Commit

testing
givanovexpe committed Jun 29, 2024
1 parent 5a6bba2 commit e84a1e3
Showing 5 changed files with 13 additions and 93 deletions.
2 changes: 1 addition & 1 deletion VARIABLES.md
Expand Up @@ -122,7 +122,7 @@
| datadog_key_secret_name | Name of the secret containing the DataDog API key. This needs to be created manually in AWS secrets manager. This is only applicable to ECS deployments. | string | null | no |
| datadog_agent_version | Version of the Datadog Agent running in the ECS cluster. This is only applicable to ECS deployments. | string | 7.50.3-jmx | no |
| datadog_agent_enabled | Whether to include the datadog-agent container. This is only applicable to ECS deployments. | string | false | no |
| enable_tcp_keepalive_podsecurity_policy | Enable Podsecurity Policy for using setting tcp_keepalive settings on HMS pods. To use this you need to enable sysctl configuration on your kubernetes cluster. For EKS you need to allow this on your cluster (https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ check EKS version for details). Also see tcp_keepalive_* variables." You only need to use this setting up to kubernetes 1.24 as from 1.25 onwards podsecurity policies are deprecated as per https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes | bool | false | no |
| enable_tcp_keepalive | tcp_keepalive settings on HMS pods. To use this you need to enable the ability to cahnge sysctl settings on your kubernetes cluster. For EKS you need to allow this on your cluster (https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ check EKS version for details). If your EKS version is below 1.24 you need to create a PodSecurityPolicy allowing the following sysctls "net.ipv4.tcp_keepalive_time", "net.ipv4.tcp_keepalive_intvl","net.ipv4.tcp_keepalive_probes" and a ClusterRole + Rolebinding for the service account running the HMS pods or all services accounts in the namespace where Apiary is running so that kubernetes can apply the tcp)keepalive configuration. For EKS 1.25 and above check this https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes. Also see tcp_keepalive_* variables. | bool | false | no |
| tcp_keepalive_time | Sets net.ipv4.tcp_keepalive_time (seconds). | number | `200` | no |
| tcp_keepalive_intvl | Sets net.ipv4.tcp_keepalive_intvl (seconds) | number | `30` | no |
| tcp_keepalive_probes | Sets net.ipv4.tcp_keepalive_probes (seconds) | number | `2` | no |
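Review bot: the replacement `enable_tcp_keepalive` row tells operators to create the PodSecurityPolicy, ClusterRole and RoleBinding by hand and offers "all services accounts in the namespace where Apiary is running" as a binding target; I would recommend only the service account running the HMS pods, so that permission to set these sysctls is not granted to every workload in the namespace. The row also says "below 1.24" for the PodSecurityPolicy path and "1.25 and above" for the other, which leaves 1.24 itself uncovered (the removed row said "up to kubernetes 1.24"). The 1.25-and-above case only links to the release blog post; one sentence on what the operator has to configure there would help. Smaller points in the same row: "cahnge", "tcp)keepalive" and "Rolebinding" are typos, and the description now opens mid-sentence with "tcp_keepalive settings on HMS pods." where the old row opened with "Enable". In the unchanged context, `tcp_keepalive_probes` is documented as "(seconds)" although it is a probe count.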
12 changes: 6 additions & 6 deletions k8s-readonly.tf
Expand Up @@ -46,16 +46,16 @@ resource "kubernetes_deployment_v1" "apiary_hms_readonly" {
for_each = var.enable_tcp_keepalive ? ["enabled"] : []
content {
sysctl {
name="net.ipv4.tcp_keepalive_time"
value= var.tcp_keepalive_time
name = "net.ipv4.tcp_keepalive_time"
value = var.tcp_keepalive_time
}
sysctl {
name="net.ipv4.tcp_keepalive_intvl"
value= var.tcp_keepalive_intvl
name = "net.ipv4.tcp_keepalive_intvl"
value = var.tcp_keepalive_intvl
}
sysctl {
name="net.ipv4.tcp_keepalive_probes"
value= var.tcp_keepalive_probes
name = "net.ipv4.tcp_keepalive_probes"
value = var.tcp_keepalive_probes
}
}
}
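Review bot: the `for_each = var.enable_tcp_keepalive ? ["enabled"] : []` gate above these `sysctl` blocks is now the only switch for the feature, and with `enable_tcp_keepalive_podsecurity_policy` removed in this commit the cluster-side prerequisite exists only as prose in VARIABLES.md. A short comment at the `for_each` pointing to that prerequisite (the sysctls must be allowed on the cluster, and on older EKS a PodSecurityPolicy must exist) would save the next reader from enabling the flag on an unprepared cluster. The edits to the `name`/`value` lines themselves are whitespace only and look fine.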
12 changes: 6 additions & 6 deletions k8s-readwrite.tf
Expand Up @@ -46,16 +46,16 @@ resource "kubernetes_deployment_v1" "apiary_hms_readwrite" {
for_each = var.enable_tcp_keepalive ? ["enabled"] : []
content {
sysctl {
name="net.ipv4.tcp_keepalive_time"
value= var.tcp_keepalive_time
name = "net.ipv4.tcp_keepalive_time"
value = var.tcp_keepalive_time
}
sysctl {
name="net.ipv4.tcp_keepalive_intvl"
value= var.tcp_keepalive_intvl
name = "net.ipv4.tcp_keepalive_intvl"
value = var.tcp_keepalive_intvl
}
sysctl {
name="net.ipv4.tcp_keepalive_probes"
value= var.tcp_keepalive_probes
name = "net.ipv4.tcp_keepalive_probes"
value = var.tcp_keepalive_probes
}
}
}
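Review bot: these three `sysctl` blocks are line for line the same as the ones in k8s-readonly.tf, so any later change to a sysctl name or variable has to be made in two places and can drift between the read-only and read-write deployments. Consider defining the name/value pairs once, for example in a `locals` map, and generating the `sysctl` blocks from it in both resources.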
66 changes: 0 additions & 66 deletions k8s-tcp-keepalive.tf

This file was deleted.

14 changes: 0 additions & 14 deletions variables.tf
Expand Up @@ -788,20 +788,6 @@ variable "hms_rw_datanucleus_connection_pool_config" {
default = {}
}

variable "enable_tcp_keepalive_podsecurity_policy" {
description = <<EOF
Enable Podsecurity Policy for using setting tcp_keepalive settings on HMS pods. To use this you need to enable
sysctl configuration on your kubernetes cluster. For EKS you need to allow this on your cluster
(https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ check EKS version for details).
Also see tcp_keepalive_* variables."
NOTE: You only need to use this setting up to kubernetes 1.24 as from 1.25 onwards podsecurity policies are deprecated as per
https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes
EOF
type = bool
default = false
}

variable "enable_tcp_keepalive" {
description = "Enable tcp keepalive settings on the hms pods"
type = bool
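Review bot: deleting `variable "enable_tcp_keepalive_podsecurity_policy"` outright is a breaking change for any caller that still sets it, because Terraform rejects module arguments that are not declared; no changelog file is among the five changed files and the commit message "testing" does not mention it, so please record the removal and the manual PodSecurityPolicy step somewhere callers will see it. Separately, the remaining `enable_tcp_keepalive` variable keeps the one-line description "Enable tcp keepalive settings on the hms pods" while VARIABLES.md now carries the long prerequisite text, so the two have drifted; moving that text into this `description` keeps the generated docs and the variable in sync.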