafka.main.brokers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093').
 # @param kafka.main.securityProtocol Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT.
 # @param kafka.main.SASLMechanism Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512.
From 08d0ff9a5e68e592059ef85aee8f1d600b66e564 Mon Sep 17 00:00:00 2001
From: Donov Dmitriy Date: Mon, 29 Jul 2024 17:08:39 +0700 Subject: [PATCH 10/10] =?UTF-8?q?WAPI-22944=20=D0=BE=D0=B1=D0=BD=D0=BE?= =?UTF-8?q?=D0=B2=D0=B8=D0=BB=20=D0=B4=D0=BE=D0=BA=D1=83?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- charts/keys/README.md | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/charts/keys/README.md b/charts/keys/README.md
index f526ee9ca..73c716f92 100644
--- a/charts/keys/README.md
+++ b/charts/keys/README.md
@@ -156,20 +156,20 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
 ### Counter worker settings
-| Name | Description | Value |
-| ----------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------- |
-| `counter.enabled` | Counter worker is enabled. | `false` |
-| `counter.replicas` | A replica count for the pod. | `1` |
-| `counter.prometheus.scrape` | If Prometheus scrape is enabled. | `true` |
-| `counter.resources.requests.cpu` | A CPU request. | `20m` |
-| `counter.resources.requests.memory` | A memory request. | `32Mi` |
-| `counter.resources.limits.cpu` | A CPU limit. | `1000m` |
-| `counter.resources.limits.memory` | A memory limit. | `512Mi` |
-| `counter.preloader.refreshTick` | Refresh interval for in-memory cache with keys info. | `1m` |
-| `counter.updateStatusQueryTimeout` | Timeout for database queries to update key status. | `1s` |
-| `counter.buffer` | **Settings for in-memory buffer for statistics data.** | |
-| `counter.buffer.size` | The maximum size of the buffer. When the limit is reached, the data from the buffer is transferred to Redis. | `1000` |
-| `counter.buffer.delay` | The maximum interval between data transfer operations from the buffer to Redis. | `1s` |
+| Name | Description | Value |
+| ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `counter.enabled` | Counter worker is enabled. | `false` |
+| `counter.replicas` | A replica count for the pod. | `1` |
+| `counter.prometheus.scrape` | If Prometheus scrape is enabled. | `true` |
+| `counter.resources.requests.cpu` | A CPU request. | `20m` |
+| `counter.resources.requests.memory` | A memory request. | `32Mi` |
+| `counter.resources.limits.cpu` | A CPU limit. | `1000m` |
+| `counter.resources.limits.memory` | A memory limit. | `512Mi` |
+| `counter.preloader.refreshTick` | Refresh interval for in-memory cache with keys limitations info. The smaller the interval, the faster the worker will know about changes in limitations. | `1m` |
+| `counter.updateStatusQueryTimeout` | Timeout for database queries to update key status. | `1s` |
+| `counter.buffer` | **Settings for in-memory buffer for statistics data.** | |
+| `counter.buffer.size` | The maximum size of the buffer. When the limit is reached, the data from the buffer is transferred to Redis. | `1000` |
+| `counter.buffer.delay` | The maximum interval between data transfer operations from the buffer to Redis. | `1s` |
 ### Redis settings
@@ -231,7 +231,7 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
 | --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
 | `kafka.main` | **Settings for read stat messages.** | |
 | `kafka.main.clientPrefix` | Client prefix name. | `production` |
-| `kafka.main.clientId` | Client id. | `""` |
+| `kafka.main.clientId` | Client id. If empty, then hostname will be used. | `""` |
 | `kafka.main.brokers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
 | `kafka.main.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` |
 | `kafka.main.SASLMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` |