336 lines
12 KiB
YAML
336 lines
12 KiB
YAML
global:
|
|
defaultStorageClass: "freeleaps-node-local"
|
|
storageClass: "freeleaps-node-local"
|
|
security:
|
|
allowInsecureImages: false
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnami/rabbitmq
|
|
tag: 4.0.6-debian-12-r0
|
|
pullPolicy: IfNotPresent
|
|
debug: true
|
|
namespaceOverride: "freeleaps-alpha"
|
|
clusterDomain: freeleaps.cluster
|
|
automountServiceAccountToken: true
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
limits:
|
|
cpu: 300m
|
|
memory: 512Mi
|
|
auth:
|
|
username: user
|
|
password: ""
|
|
securePassword: true
|
|
updatePassword: true
|
|
enableLoopbackUser: false
|
|
tls:
|
|
enabled: false
|
|
logs: "-"
|
|
ulimitNofiles: "65535"
|
|
plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s"
|
|
queue_master_locator: min-masters
|
|
clustering:
|
|
## @param clustering.enabled Enable RabbitMQ clustering
|
|
##
|
|
enabled: true
|
|
## @param clustering.name RabbitMQ cluster name
|
|
## If not set, a name is generated using the common.names.fullname template
|
|
##
|
|
name: "freeleaps-alpha"
|
|
addressType: hostname
|
|
rebalance: false
|
|
forceBoot: false
|
|
partitionHandling: autoheal
|
|
# See: https://github.com/bitnami/charts/issues/25698#issuecomment-2110562416
|
|
podManagementPolicy: Parallel
|
|
terminationGracePeriodSeconds: 120
|
|
volumePermissions:
|
|
enabled: true
|
|
containerPorts:
|
|
amqp: 5672
|
|
amqpTls: 5671
|
|
dist: 25672
|
|
manager: 15672
|
|
epmd: 4369
|
|
metrics: 9419
|
|
tcpListenOptions:
|
|
enabled: true
|
|
backlog: 128
|
|
nodelay: true
|
|
linger:
|
|
lingerOn: true
|
|
timeout: 0
|
|
keepalive: false
|
|
configuration: |-
|
|
## Username and password
|
|
default_user = {{ .Values.auth.username }}
|
|
{{- if and (not .Values.auth.securePassword) .Values.auth.password }}
|
|
default_pass = {{ .Values.auth.password }}
|
|
{{- end }}
|
|
{{- if .Values.clustering.enabled }}
|
|
## Clustering
|
|
##
|
|
cluster_name = {{ default (include "common.names.fullname" .) .Values.clustering.name }}
|
|
cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
|
|
cluster_formation.k8s.host = kubernetes.default
|
|
cluster_formation.k8s.address_type = {{ .Values.clustering.addressType }}
|
|
{{- $svcName := printf "%s-%s" (include "common.names.fullname" .) (default "headless" .Values.servicenameOverride) }}
|
|
cluster_formation.k8s.service_name = {{ $svcName }}
|
|
cluster_formation.k8s.hostname_suffix = .{{ $svcName }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}
|
|
cluster_formation.node_cleanup.interval = 10
|
|
cluster_formation.node_cleanup.only_log_warning = true
|
|
cluster_partition_handling = {{ .Values.clustering.partitionHandling }}
|
|
{{- end }}
|
|
{{ if and .Values.clustering.enabled .Values.loadDefinition.enabled }}
|
|
cluster_formation.target_cluster_size_hint = {{ .Values.replicaCount }}
|
|
{{ end }}
|
|
{{- if .Values.loadDefinition.enabled }}
|
|
load_definitions = {{ .Values.loadDefinition.file }}
|
|
{{- end }}
|
|
# queue master locator
|
|
queue_master_locator = {{ .Values.queue_master_locator }}
|
|
# enable loopback user
|
|
{{- if not (empty .Values.auth.username) }}
|
|
loopback_users.{{ .Values.auth.username }} = {{ .Values.auth.enableLoopbackUser }}
|
|
{{- else}}
|
|
loopback_users.guest = {{ .Values.auth.enableLoopbackUser }}
|
|
{{- end }}
|
|
{{ template "rabbitmq.extraConfiguration" . }}
|
|
{{- if .Values.auth.tls.enabled }}
|
|
ssl_options.verify = {{ .Values.auth.tls.sslOptionsVerify }}
|
|
listeners.ssl.default = {{ .Values.service.ports.amqpTls }}
|
|
ssl_options.fail_if_no_peer_cert = {{ .Values.auth.tls.failIfNoPeerCert }}
|
|
ssl_options.cacertfile = /opt/bitnami/rabbitmq/certs/ca_certificate.pem
|
|
ssl_options.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem
|
|
ssl_options.keyfile = /opt/bitnami/rabbitmq/certs/server_key.pem
|
|
{{- if .Values.auth.tls.sslOptionsPassword.enabled }}
|
|
