We do not use service proxy to comminicate to memcached.
All services has exact number of endpoints to communicate.
Having max_surge is useless as clients will never use it.
Change-Id: I74a665c96cfc99cbb8d31c4a17700c467c746c9e
Use required* antiaffinity to make sure we do not have
two pods sitting on same node as it does not make any
sense.
Change-Id: I6c0c55733b75eb1bd53eee855907533d672dbf22
For effective cache use all endpoints should be specified
explicitly as memcache client use specific algorithm to
identify on which cache server key is stored based on
servers availability and key name.
If memcached deployed behind the service unless same key is
stored on all memcached instances clients will always got
cache misses and will require to use heavy calls to database.
So in the end all keys will be stored on all memcached instances.
Furthermore delete operations such as revoke token or remove
keystone group call logic in service to remove data from cache
if Loadbalancer is used this functionality can't work as we
can't remove keys from all backends behind LB with single call.
Change-Id: I253cfa2740fed5e1c70ced7308a489568e0f10b9
Use the following structure in values to define addtional service
parameters:
Values: network:
memcached:
service:
type: loadBalancer
loadBalancerIP: 1.1.1.1
Change-Id: I94c87e530d90f603949ccacbf0602273feec741a
Use quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
by default instead of 1.0.0 which is v1 formatted and
not supported any more by docker.
Change-Id: I6349a57494ed8b1e3c4b618f5bd82705bef42f7a
Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst
Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.
Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
This adds taint toleration support for openstack jobs
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: If0e02fe8df0bef5065ab99f71263b55f03ab5c3a
Instead of running the exporter as a seperate deployemnt that talks
to the service, which will NOT be reporting reliable information if
you have more than 1 replica of memcached, this patch insteads moves
things into a sidecar model that runs in the same pod and exposes
the service.
Change-Id: Ia4801b47f44df91db10886f7cb4e8e174557aded
This will ease mirroring capabilities for the docker official images.
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I0f9177b0b83e4fad599ae0c3f3820202bf1d450d
Memcached stats cachedump is enabled by default. Changes in this
pathset provide an option to configure stats cachedump as desired
during deployment i.e. the stats cachedump can be disabled to
prevent user obtaining sensitive info via the cachedump data.
Change-Id: Ic6254f89b1478a414ac275436ddd659b16b75f98
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained
Change-Id: I5bfdc156ae228ab16da57569ac6b05a9a125cb6a
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This change adds egress rules to the following charts:
- ingress
- memcache
- libvirt
- rabbitmq
These rules will be tightend down in future changes
Change-Id: I6f297d50ca4c06234c7c79986a12cccf3beb5efb
This ps exposes the anti-affinity weight value, including
default, that will be consumed by the updated htk function.
Change-Id: Id8eb303674764ef8b0664f62040723aaf77e0a54
securityContext with readOnlyRootFilesystem is implemented at container
level and leveraged the helm-toolkit snippet
Change-Id: I8b16e9c17154a2bac162f31939b510fcd773126b
Implement a pod security context for the following Memcached resources:
- Memcached server deployment
Change-Id: I8628ceb246e7c435a2ddd20bf1bcecd94db8ea26
This adds the security context to the memcached prometheus
exporter pod, which changes the default user from root to the
nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: I3401c1a67f17cef49a478be98f9ab42691b84d66
This PS implements the helm toolkit function to generate the
Egress in kubernetes network policy manifest based on overrideable values.
It also enbale the K8s network policy at Osh-infra gate.
Change-Id: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
This patch set implements the helm toolkit function to generate a
kubernetes network policy manifest based on overrideable values.
This also adds a chart that shuts down all the ingress and egress
traffics in the namespace. This can be used to ensure the
whitelisted network policy works as intended.
Additionally, implementation is done for some infrastructure charts.
Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This PS moves the Memcached chart to OSH-Infra
Story: 2002204
Task: 21727
Change-Id: I47a226ba90a84cddcbf4911af4bf23257827e79e
Signed-off-by: Pete Birley <pete@port.direct>
