Merge pull request #2860 from lsst-sqre/tickets/DM-42352

[DM-42352] Refactor InfluxDB Enterprise configuration

applications/sasquatch/README.md

@@ -94,12 +94,16 @@ Rubin Observatory's telemetry service.
 | influxdb-enterprise.data.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0] | string | `"data"` |  |
 | influxdb-enterprise.data.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` |  |
 | influxdb-enterprise.data.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `1` |  |
+| influxdb-enterprise.data.config.anti_entropy.enabled | bool | `false` |  |
+| influxdb-enterprise.data.config.cluster.log-queries-after | string | `"15s"` |  |
+| influxdb-enterprise.data.config.cluster.max-concurrent-queries | int | `1000` |  |
+| influxdb-enterprise.data.config.cluster.query-timeout | string | `"300s"` |  |
+| influxdb-enterprise.data.config.continuous_queries.enabled | bool | `false` |  |
+| influxdb-enterprise.data.config.data.trace-logging-enabled | bool | `true` |  |
+| influxdb-enterprise.data.config.http.auth-enabled | bool | `true` |  |
+| influxdb-enterprise.data.config.http.flux-enabled | bool | `true` |  |
+| influxdb-enterprise.data.config.logging.level | string | `"debug"` |  |
 | influxdb-enterprise.data.env | object | `{}` |  |
-| influxdb-enterprise.data.flux.enabled | bool | `true` |  |
-| influxdb-enterprise.data.https.enabled | bool | `false` |  |
-| influxdb-enterprise.data.https.insecure | bool | `true` |  |
-| influxdb-enterprise.data.https.secret.name | string | `"influxdb-tls"` |  |
-| influxdb-enterprise.data.https.useCertManager | bool | `false` |  |
 | influxdb-enterprise.data.image | object | `{}` |  |
 | influxdb-enterprise.data.ingress.annotations."nginx.ingress.kubernetes.io/proxy-read-timeout" | string | `"300"` |  |
 | influxdb-enterprise.data.ingress.annotations."nginx.ingress.kubernetes.io/proxy-send-timeout" | string | `"300"` |  |
@@ -122,10 +126,6 @@ Rubin Observatory's telemetry service.
 | influxdb-enterprise.meta.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` |  |
 | influxdb-enterprise.meta.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `1` |  |
 | influxdb-enterprise.meta.env | object | `{}` |  |
-| influxdb-enterprise.meta.https.enabled | bool | `false` |  |
-| influxdb-enterprise.meta.https.insecure | bool | `true` |  |
-| influxdb-enterprise.meta.https.secret.name | string | `"influxdb-tls"` |  |
-| influxdb-enterprise.meta.https.useCertManager | bool | `false` |  |
 | influxdb-enterprise.meta.image | object | `{}` |  |
 | influxdb-enterprise.meta.ingress.annotations."nginx.ingress.kubernetes.io/proxy-read-timeout" | string | `"300"` |  |
 | influxdb-enterprise.meta.ingress.annotations."nginx.ingress.kubernetes.io/proxy-send-timeout" | string | `"300"` |  |

applications/sasquatch/charts/influxdb-enterprise/README.md

@@ -17,12 +17,16 @@ Run InfluxDB Enterprise on Kubernetes
 | data.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0] | string | `"data"` |  |
 | data.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` |  |
 | data.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `1` |  |
+| data.config.anti_entropy.enabled | bool | `false` |  |
+| data.config.cluster.log-queries-after | string | `"15s"` |  |
+| data.config.cluster.max-concurrent-queries | int | `1000` |  |
+| data.config.cluster.query-timeout | string | `"300s"` |  |
+| data.config.continuous_queries.enabled | bool | `false` |  |
+| data.config.data.trace-logging-enabled | bool | `true` |  |
+| data.config.http.auth-enabled | bool | `true` |  |
+| data.config.http.flux-enabled | bool | `true` |  |
+| data.config.logging.level | string | `"debug"` |  |
 | data.env | object | `{}` |  |
-| data.flux.enabled | bool | `true` |  |
-| data.https.enabled | bool | `false` |  |
-| data.https.insecure | bool | `true` |  |
-| data.https.secret.name | string | `"influxdb-tls"` |  |
-| data.https.useCertManager | bool | `false` |  |
 | data.image | object | `{}` |  |
 | data.ingress.annotations."nginx.ingress.kubernetes.io/proxy-read-timeout" | string | `"300"` |  |
 | data.ingress.annotations."nginx.ingress.kubernetes.io/proxy-send-timeout" | string | `"300"` |  |
@@ -45,10 +49,6 @@ Run InfluxDB Enterprise on Kubernetes
 | meta.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` |  |
 | meta.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `1` |  |
 | meta.env | object | `{}` |  |
-| meta.https.enabled | bool | `false` |  |
-| meta.https.insecure | bool | `true` |  |
-| meta.https.secret.name | string | `"influxdb-tls"` |  |
-| meta.https.useCertManager | bool | `false` |  |
 | meta.image | object | `{}` |  |
 | meta.ingress.annotations."nginx.ingress.kubernetes.io/proxy-read-timeout" | string | `"300"` |  |
 | meta.ingress.annotations."nginx.ingress.kubernetes.io/proxy-send-timeout" | string | `"300"` |  |