ssl_options.password = {{ include "common.secrets.passwords.manage" (dict "secret" .Values.auth.tls.sslOptionsPassword.existingSecret "key" .Values.auth.tls.sslOptionsPassword.key "providedValues" (list "auth.tls.sslOptionsPassword.password") "skipB64enc" true "failOnNew" false "context" $) }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.ldap.enabled }}
|
|
auth_backends.1.authn = ldap
|
|
auth_backends.1.authz = {{ ternary "ldap" "internal" .Values.ldap.authorisationEnabled }}
|
|
auth_backends.2 = internal
|
|
{{- $host := list }}
|
|
{{- $port := ternary 636 389 .Values.ldap.tls.enabled }}
|
|
{{- if .Values.ldap.uri }}
|
|
{{- $hostPort := get (urlParse .Values.ldap.uri) "host" }}
|
|
{{- $host = list (index (splitList ":" $hostPort) 0) -}}
|
|
{{- if (contains ":" $hostPort) }}
|
|
{{- $port = index (splitList ":" $hostPort) 1 -}}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- range $index, $server := concat $host .Values.ldap.servers }}
|
|
auth_ldap.servers.{{ add $index 1 }} = {{ $server }}
|
|
{{- end }}
|
|
auth_ldap.port = {{ coalesce .Values.ldap.port $port }}
|
|
{{- if or .Values.ldap.user_dn_pattern .Values.ldap.userDnPattern }}
|
|
auth_ldap.user_dn_pattern = {{ coalesce .Values.ldap.user_dn_pattern .Values.ldap.userDnPattern }}
|
|
{{- end }}
|
|
{{- if .Values.ldap.basedn }}
|
|
auth_ldap.dn_lookup_base = {{ .Values.ldap.basedn }}
|
|
{{- end }}
|
|
{{- if .Values.ldap.uidField }}
|
|
auth_ldap.dn_lookup_attribute = {{ .Values.ldap.uidField }}
|
|
{{- end }}
|
|
{{- if .Values.ldap.binddn }}
|
|
auth_ldap.dn_lookup_bind.user_dn = {{ .Values.ldap.binddn }}
|
|
auth_ldap.dn_lookup_bind.password = {{ required "'ldap.bindpw' is required when 'ldap.binddn' is defined" .Values.ldap.bindpw }}
|
|
{{- end }}
|
|
{{- if .Values.ldap.tls.enabled }}
|
|
auth_ldap.use_ssl = {{ not .Values.ldap.tls.startTls }}
|
|
auth_ldap.use_starttls = {{ .Values.ldap.tls.startTls }}
|
|
{{- if .Values.ldap.tls.CAFilename }}
|
|
auth_ldap.ssl_options.cacertfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ .Values.ldap.tls.CAFilename }}
|
|
{{- end }}
|
|
{{- if .Values.ldap.tls.certFilename }}
|
|
auth_ldap.ssl_options.certfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ .Values.ldap.tls.certFilename }}
|
|
auth_ldap.ssl_options.keyfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ required "'ldap.tls.certKeyFilename' is required when 'ldap.tls.certFilename' is defined" .Values.ldap.tls.certKeyFilename }}
|
|
{{- end }}
|
|
{{- if .Values.ldap.tls.skipVerify }}
|
|
auth_ldap.ssl_options.verify = verify_none
|
|
auth_ldap.ssl_options.fail_if_no_peer_cert = false
|
|
{{- else if .Values.ldap.tls.verify }}
|
|
auth_ldap.ssl_options.verify = {{ .Values.ldap.tls.verify }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
## Prometheus metrics
|
|
##
|
|
prometheus.tcp.port = {{ .Values.containerPorts.metrics }}
|
|
{{- if .Values.memoryHighWatermark.enabled }}
|
|
## Memory Threshold
|
|
##
|
|
{{- if (dig "limits" "memory" "" .Values.resources) }}
|
|
total_memory_available_override_value = {{ include "rabbitmq.toBytes" (dig "limits" "memory" "" .Values.resources) }}
|
|
{{- end }}
|
|
{{- if (eq .Values.memoryHighWatermark.type "absolute") }}
|
|
vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ include "rabbitmq.toBytes" .Values.memoryHighWatermark.value }}
|
|
{{- else if (eq .Values.memoryHighWatermark.type "relative") }}
|
|
vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ .Values.memoryHighWatermark.value }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.tcpListenOptions.enabled }}
|
|
## TCP Listen Options
|
|
##
|
|
tcp_listen_options.backlog = {{ .Values.tcpListenOptions.backlog }}
|
|
tcp_listen_options.nodelay = {{ .Values.tcpListenOptions.nodelay }}
|
|
tcp_listen_options.linger.on = {{ .Values.tcpListenOptions.linger.lingerOn }}
|
|
tcp_listen_options.linger.timeout = {{ .Values.tcpListenOptions.linger.timeout }}
|
|
tcp_listen_options.keepalive = {{ .Values.tcpListenOptions.keepalive }}
|
|
{{- end }}
|
|
extraConfiguration: |-
|
|
#default_vhost = {{ .Release.Namespace }}-vhost
