Installing the agent in k8s with readOnlyRootFilesystem - anodot/daria GitHub Wiki
PostgreSQL
Directories that require persistence:
/bitnami/postgresql
Directories that need to be writeable (EmptyDir volumes):
/dev/shm
/tmp
/opt/bitnami/postgresql/tmp
/opt/bitnami/postgresql/conf
/opt/bitnami/postgresql/conf/conf.d
The following YAML config was generated from the Bitnami Helm chart and altered to add the required volumes.
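---
# PostgreSQL for the agent, rendered from the Bitnami chart (postgresql-10.5.0)
# and altered so the container runs with a read-only root filesystem: every
# path PostgreSQL writes to is backed by a volume under volumeMounts, and the
# persistent data lives on the "data" volumeClaimTemplate.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: agent-db-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.5.0
    app.kubernetes.io/instance: agent-db
    app.kubernetes.io/component: primary
spec:
  serviceName: agent-db-postgresql-headless
  replicas: 1
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/instance: agent-db
      role: primary
  template:
    metadata:
      name: agent-db-postgresql
      labels:
        app.kubernetes.io/name: postgresql
        helm.sh/chart: postgresql-10.5.0
        app.kubernetes.io/instance: agent-db
        app.kubernetes.io/managed-by: Helm
        role: primary
        app.kubernetes.io/component: primary
    spec:
      affinity:
        # Soft anti-affinity only (weight 1): the scheduler prefers, but does
        # not require, spreading primaries across nodes.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: postgresql
                    app.kubernetes.io/instance: agent-db
                    app.kubernetes.io/component: primary
                namespaces:
                  - "agent-testing"
                topologyKey: kubernetes.io/hostname
              weight: 1
      securityContext:
        # Group ownership applied to the data volume so the non-root UID
        # used by the container below can write to it.
        fsGroup: 10001
      containers:
        - name: agent-db-postgresql
          image: docker.io/bitnami/postgresql:10.12.0
          imagePullPolicy: "IfNotPresent"
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
          securityContext:
            runAsUser: 10001
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            # The reason for this manifest: only the volumeMounts listed below
            # are writable; any other write at runtime fails with EROFS.
            readOnlyRootFilesystem: true
          env:
            - name: BITNAMI_DEBUG
              value: "false"
            - name: POSTGRESQL_PORT_NUMBER
              value: "5432"
            - name: POSTGRESQL_VOLUME_DIR
              value: "/bitnami/postgresql"
            - name: PGDATA
              value: "/bitnami/postgresql/data"
            - name: POSTGRES_USER
              value: "postgres"
            # NOTE(review): plaintext credential in the manifest. Before use
            # outside a test cluster, put it in a Secret and reference it with
            # valueFrom.secretKeyRef; the agent Deployment must use the same one.
            - name: POSTGRES_PASSWORD
              value: "postgres"
            - name: POSTGRES_DB
              value: "agent"
            - name: POSTGRESQL_ENABLE_LDAP
              value: "no"
            # TLS is off: client traffic from the agent is plaintext on the
            # cluster network.
            - name: POSTGRESQL_ENABLE_TLS
              value: "no"
            - name: POSTGRESQL_LOG_HOSTNAME
              value: "false"
            - name: POSTGRESQL_LOG_CONNECTIONS
              value: "false"
            - name: POSTGRESQL_LOG_DISCONNECTIONS
              value: "false"
            - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
              value: "off"
            - name: POSTGRESQL_CLIENT_MIN_MESSAGES
              value: "error"
            - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
              value: "pgaudit"
          ports:
            - name: tcp-postgresql
              containerPort: 5432
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - exec pg_isready -U "postgres" -d "dbname=agent" -h 127.0.0.1 -p 5432
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - -e
                # NOTE(review): `exec` replaces the shell, so the .initialized
                # test on the second line never runs; kept as upstream renders
                # it — confirm against the chart before changing.
                - |
                  exec pg_isready -U "postgres" -d "dbname=agent" -h 127.0.0.1 -p 5432
                  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
            initialDelaySeconds: 15
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          # Writable paths: one persistent volume, the rest emptyDir.
          volumeMounts:
            - name: dshm
              mountPath: /dev/shm
            - name: data
              mountPath: /bitnami/postgresql
            - name: tmp
              mountPath: /tmp
            - name: bitnami-tmp
              mountPath: /opt/bitnami/postgresql/tmp
            - name: bitnami-conf
              mountPath: /opt/bitnami/postgresql/conf
            - name: bitnami-confd
              mountPath: /opt/bitnami/postgresql/conf/conf.d
      volumes:
        # RAM-backed /dev/shm for PostgreSQL shared memory.
        - name: dshm
          emptyDir:
            medium: Memory
        - name: tmp
          emptyDir: {}
        - name: bitnami-tmp
          emptyDir: {}
        - name: bitnami-conf
          emptyDir: {}
        - name: bitnami-confd
          emptyDir: {}
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "2Gi"
        storageClassName: "local-agent-storage"
        volumeMode: Filesystem
        # Binds to one pre-created PersistentVolume by name.
        volumeName: postgres-agent01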
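---
# Cluster-internal endpoint the agent uses to reach PostgreSQL
# (AGENT_DB_HOST: agent-db-postgresql). Selects the primary pod only.
apiVersion: v1
kind: Service
metadata:
  name: agent-db-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.5.0
    app.kubernetes.io/instance: agent-db
spec:
  type: ClusterIP
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: agent-db
    role: primary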
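---
# Headless Service backing the StatefulSet's serviceName; gives each pod a
# stable DNS entry rather than a load-balanced virtual IP.
apiVersion: v1
kind: Service
metadata:
  name: agent-db-postgresql-headless
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.5.0
    app.kubernetes.io/instance: agent-db
  annotations:
    # Kept alongside publishNotReadyAddresses below: the annotation is being
    # phased out, but the field is broken on some Kubernetes versions
    # (https://github.com/kubernetes/kubernetes/issues/58662).
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  type: ClusterIP
  clusterIP: None
  # Publish every StatefulSet pod's address before it is ready: PostgreSQL
  # pods need to reach each other in order to become ready at all.
  publishNotReadyAddresses: true
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: agent-db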
Streamsets
Directories that require persistence:
/data
Directories that need to be writeable (EmptyDir volumes):
/etc/sdc
/tmp
The following YAML config was generated from the Anodot Helm chart and altered to add the required volumes.
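---
# StreamSets Data Collector for the agent, rendered from the Anodot chart and
# altered for a read-only root filesystem: /data is persistent, /etc/sdc and
# /tmp are emptyDir. "RELEASE-NAME" is the literal `helm template` emits when
# no release name is given; substitute a real name if several releases share
# a namespace, since it is part of the selector.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: streamsets-agent
  labels:
    app.kubernetes.io/name: streamsets-agent
    app.kubernetes.io/instance: RELEASE-NAME
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: streamsets-agent
      app.kubernetes.io/instance: RELEASE-NAME
  serviceName: streamsets-agent
  template:
    metadata:
      labels:
        app.kubernetes.io/name: streamsets-agent
        app.kubernetes.io/instance: RELEASE-NAME
    spec:
      containers:
        - name: streamsets
          image: "anodot/streamsets:3.14.0"
          imagePullPolicy: IfNotPresent
          env:
            - name: "SDC_JAVA_OPTS"
              value: "-Xmx4096m -Xms4096m -server"
          # A single volumeMounts list. The previous revision declared the key
          # twice; YAML parsers keep only the last occurrence, which silently
          # dropped the /data mount.
          volumeMounts:
            - mountPath: /data
              name: streamsets-data
            - mountPath: /etc/sdc
              name: etc-sdc
            - mountPath: /tmp
              name: tmp
          ports:
            - name: http
              containerPort: 18630
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: 18630
            initialDelaySeconds: 25
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 3
          readinessProbe:
            httpGet:
              path: /
              port: 18630
          resources:
            limits:
              cpu: 4
              memory: 10Gi
            requests:
              cpu: 4
              memory: 10Gi
          securityContext:
            runAsUser: 20159
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            # Only the three volumeMounts above are writable at runtime.
            readOnlyRootFilesystem: true
      # NOTE(review): no pod-level fsGroup is set here, unlike the PostgreSQL
      # and agent workloads; confirm UID 20159 can write the streamsets-data
      # volume on the local-agent-storage class.
      volumes:
        - name: etc-sdc
          emptyDir: {}
        - name: tmp
          emptyDir: {}
  volumeClaimTemplates:
    - metadata:
        name: streamsets-data
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: 2Gi
        storageClassName: "local-agent-storage"
        volumeMode: Filesystem
        # Binds to one pre-created PersistentVolume by name.
        volumeName: streamsets-data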
---
# NodePort Service for the StreamSets HTTP port. NodePort opens the port on
# every node's address, so it is reachable from outside the cluster, not only
# from the agent.
apiVersion: v1
kind: Service
metadata:
  name: streamsets-agent
  labels:
    app.kubernetes.io/name: streamsets-agent
    app.kubernetes.io/instance: RELEASE-NAME
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: streamsets-agent
  ports:
    - name: http
      protocol: TCP
      port: 18630
      targetPort: http
Agent
Directories that need to be writeable (EmptyDir volumes):
/tmp
/var/log/agent
/var/log/supervisor
/var/log/nginx
/etc/nginx/conf.d
/etc/supervisor/conf.d
/var/cache/nginx
The following YAML config was generated from the Anodot Helm chart and altered to add the required volumes.
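---
# The agent itself, rendered from the Anodot chart and altered for a read-only
# root filesystem. It keeps no persistent state; every path nginx, supervisor
# and the agent write to is an emptyDir listed under volumeMounts.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: anodot-agent
  labels:
    app.kubernetes.io/name: anodot-agent
    app.kubernetes.io/instance: anodot-agent
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: anodot-agent
      app.kubernetes.io/instance: anodot-agent
  template:
    metadata:
      labels:
        app.kubernetes.io/name: anodot-agent
        app.kubernetes.io/instance: anodot-agent
    spec:
      securityContext:
        fsGroup: 10001
      containers:
        - name: anodot-agent
          image: "anodot/daria:3.14.0"
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
          securityContext:
            runAsUser: 10001
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            # Only the volumeMounts below are writable at runtime.
            readOnlyRootFilesystem: true
          env:
            - name: AGENT_DB_HOST
              value: agent-db-postgresql
            - name: AGENT_DB_USER
              value: postgres
            # NOTE(review): plaintext credential in the manifest. Source it
            # from a Secret via valueFrom.secretKeyRef, the same Secret the
            # PostgreSQL StatefulSet reads POSTGRES_PASSWORD from.
            - name: AGENT_DB_PASSWORD
              value: postgres
            - name: AGENT_DB
              value: agent
            - name: LISTEN_PORT
              value: '8080'
          volumeMounts:
            - name: log-agent
              mountPath: /var/log/agent
            - name: log-supervisor
              mountPath: /var/log/supervisor
            - name: log-nginx
              mountPath: /var/log/nginx
            - name: nginx-confd
              mountPath: /etc/nginx/conf.d
            - name: tmp
              mountPath: /tmp
            - name: supervisor-confd
              mountPath: /etc/supervisor/conf.d
            - name: nginx-cache
              mountPath: /var/cache/nginx
      # One emptyDir per writable path above; nothing else is mounted.
      volumes:
        - name: log-agent
          emptyDir: {}
        - name: log-supervisor
          emptyDir: {}
        - name: log-nginx
          emptyDir: {}
        - name: nginx-confd
          emptyDir: {}
        - name: tmp
          emptyDir: {}
        - name: supervisor-confd
          emptyDir: {}
        - name: nginx-cache
          emptyDir: {}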
---
# Cluster-internal Service in front of the agent's HTTP port (8080). ClusterIP
# keeps it reachable only from inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: anodot-agent
  labels:
    app.kubernetes.io/name: anodot-agent
    app.kubernetes.io/instance: anodot-agent
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: anodot-agent
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: http