add enable_tcp_keepalive variable
givanovexpe committed Jun 28, 2024
1 parent 5ffa8bd commit 5a6bba2
Showing 3 changed files with 22 additions and 16 deletions.
2 changes: 1 addition & 1 deletion k8s-readonly.tf
Expand Up @@ -43,7 +43,7 @@ resource "kubernetes_deployment_v1" "apiary_hms_readonly" {
service_account_name = kubernetes_service_account_v1.hms_readonly[0].metadata.0.name
automount_service_account_token = true
dynamic "security_context" {
for_each = var.enable_tcp_keepalive_podsecurity_policy ? ["enabled"] : []
for_each = var.enable_tcp_keepalive ? ["enabled"] : []
content {
sysctl {
name="net.ipv4.tcp_keepalive_time"
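Review bot: Switching the for_each condition to `var.enable_tcp_keepalive` leaves `var.enable_tcp_keepalive_podsecurity_policy` declared in variables.tf (this commit moves that declaration but keeps it) with no remaining reference, so an existing caller that sets the old variable to true silently loses the keepalive sysctls on the next apply. Either honour both during a deprecation window, `for_each = (var.enable_tcp_keepalive || var.enable_tcp_keepalive_podsecurity_policy) ? ["enabled"] : []`, or remove the old declaration in the same change so Terraform warns about or rejects the stale input instead of ignoring it. The same condition is changed identically in k8s-readwrite.tf. The `kubernetes_deployment_v1` resource and the `sysctl` content block both begin and end outside the hunk.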
2 changes: 1 addition & 1 deletion k8s-readwrite.tf
Expand Up @@ -43,7 +43,7 @@ resource "kubernetes_deployment_v1" "apiary_hms_readwrite" {
service_account_name = kubernetes_service_account_v1.hms_readwrite[0].metadata.0.name
automount_service_account_token = true
dynamic "security_context" {
for_each = var.enable_tcp_keepalive_podsecurity_policy ? ["enabled"] : []
for_each = var.enable_tcp_keepalive ? ["enabled"] : []
content {
sysctl {
name="net.ipv4.tcp_keepalive_time"
34 changes: 20 additions & 14 deletions variables.tf
Expand Up @@ -758,20 +758,6 @@ variable "datadog_agent_enabled" {
default = false
}

variable "enable_tcp_keepalive_podsecurity_policy" {
description = <<EOF
Enable Podsecurity Policy for using setting tcp_keepalive settings on HMS pods. To use this you need to enable
sysctl configuration on your kubernetes cluster. For EKS you need to allow this on your cluster
(https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ check EKS version for details).
Also see tcp_keepalive_* variables."
NOTE: You only need to use this setting up to kubernetes 1.24 as from 1.25 onwards podsecurity policies are deprecated as per
https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes
EOF
type = bool
default = false
}

variable "apiary_common_producer_iamroles" {
description = "AWS IAM roles allowed read-write access to managed Apiary S3 buckets."
type = list(string)
Expand Down Expand Up @@ -802,6 +788,26 @@ variable "hms_rw_datanucleus_connection_pool_config" {
default = {}
}

variable "enable_tcp_keepalive_podsecurity_policy" {
description = <<EOF
Enable Podsecurity Policy for using setting tcp_keepalive settings on HMS pods. To use this you need to enable
sysctl configuration on your kubernetes cluster. For EKS you need to allow this on your cluster
(https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ check EKS version for details).
Also see tcp_keepalive_* variables."
NOTE: You only need to use this setting up to kubernetes 1.24 as from 1.25 onwards podsecurity policies are deprecated as per
https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes
EOF
type = bool
default = false
}

variable "enable_tcp_keepalive" {
description = "Enable tcp keepalive settings on the hms pods"
type = bool
default = false
}

variable "tcp_keepalive_time" {
description = "Sets net.ipv4.tcp_keepalive_time (seconds)."
type = number
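Review bot: The description of the new `enable_tcp_keepalive` variable drops the operational prerequisite that the retained `enable_tcp_keepalive_podsecurity_policy` description spells out: these `net.ipv4.tcp_keepalive_*` sysctls are applied through the pod `security_context`, and on a cluster whose kubelets do not allow them the HMS pods will be refused rather than the setting being ignored (I believe this surfaces as a SysctlForbidden pod status; worth confirming for the target EKS versions). Suggest `description = "Enable net.ipv4.tcp_keepalive_* sysctls on the HMS pods via the pod security_context. The cluster must allow these sysctls (see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/). Also see the tcp_keepalive_* variables."`. The moved `enable_tcp_keepalive_podsecurity_policy` block is no longer referenced by either deployment in this commit, so its heredoc should state that it is deprecated in favour of `enable_tcp_keepalive`, and the stray `"` after `Also see tcp_keepalive_* variables.` inside that heredoc can be dropped while it is being touched. The `tcp_keepalive_time` variable at the end of the hunk continues past it.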