applications/sasquatch/charts/influxdb-enterprise/templates/bootstrap-job.yaml

@@ -49,12 +49,6 @@ spec:
         command:
           - influx
         args:
-        {{- if .Values.data.https.enabled }}
-          - -ssl
-        {{- if .Values.data.https.insecure }}
-          - -unsafeSsl
-        {{ end }}
-        {{ end }}
           - -host
           - {{ include "influxdb-enterprise.fullname" . }}-data
           - -execute
@@ -90,12 +84,6 @@ spec:
         command:
           - influx
         args:
-        {{- if .Values.data.https.enabled }}
-          - -ssl
-        {{- if .Values.data.https.insecure }}
-          - -unsafeSsl
-        {{ end }}
-        {{ end }}
           - -host
           - {{ include "influxdb-enterprise.fullname" . }}-data
           - -import
@@ -127,12 +115,6 @@ spec:
         command:
           - influx
         args:
-        {{- if .Values.data.https.enabled }}
-          - -ssl
-        {{- if .Values.data.https.insecure }}
-          - -unsafeSsl
-        {{ end }}
-        {{ end }}
           - -host
           - {{ include "influxdb-enterprise.fullname" . }}-data
           - -import

applications/sasquatch/charts/influxdb-enterprise/templates/data-configmap.yaml

@@ -10,17 +10,15 @@ data:
     bind-address = ":8088"
     reporting-disabled = false
 
-    {{ if .Values.data.https.enabled }}
-    https-enabled = true
-
-    https-certificate = "/var/run/secrets/tls/tls.crt"
-    https-private-key = "/var/run/secrets/tls/tls.key"
-
-    {{ end }}
-
-    {{ if .Values.data.flux.enabled }}
-    flux-enabled = true
-    {{ end }}
+    [http]
+      {{- range $key, $value := index .Values.data.config.http }}
+      {{- $tp := typeOf $value }}
+      {{- if eq $tp "string" }}
+      {{ $key }} = {{ $value | quote }}
+      {{- else }}
+      {{ $key }} = {{ $value }}
+      {{- end }}
+      {{- end }}
 
     [enterprise]
       {{ if .Values.license.key }}
@@ -31,36 +29,64 @@ data:
       license-path = "/var/run/secrets/influxdb/license.json"
       {{ end }}
 
-    [cluster]
-    {{ if .Values.data.https.enabled }}
-    https-enabled = true
-
-    https-certificate = "/var/run/secrets/tls/tls.crt"
-    https-private-key = "/var/run/secrets/tls/tls.key"
-
-    {{ if .Values.data.https.insecure }}
-    https-insecure-tls = true
-    {{ end }}
-    {{ end }}
-
     [meta]
       dir = "/var/lib/influxdb/meta"
 
-      {{ if and .Values.meta.https.enabled }}
-      meta-tls-enabled = true
-
-      {{ if .Values.meta.https.insecure }}
-      meta-insecure-tls = true
-      {{ end }}
-
-      {{ end }}
-
     [hinted-handoff]
       dir = "/var/lib/influxdb/hh"
 
     [data]
       dir = "/var/lib/influxdb/data"
       wal-dir = "/var/lib/influxdb/wal"
+      {{- range $key, $value := index .Values.data.config.data }}
+      {{- $tp := typeOf $value }}
+      {{- if eq $tp "string" }}
+      {{ $key }} = {{ $value | quote }}
+      {{- else }}
+      {{ $key }} = {{ $value }}
+      {{- end }}
+      {{- end }}
+
+    [anti-entropy]
+      {{- range $key, $value := index .Values.data.config.anti_entropy }}
+      {{- $tp := typeOf $value }}
+      {{- if eq $tp "string" }}
+      {{ $key }} = {{ $value | quote }}
+      {{- else }}
+      {{ $key }} = {{ $value }}
+      {{- end }}
+      {{- end }}
+
+    [cluster]
+      {{- range $key, $value := index .Values.data.config.cluster }}
+      {{- $tp := typeOf $value }}
+      {{- if eq $tp "string" }}
+      {{ $key }} = {{ $value | quote }}
+      {{- else }}
+      {{ $key }} = {{ $value }}
+      {{- end  }}
+      {{- end }}
+
+    [continuous_queries]
+      {{- range $key, $value := index .Values.data.config.continuous_queries }}
+      {{- $tp := typeOf $value }}
+      {{- if eq $tp "string" }}
+      {{ $key }} = {{ $value | quote }}
+      {{- else }}
+      {{ $key }} = {{ $value }}
+      {{- end  }}
+      {{- end }}
+
+    [logging]
+      {{- range $key, $value := index .Values.data.config.logging }}
+      {{- $tp := typeOf $value }}
+      {{- if eq $tp "string" }}
+      {{ $key }} = {{ $value | quote }}
+      {{- else }}
+      {{ $key }} = {{ $value }}
+      {{- end  }}
+      {{- end }}
+
 
   entrypoint.pl: |+
     #!/usr/bin/env perl
@@ -90,21 +116,15 @@ data:
     $SIG{KILL} = sub { kill 'KILL', $pid };
 