|
|
#disk_free_limit.absolute = 50MB
|
|
replicaCount: 1
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroupChangePolicy: Always
|
|
sysctls: []
|
|
supplementalGroups: []
|
|
fsGroup: 1001
|
|
containerSecurityContext:
|
|
enabled: true
|
|
seLinuxOptions: {}
|
|
runAsUser: 1001
|
|
runAsGroup: 1001
|
|
runAsNonRoot: true
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
resourcesPreset: "medium"
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 120
|
|
timeoutSeconds: 20
|
|
periodSeconds: 30
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 120
|
|
timeoutSeconds: 20
|
|
periodSeconds: 30
|
|
failureThreshold: 3
|
|
successThreshold: 1
|
|
pdb:
|
|
create: true
|
|
minAvailable: "1"
|
|
persistence:
|
|
enabled: true
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
mountPath: /opt/bitnami/rabbitmq/.rabbitmq/mnesia
|
|
size: 8Gi
|
|
service:
|
|
type: ClusterIP
|
|
portEnabled: true
|
|
distPortEnabled: true
|
|
managerPortEnabled: true
|
|
epmdPortEnabled: true
|
|
ports:
|
|
amqp: 5672
|
|
amqpTls: 5671
|
|
dist: 25672
|
|
manager: 15672
|
|
metrics: 9419
|
|
epmd: 4369
|
|
portNames:
|
|
amqp: "amqp"
|
|
amqpTls: "amqp-tls"
|
|
dist: "dist"
|
|
manager: "http-stats"
|
|
metrics: "metrics"
|
|
epmd: "epmd"
|
|
networkPolicy:
|
|
enabled: true
|
|
kubeAPIServerPorts: [443, 6443, 8443]
|
|
allowExternal: true
|
|
allowExternalEgress: true
|
|
addExternalClientAccess: true
|
|
metrics:
|
|
enabled: true
|
|
plugins: "rabbitmq_prometheus"
|
|
podAnnotations:
|
|
prometheus.io/scrape: "true"
|
|
prometheus.io/port: "{{ .Values.service.ports.metrics }}"
|
|
serviceMonitor:
|
|
namespace: "freeleaps-monitoring-system"
|
|
default:
|
|
enabled: true
|
|
interval: 30s
|
|
perObject:
|
|
enabled: true
|
|
interval: 30s
|
|
detailed:
|
|
enabled: true
|
|
interval: 30s
|
|
prometheusRule:
|
|
enabled: true
|
|
namespace: "freeleaps-monitoring-system"
|
|
rules:
|
|
- alert: RabbitmqDown
|
|
expr: rabbitmq_up{service="{{ template "common.names.fullname" . }}"} == 0
|
|
for: 5m
|
|
labels:
|
|
severity: error
|
|
annotations:
|
|
summary: Rabbitmq down (instance {{ "{{ $labels.instance }}" }})
|
|
description: RabbitMQ node down
|
|
- alert: ClusterDown
|
|
expr: |
|
|
sum(rabbitmq_running{service="{{ template "common.names.fullname" . }}"})
|
|
< {{ .Values.replicaCount }}
|
|
for: 5m
|
|
labels:
|
|
severity: error
|
|
annotations:
|
|
summary: Cluster down (instance {{ "{{ $labels.instance }}" }})
|
|
description: |
|
|
Less than {{ .Values.replicaCount }} nodes running in RabbitMQ cluster
|
|
VALUE = {{ "{{ $value }}" }}
|
|
- alert: ClusterPartition
|
|
expr: rabbitmq_partitions{service="{{ template "common.names.fullname" . }}"} > 0
|
|
for: 5m
|
|
labels:
|
|
severity: error
|
|
annotations:
|
|
summary: Cluster partition (instance {{ "{{ $labels.instance }}" }})
|
|
description: |
|
|
Cluster partition
|
|
VALUE = {{ "{{ $value }}" }}
|
|
- alert: OutOfMemory
|
|
expr: |
|
|
rabbitmq_node_mem_used{service="{{ template "common.names.fullname" . }}"}
|
|
/ rabbitmq_node_mem_limit{service="{{ template "common.names.fullname" . }}"}
|
|
* 100 > 90
|
|
for: 5m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: Out of memory (instance {{ "{{ $labels.instance }}" }})
|
|
description: |
|
|
Memory available for RabbmitMQ is low (< 10%)\n VALUE = {{ "{{ $value }}" }}
|
|
LABELS: {{ "{{ $labels }}" }}
|
|
- alert: TooManyConnections
|
|
expr: rabbitmq_connectionsTotal{service="{{ template "common.names.fullname" . }}"} > 1000
|
|
for: 5m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: Too many connections (instance {{ "{{ $labels.instance }}" }})
|
|
description: |
|
|
RabbitMQ instance has too many connections (> 1000)
|
|
VALUE = {{ "{{ $value }}" }}\n LABELS: {{ "{{ $labels }}" }}
|
|
ingress:
|
|
enabled: true
|
|
path: /
|
|
pathType: ImplementationSpecific
|
|
hostname: alpha.rabbitmq.freeleaps.mathmast.com
|
|
tls: true
|
|
existingSecret: "alpha.rabbitmq.freeleaps.mathmast.com-cert"
|
|
ingressClassName: "nginx"
|