     # Register data node with meta leader
-    {{ if .Values.meta.https.enabled }}
-    my $protocol = "https";
-    {{ else }}
     my $protocol = "http";
-    {{ end }}
     my $meta_service = $ENV{RELEASE_NAME} . "-meta";
 
     # We're not going to define an exit strategy for failure here.
     # This should be handled by the probes on the pods
     while (true) {
       # There's no LWP/Simple available in our images, so forking out to curl 😥
       print "\n\n\nREGISTER WITH META SERVICE\n\n\n";
-      $exit_code = system('curl', {{ if .Values.meta.https.insecure }}'-k',{{ end }} '-XPOST', '--silent', '--fail', '--retry', '5', '--retry-delay', '0', "-Faddr=$ENV{INFLUXDB_HOSTNAME}:8088", "$protocol://$meta_service:8091/add-data");
-      # $exit_code = system('curl', {{ if .Values.meta.https.insecure }}'-k',{{ end }} '-XPOST', '-v', '--silent', '--fail', '--retry', '5', '--retry-delay', '0', "-Faddr=$ENV{INFLUXDB_HOSTNAME}:8088", "$protocol://$meta_service:8091/add-data");
-
+      $exit_code = system('curl', '-XPOST', '--silent', '--fail', '--retry', '5', '--retry-delay', '0', "-Faddr=$ENV{INFLUXDB_HOSTNAME}:8088", "$protocol://$meta_service:8091/add-data");
 
       if ($exit_code == 0) {
         $| = 1;

applications/sasquatch/charts/influxdb-enterprise/templates/data-statefulset.yaml

@@ -45,36 +45,6 @@ spec:
           - key: {{ .Values.license.secret.key }}
             path: license.json
       {{- end }}
-      {{- if .Values.data.https.enabled }}
-      - name: tls
-        secret:
-          {{- if .Values.data.https.useCertManager }}
-          secretName: {{ include "influxdb-enterprise.fullname" . }}-data-tls
-          {{ else }}
-          secretName: {{ .Values.data.https.secret.name }}
-          {{ if or .Values.data.https.secret.crt .Values.data.https.secret.key }}
-          items:
-            - key: {{ .Values.data.https.secret.crt }}
-              path: tls.crt
-            - key: {{ .Values.data.https.secret.key }}
-              path: tls.key
-          {{ end }}
-          {{ end }}
-      {{ end }}
-      {{- if and .Values.data.https.enabled .Values.data.https.secret }}
-      {{- if .Values.data.https.secret.ca -}}
-      - name: tls-ca
-        secret:
-          {{ if .Values.data.https.secret.caSecret -}}
-          secretName: {{ .Values.data.https.secret.caSecret }}
-          {{ else }}
-          secretName: {{ .Values.data.https.secret.name }}
-          {{ end }}
-          items:
-            - key: {{ .Values.data.https.secret.ca }}
-              path: ca.crt
-      {{ end }}
-      {{ end }}
       containers:
         - name: {{ .Chart.Name }}
           command:
@@ -119,17 +89,11 @@ spec:
             httpGet:
               path: /ping
               port: http
-              {{- if .Values.data.https.enabled }}
-              scheme: HTTPS
-              {{- end }}
           readinessProbe:
             initialDelaySeconds: 30
             httpGet:
               path: /ping
               port: http
-              {{- if .Values.data.https.enabled }}
-              scheme: HTTPS
-              {{- end }}
           volumeMounts:
           - name: config
             mountPath: /etc/influxdb
@@ -139,17 +103,6 @@ spec:
           - name: license
             mountPath: /var/run/secrets/influxdb/
           {{- end }}
-          {{- if .Values.data.https.enabled }}
-          - name: tls
-            mountPath: /var/run/secrets/tls/
-          {{ end }}
-          {{- if and .Values.data.https.enabled .Values.data.https.secret }}
-          {{- if .Values.data.https.secret.ca -}}
-          - name: tls-ca
-            mountPath: /usr/share/ca-certificates/selfsigned/ca.crt
-            subPath: ca.crt
-          {{ end }}
-          {{ end }}
           resources:
             {{- toYaml .Values.data.resources | nindent 12 }}
       {{- with .Values.data.nodeSelector }}