Patch Library

Although Instabase sends you base configurations, you can modify or add to your configuration with patches. The following are examples of patches you may use to modify your configuration.

Aws Access Key As Secret

This patch reads the AWS Access Key for S3 mounts from a secret instead of the default env var.

# target: deployment-core-platform-service

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: AWS_ACCESS_KEY_ID
              $patch: replace
              valueFrom:
                secretKeyRef:
                  name: aws-access-key
                  key: access-key

Aws Secret Access Key As Secret

This patch reads the AWS Secret Access Key for S3 mounts from a secret instead of the default env var.

# target: deployment-core-platform-service

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: AWS_SECRET_ACCESS_KEY
              $patch: replace
              valueFrom:
                secretKeyRef:
                  name: aws-access-key
                  key: secret-access-key

Basic Operations Patches


Delete

You can delete sections of your configuration using “$patch: delete”. The following patch deletes rollingUpdate while setting type to Recreate, which changes the deployment strategy.

# target: <target name>

kind: Deployment
spec:
  strategy:
    type: Recreate
    rollingUpdate:
      $patch: delete   # the directive sits inside the map being removed

Replace

You can replace sections of your configuration using “$patch: replace”. The following patch replaces the existing SOME_API_KEY env entry wholesale with the entry given next to “$patch: replace” (a secretKeyRef), rather than merging the two.

# target: <target name>

kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: my-deployment
          env:
            - name: SOME_API_KEY
              $patch: replace
              valueFrom:
                secretKeyRef:
                  name: instabase-secrets
                  key: some_api_key
                  
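Worked example, added here and not Instabase's tooling or code from this page: a small Python implementation of the strategic-merge semantics the Delete and Replace patches above rely on, applied to a constructed base Deployment. Maps merge key by key, lists merge on the name key, a "$patch: delete" inside a map or list item removes that node, and a "$patch: replace" substitutes the patch body for the node instead of merging. The base manifest, its image and its env values are constructed; the two patches are this section's Delete patch (written with the directive nested under rollingUpdate, the key being removed) and Replace patch.

```python
import copy
import json

DIRECTIVE = "$patch"
MERGE_KEY = "name"  # containers, env and volumes all merge on "name" (simplification: one key for every list)


def strategic_merge(base, patch):
    """Merge `patch` into `base` (plain dicts/lists/scalars) and return a new object.
    Returns None when the patch deletes the node, so the caller can drop the key."""
    if isinstance(patch, dict):
        directive = patch.get(DIRECTIVE)
        if directive == "delete":
            return None
        if directive == "replace":
            # Use the patch body as-is instead of merging it into the base.
            return copy.deepcopy({k: v for k, v in patch.items() if k != DIRECTIVE})
        result = copy.deepcopy(base) if isinstance(base, dict) else {}
        for key, patch_value in patch.items():
            merged = strategic_merge(result.get(key), patch_value)
            if merged is None:
                result.pop(key, None)
            else:
                result[key] = merged
        return result
    if isinstance(patch, list):
        result = copy.deepcopy(base) if isinstance(base, list) else []
        for item in patch:
            if not (isinstance(item, dict) and MERGE_KEY in item):
                result.append(copy.deepcopy(item))  # no merge key: plain append
                continue
            idx = next((i for i, existing in enumerate(result)
                        if isinstance(existing, dict) and existing.get(MERGE_KEY) == item[MERGE_KEY]), None)
            merged = strategic_merge(result[idx] if idx is not None else None, item)
            if merged is None:
                if idx is not None:
                    del result[idx]
            elif idx is None:
                result.append(merged)
            else:
                result[idx] = merged
        return result
    return copy.deepcopy(patch)  # scalars: the patch value wins


# Constructed base Deployment (image and env values are placeholders for the example).
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "spec": {
        "strategy": {"type": "RollingUpdate",
                     "rollingUpdate": {"maxSurge": "25%", "maxUnavailable": "25%"}},
        "template": {"spec": {"containers": [{
            "name": "my-deployment",
            "image": "example.invalid/app:1.0",
            "env": [
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "SOME_API_KEY", "value": "plaintext-placeholder"},
            ],
        }]}},
    },
}

# The Delete patch: directive nested under the key being removed.
DELETE_PATCH = {"spec": {"strategy": {"type": "Recreate", "rollingUpdate": {DIRECTIVE: "delete"}}}}

# The Replace patch: the SOME_API_KEY entry is swapped for a secretKeyRef, not merged.
REPLACE_PATCH = {"spec": {"template": {"spec": {"containers": [{
    "name": "my-deployment",
    "env": [{"name": "SOME_API_KEY", DIRECTIVE: "replace",
             "valueFrom": {"secretKeyRef": {"name": "instabase-secrets", "key": "some_api_key"}}}],
}]}}}}


def apply_patches(base, patches):
    """Apply patches in order; the base object is never mutated."""
    result = base
    for patch in patches:
        result = strategic_merge(result, patch)
    return result


def env_of(deployment, container_name):
    """Return the env entries of one container keyed by variable name."""
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        if container["name"] == container_name:
            return {entry["name"]: entry for entry in container["env"]}
    raise KeyError(container_name)


if __name__ == "__main__":
    patched = apply_patches(BASE_DEPLOYMENT, [DELETE_PATCH, REPLACE_PATCH])
    print(json.dumps(patched["spec"]["strategy"], indent=2))
    print(json.dumps(env_of(patched, "my-deployment")["SOME_API_KEY"], indent=2))
```

The point of the replace directive shows in the result: a plain merge would have kept the base's literal value next to the new valueFrom, and Kubernetes rejects an env entry that has both; with "$patch: replace" only the secretKeyRef survives.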

Database Patches


Database Connection Params

This patch configures the database connection string for a given environment. It should be applied to the database resource label, which maps to all deployment objects that need to connect to the database. Before applying this patch, you should fill in the value for the database connection string.

# target: database

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: INSTABASE_BACKEND_DB_PARAMS
              value: ""

Database Connection String As Secret

This patch reads the database connection string from a secret instead of a literal value.

# target: database

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: INSTABASE_BACKEND_DB_PARAMS
              $patch: replace
              valueFrom:
                secretKeyRef:
                  name: database-conn-params
                  key: db_conn_string

Mysql Database Tls Params

This patch configures the database connection string for a given environment, along with the TLS environment variables and the volume mount for the MySQL certificates. If you are not using a secret for the certificates, remove the volumeMounts and volumes sections. It should be applied to the database resource label, which maps to all deployment objects that need to connect to the database. Before applying this patch, fill in the value for the database connection string.

# target: database

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: INSTABASE_BACKEND_DB_PARAMS
              value: ""
            - name: DB_TLS_ENABLE
              value: ""
            - name: DB_TLS_ENABLE_CLIENT_CERT
              value: ""
            - name: DB_TLS_CLIENT_KEY_PATH
              value: ""
            - name: DB_TLS_CLIENT_CERT_PATH
              value: ""
            - name: DB_TLS_ROOT_CERT_PATH
              value: ""
            - name: DB_TLS_CERT_HOSTNAME
              value: ""
            - name: DB_TLS_SKIP_VERIFY
              value: ""
          volumeMounts:
            - name: db-tls-metadata
              mountPath: /etc/secrets/db/tls
              readOnly: true
      volumes:
        - name: db-tls-metadata
          secret:
            secretName: db-tls-metadata

Disable Pdb


Pdb Api Server

This patch disables PDB.

# target: pdb-api-server

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: pdb-api-server
spec:
  maxUnavailable: 100%

Pdb Apps Server

This patch disables PDB.

# target: pdb-apps-server

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: pdb-apps-server
spec:
  maxUnavailable: 100%

Pdb Core Platform Service

This patch disables PDB.

# target: pdb-core-platform-service

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: pdb-core-platform-service
spec:
  maxUnavailable: 100%

Pdb File Tservice

This patch disables PDB.

# target: pdb-file-tservice

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: pdb-file-tservice
spec:
  maxUnavailable: 100%

Pdb Server Nginx

This patch disables PDB.

# target: pdb-server-nginx

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: pdb-server-nginx
spec:
  maxUnavailable: 100%

Pdb Webapp

This patch disables PDB.

# target: pdb-webapp

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: pdb-webapp
spec:
  maxUnavailable: 100%

File Tservice Storage Params Localfs

This patch configures the LocalFS storage parameters for a given environment. It should be applied to the file-tservice container. Before applying these patches, you should fill in the values below.

# target: file-tservice

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          volumeMounts:
            - name: persistent-storage
              mountPath: ""   # path inside the container where LocalFS data is mounted
      volumes:
        - name: persistent-storage
          persistentVolumeClaim:
            claimName: ""     # name of the PersistentVolumeClaim

Managed Mq Patches


Deployment Rabbitmq

This patch configures resources to connect to an external instance of RabbitMQ using SSL. <AMAZON_MQ_USERNAME> should be replaced by the Amazon MQ user. <AMAZON_MQ_PASSWORD> should be replaced by the Amazon MQ password. <AMAZON_MQ_ENDPOINT> should be replaced by the Amazon MQ endpoint.

# target: amqp

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: BROKER_URL
              value: "amqps://<AMAZON_MQ_USERNAME>:<AMAZON_MQ_PASSWORD>@<AMAZON_MQ_ENDPOINT>:5671"
            - name: RABBIT_MQ_URL
              value: "<AMAZON_MQ_ENDPOINT>"
            - name: RABBIT_MQ_PORT
              value: "5671"
            - name: RABBIT_MQ_USERNAME
              value: "<AMAZON_MQ_USERNAME>"
            - name: RABBIT_MQ_PASSWORD
              value: "<AMAZON_MQ_PASSWORD>"

External Amqp Network Policy

Opens the egress port for external RabbitMQ.

{
    "comment": "Open up port for external RabbitMQ.",
    "target": "amqp-client-egress-policies",
    "kind": "NetworkPolicy",
    "patch": [
        {
            "op": "add",
            "path": "/spec/egress/-",
            "value": {
                "ports": [
                    {
                        "protocol": "TCP",
                        "port": 5671
                    }
                ]
            }
        }
    ]
}

Managed Redis Patches


Cache_Deployments

This patch configures resources to connect to an external instance of Redis, usually ElastiCache. <ELASTICACHE_URL> should be replaced by the ElastiCache primary endpoint. If ElastiCache is deployed with in-transit encryption, change the value of CACHE_ENABLE_TLS to True.

# target: cache

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: CACHE_HOST
              value: <ELASTICACHE_URL>
            - name: CACHE_PERSISTENT_HOST
              value: <ELASTICACHE_URL>
            - name: CACHE_PERSISTENT_PORT
              value: "6379" # env values must be strings
            - name: CACHE_ENABLE_TLS
              value: "False" # set to "True" if in-transit encryption is enabled
            - name: CACHE_SSL_KEYFILE
              value: "" # always empty
            - name: CACHE_SSL_CERTFILE
              value: "" # always empty
            - name: CACHE_SSL_CACERTFILE
              value: "" # always empty
            - name: CACHE_PASSWORD
              value: "" # Redis AUTH token, if used

Deployment Redis

This patch can be used to shut down the self-hosted instance of Redis.

# target: deployment-redis

apiVersion: apps/v1
kind: Deployment
spec:
  replicas: 0

External Cache Network Policy

Opens the egress port for external Redis.

{
    "comment": "Open up port for external redis.",
    "target": "cache-client-egress-policies",
    "kind": "NetworkPolicy",
    "patch": [
        {
            "op": "add",
            "path": "/spec/egress/-",
            "value": {
                "ports": [
                    {
                        "protocol": "TCP",
                        "port": 6379
                    }
                ]
            }
        }
    ]
}

Statefulset Redis Persistent

This patch can be used to shut down the self-hosted persistent Redis StatefulSet.

# target: statefulset-redis-persistent

apiVersion: apps/v1
kind: StatefulSet
spec:
  replicas: 0

Metrics Patches


Metrics Audit Logs Black Hole

This patch sets the export endpoints for audit logs, metrics and logging to BLACK_HOLE.

# target: metrics-audit-logs

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: AUDIT_LOGS_EXPORT_ENDPOINT
              value: "BLACK_HOLE"
            - name: METRICS_EXPORT_ENDPOINT
              value: "BLACK_HOLE"
            - name: LOGGING_EXPORT_ENDPOINT
              value: "BLACK_HOLE"

Model Service Taint

Pins the model-service deployment to nodes labelled model-service=true (node affinity) and tolerates the matching model-service=true:NoSchedule taint.

# target: deployment-model-service

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: model-service
                    operator: In
                    values:
                      - "true"
      tolerations:
        - key: "model-service"
          operator: "Equal"
          value: "true"
          effect: "NoSchedule"

Mount Tservice Storage Params Localfs

This patch configures the LocalFS storage parameters for a given environment. It should be applied to the mount-tservice container. Before applying these patches, you should fill in the value below.

# target: mount-tservice

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: LOCAL_MOUNT_DIR
              value: ""

Mount Tservice Storage Params S3

This patch configures the S3 storage parameters for a given environment. It should be applied to the mount-tservice container. Before applying this patch, you should fill in the values for the S3 environment variables below.

# target: mount-tservice

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: CONTAINER_NAME
          env:
            - name: S3_SERVER_URL
              value: ""
            - name: S3_SERVER_IS_SECURE
              value: ""
            - name: AWS_ACCESS_KEY_ID
              value: ""
            - name: AWS_SECRET_ACCESS_KEY
              value: ""
            - name: S3_AWS_REGION
              value: ""
            - name: HOSTING_BUCKET
              value: ""
            - name: INSTABASE_BUCKET
              value: ""
            - name: HOSTED_S3_ENCRYPTION_TYPE
              value: ""
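
Added review check, not code from this page or from Instabase: the library shows two ways an S3 credential can reach a container, a secretKeyRef (Aws Access Key As Secret and Aws Secret Access Key As Secret) or a literal value left to be filled in (this Mount Tservice Storage Params S3 patch). The Python below walks a Deployment's containers and reports credential-named env entries that are not secret-backed, plus any value that is a URL with an embedded password, as the amqp BROKER_URL values elsewhere in the library are. The SENSITIVE_NAME pattern and the sample Deployment are constructed for the example; the patch names are this page's.

```python
import re
from urllib.parse import urlsplit

# Env var names that normally carry a credential. Constructed heuristic for this example;
# extend it with the names your platform uses.
SENSITIVE_NAME = re.compile(r"(ACCESS_KEY|SECRET|PASSWORD|_PASS\b|TOKEN|APIKEY|API_KEY)", re.IGNORECASE)


def url_has_credentials(value):
    """True for values such as amqp://user:pass@host:port, where a password is embedded in the URL."""
    if not value or "://" not in value:
        return False
    try:
        return bool(urlsplit(value).password)
    except ValueError:  # malformed URL; not this check's concern
        return False


def audit_env(deployment):
    """Walk every container env entry of a Deployment (as a dict) and return
    (container, env name, finding) tuples:
      literal            credential-named variable set with a non-empty literal value
      placeholder        credential-named variable with an empty literal value (still to be filled in)
      not-secret-backed  credential-named variable read via valueFrom from something other than a Secret
      url-creds          any variable whose value is a URL carrying a password
    Entries backed by secretKeyRef are accepted and not reported."""
    findings = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            name = env["name"]
            value_from = env.get("valueFrom")
            if value_from is not None:
                if "secretKeyRef" not in value_from and SENSITIVE_NAME.search(name):
                    findings.append((container["name"], name, "not-secret-backed"))
                continue
            value = env.get("value", "")
            if SENSITIVE_NAME.search(name):
                findings.append((container["name"], name, "literal" if value else "placeholder"))
            elif url_has_credentials(value):
                findings.append((container["name"], name, "url-creds"))
    return findings


# Constructed Deployment mixing the patterns seen in this library: a secretKeyRef, an empty
# placeholder, a literal, a ConfigMap-backed password and a URL with inline credentials.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
        "name": "mount-tservice",
        "env": [
            {"name": "S3_SERVER_URL", "value": "https://s3.example.invalid"},
            {"name": "AWS_ACCESS_KEY_ID", "value": ""},
            {"name": "AWS_SECRET_ACCESS_KEY",
             "valueFrom": {"secretKeyRef": {"name": "aws-access-key", "key": "secret-access-key"}}},
            {"name": "APIKEY", "value": "constructed-not-a-real-key"},
            {"name": "DB_PASSWORD",
             "valueFrom": {"configMapKeyRef": {"name": "db-config", "key": "password"}}},
            {"name": "BROKER_URL", "value": "amqp://guest:guest@localhost:45672"},
            {"name": "RABBIT_MQ_PORT", "value": "45672"},
            {"name": "CACHE_SSL_KEYFILE", "value": ""},
        ],
    }]}}},
}


if __name__ == "__main__":
    for container, name, finding in audit_env(SAMPLE_DEPLOYMENT):
        print("%s/%s: %s" % (container, name, finding))
```

Run it over a rendered manifest before applying a patch set: "placeholder" findings are values still to be filled in, "literal" and "url-creds" findings are credentials that will land in the pod spec (and in anything that can read it), and "not-secret-backed" findings are candidates for the secretKeyRef form the Aws Access Key As Secret patch shows.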

Msft Async Patches


Celery App Tasks Async

This patch sets celery-app-tasks to use async mode. To switch to ocr-msft async mode, apply all patches under the directory deployment-configs/patch-library/msft-async-patches. To switch back to sync mode, simply delete all the applied patches.

# target: deployment-celery-app-tasks

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: celery-app-tasks
          env:
            - name: OCR_MSFT_PROVIDER
              value: "ocr-msft-async"

Ocr Msft Envoy Config Async

This patch sets the ocr-msft envoy sidecar to accommodate async mode. To switch to ocr-msft async mode, apply all patches under the directory deployment-configs/patch-library/msft-async-patches. To switch back to sync mode, simply delete all the applied patches.

# target: ocr-msft-envoy-config

apiVersion: v1
kind: ConfigMap
metadata:
  name: ocr-msft-envoy-config
  namespace: ${ib.namespace}
data:
  envoy.yaml: |
    static_resources:
      # A listener is a network location that can be connected to by
      # downstream clients. The port_value 6000 is the envoy container port.
      listeners:
      - address:
          socket_address:
            address: 0.0.0.0
            port_value: 6000
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              codec_type: auto
              stat_prefix: ingress_http
              access_log:
              - name: envoy.access_loggers.stdout
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
              route_config:
                name: local_route
                virtual_hosts:
                  - name: service
                    domains:
                      - "*"
                    routes:
                      - match:
                          prefix: "/"
                        route:
                          cluster: local_service
                          timeout: 0s
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      # Routing the incoming requests to the service in the local cluster.
      # port_value 5000 is the ocr-msft container port.
      clusters:
      - name: local_service
        connect_timeout: 0.25s
        type: STRICT_DNS
        dns_lookup_family: V4_ONLY
        load_assignment:
          cluster_name: local_service
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 127.0.0.1
                    port_value: 5000
        # Maximum requests for a single upstream connection.
        max_requests_per_connection: 1
        circuit_breakers:
          thresholds:
          - priority: "DEFAULT"
            # The maximum number of requests that can be outstanding to all
            # hosts in a cluster at any given time. Setting to default value
            # 1024 in async mode.
            max_requests: 1024
            max_retries: 0
    admin:
      access_log_path: /dev/null
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 6001    

Ocr Msft Lite Async

This patch sets ocr-msft-lite to use async mode. To switch to ocr-msft async mode, apply all patches under the directory deployment-configs/patch-library/msft-async-patches. To switch back to sync mode, simply delete all the applied patches.

# target: deployment-ocr-msft-lite

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: ocr-msft-lite
        env:
          - name: Queue__RabbitMQ__Username
            value: "guest"
          - name: Queue__RabbitMQ__Password
            value: "guest"
          - name: Queue__RabbitMQ__HostName
            value: "localhost"
      volumes:
        - name: share-dir
          $patch: replace
          persistentVolumeClaim:
            claimName: msft-v3-lite-nfs

Ocr Msft V3 Async

This patch sets ocr-msft-v3 to use async mode. To switch to ocr-msft async mode, apply all patches under the directory deployment-configs/patch-library/msft-async-patches. To switch back to sync mode, simply delete all the applied patches.

# target: deployment-ocr-msft-v3

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: ocr-msft-v3
        env:
          - name: Queue__RabbitMQ__Username
            value: "guest"
          - name: Queue__RabbitMQ__Password
            value: "guest"
          - name: Queue__RabbitMQ__HostName
            value: "localhost"
      volumes:
        - name: share-dir
          $patch: replace
          persistentVolumeClaim:
            claimName: msft-v3-nfs

Network Policy Patches


Add Network Policy

The following patch adds a port to test-service-egress.

{
    "comment": "The following patch adds a port to test-service-egress",
    "kind": "NetworkPolicy",
    "target": "test-service-egress",
    "patch": [
      {
        "op": "add",
        "path": "/spec/egress/1/ports/-",
        "value": {
          "protocol": "TCP",
          "port": 9001
        }
      }
    ]
}
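
Worked example, added here and not Instabase's code: the three NetworkPolicy entries in this library (External Amqp Network Policy, External Cache Network Policy and the one above) are RFC 6902 JSON Patch "add" operations in two path forms, "/spec/egress/-" (append a new egress rule) and "/spec/egress/1/ports/-" (append a port to the second existing rule). The Python below implements that "add" with JSON Pointer token unescaping, applies this page's two RabbitMQ/test-service patch bodies to a constructed base policy, and reports egress rules that list ports without a "to" selector, since such a rule permits those ports to any destination. The base policy, its selectors and its existing ports are constructed; on the page the two patches target different policies.

```python
import copy
import json


def _unescape(token):
    """RFC 6901 pointer token unescaping: '~1' is '/', then '~0' is '~' (that order matters)."""
    return token.replace("~1", "/").replace("~0", "~")


def json_patch_add(doc, path, value):
    """RFC 6902 'add': '-' appends to a list, a number inserts at that index (which must not
    exceed the list length), and any other last token sets a map key. Returns a new document."""
    doc = copy.deepcopy(doc)
    if not path.startswith("/"):
        raise ValueError("JSON pointer must start with '/': %r" % path)
    tokens = [_unescape(t) for t in path.split("/")[1:]]
    parent = doc
    for token in tokens[:-1]:  # an index past the end raises IndexError here
        parent = parent[int(token)] if isinstance(parent, list) else parent[token]
    last = tokens[-1]
    if isinstance(parent, list):
        if last == "-":
            parent.append(copy.deepcopy(value))
        else:
            index = int(last)
            if index > len(parent):
                raise IndexError("index %d past end of list of length %d" % (index, len(parent)))
            parent.insert(index, copy.deepcopy(value))
    else:
        parent[last] = copy.deepcopy(value)
    return doc


def apply_patch_entry(doc, entry):
    """Apply one patch-library entry of the shape used on this page ({"target", "kind", "patch": [...]}).
    Only the 'add' op is implemented in this example."""
    if entry["kind"] != doc["kind"]:
        raise ValueError("patch kind %s does not match document kind %s" % (entry["kind"], doc["kind"]))
    for op in entry["patch"]:
        if op["op"] != "add":
            raise NotImplementedError("op %r is not supported in this example" % op["op"])
        doc = json_patch_add(doc, op["path"], op["value"])
    return doc


def unrestricted_egress_rules(policy):
    """Indices of egress rules that list ports but no 'to' selector; such a rule allows those
    ports to any destination."""
    return [i for i, rule in enumerate(policy["spec"].get("egress", []))
            if rule.get("ports") and not rule.get("to")]


# Constructed base policy: DNS to kube-dns and TCP 5432 to an in-cluster database.
BASE_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "test-service-egress"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "test-service"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"namespaceSelector": {}, "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
             "ports": [{"protocol": "UDP", "port": 53}]},
            {"to": [{"podSelector": {"matchLabels": {"app": "database"}}}],
             "ports": [{"protocol": "TCP", "port": 5432}]},
        ],
    },
}

# Patch bodies as they appear in this library.
ADD_PORT_PATCH = {
    "comment": "The following patch adds a port to test-service-egress",
    "kind": "NetworkPolicy",
    "target": "test-service-egress",
    "patch": [{"op": "add", "path": "/spec/egress/1/ports/-", "value": {"protocol": "TCP", "port": 9001}}],
}
EXTERNAL_AMQP_PATCH = {
    "comment": "Open up port for external RabbitMQ.",
    "target": "amqp-client-egress-policies",
    "kind": "NetworkPolicy",
    "patch": [{"op": "add", "path": "/spec/egress/-",
               "value": {"ports": [{"protocol": "TCP", "port": 5671}]}}],
}


if __name__ == "__main__":
    patched = apply_patch_entry(apply_patch_entry(BASE_POLICY, ADD_PORT_PATCH), EXTERNAL_AMQP_PATCH)
    print(json.dumps(patched["spec"]["egress"], indent=2))
    print("egress rules with ports but no 'to':", unrestricted_egress_rules(patched))
```

Two things this makes visible: the "/spec/egress/1/..." path depends on the order of rules in the base policy, so a reordered base silently sends the port to a different rule, and the appended RabbitMQ rule carries no "to", so adding an ipBlock or selector for the broker endpoint is the tighter form.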

Ocr Patches


Ocr Msft Lite Online

This patch sets the Billing and API Key config for ocr-msft-lite.

# target: deployment-ocr-msft-lite

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: ocr-msft-lite
          env:
            - name: BILLING
              value: "https://instabaseinternalocr.cognitiveservices.azure.com/"
            - name: APIKEY
              value: ""
            - name: Mounts__License
              value: ""
            - name: Mounts__Output
              value: ""
            - name: LICENSE_FILE
              value: ""

Ocr Msft V3 Online

This patch sets the BILLING and APIKEY config for ocr-msft-v3.

# target: deployment-ocr-msft-v3

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: ocr-msft-v3
          env:
            - name: BILLING
              value: "https://instabaseinternalocr.cognitiveservices.azure.com/"
            - name: APIKEY
              value: ""
            - name: Mounts__License
              value: ""
            - name: Mounts__Output
              value: ""
            - name: LICENSE_FILE
              value: ""

Opensearch Patches


Deployment Jaeger

This patch configures Jaeger to use AWS OpenSearch without index management (ILM/ISM). <OPENSEARCH_URL> should be replaced by the OpenSearch primary endpoint.

# target: deployment-jaeger

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: jaeger
          env:
            - name: ES_SERVER_URLS
              value: https://<OPENSEARCH_URL>:443
            - name: ES_USE_ILM
              value: "false"
            - name: ES_USE_ALIASES
              value: "false"

Search Tservice

This patch configures search-tservice to use AWS OpenSearch without index management (ILM/ISM). <OPENSEARCH_URL> (the ES_K8S_SERVER value) should be replaced by the OpenSearch primary endpoint. <OPENSEARCH_USERNAME> and <OPENSEARCH_PASSWORD> should be replaced by the OpenSearch username and password respectively.

# target: deployment-search-tservice

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: search-tservice
          env:
            - name: ES_URL_SCHEME
              value: https
            - name: ES_K8S_SERVER
              value: <OPENSEARCH_URL>
            - name: ES_K8S_PORT
              value: "443"
            - name: ES_LIFECYCLE_USE_ILM_INDICES
              value: "False"
            - name: ES_USERNAME
              value: <OPENSEARCH_USERNAME>
            - name: ES_PASSWORD
              value: <OPENSEARCH_PASSWORD>

Pyroscope Patches


Grafana Datasource Config

This patch configures grafana datasources.

# target: grafana-datasource-config

apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-datasource-config
data:
  datasources.yaml: |-
    apiVersion: 1
    datasources:
    - access: proxy
      isDefault: true
      name: 1. Victoriametrics
      orgId: 1
      type: prometheus
      url: http://localhost:28428
      version: 1
    - access: proxy
      name: 2. Prometheus
      orgId: 1
      type: prometheus
      url: http://service-prometheus-server:9090/
      version: 1
    - access: proxy
      name: Loki
      orgId: 1
      type: loki
      url: http://localhost:23101
    - access: proxy
      name: Jaeger
      orgId: 1
      type: jaeger
      url: http://localhost:26686/jaeger
      version: 1
      jsonData:
        nodeGraph:
          enabled: true
    - access: proxy
      name: Pyroscope
      type: pyroscope-datasource   
      uid: pyroscope
      jsonData:
        path: "http://pyroscope:4040"    

Grafana Pyroscope Plugins

This patch adds the Pyroscope datasource and Pyroscope Flamegraph plugins.

# target: deployment-grafana

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-grafana
spec:
  template:
    spec:
      containers:
        - name: grafana
          env:
          - name: GF_INSTALL_PLUGINS
            value: https://github.com/pyroscope-io/grafana-panel-plugin/releases/download/v1.4.2/pyroscope-panel-1.4.2.zip;pyroscope-panel,https://github.com/pyroscope-io/grafana-datasource-plugin/releases/download/v1.2.0/pyroscope-datasource-1.2.0.zip;pyroscope-datasource

Rmq Ha Revert Patches


Api Server

This patch migrates api-server back to RMQ.

# target: deployment-api-server

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: api-server
          env:
            - name: BROKER_URL
              value: "amqp://guest:guest@localhost:45672"
            - name: RABBIT_MQ_PORT
              value: "45672"
            - name: RABBITMQ_CONSOLE_URL
              value: http://localhost:35672
            - name: RABBITMQ_CONSOLE_USER
              valueFrom:
                secretKeyRef:
                  name: rabbitmq-metadata
                  key: console_user
            - name: RABBITMQ_CONSOLE_PASS
              valueFrom:
                secretKeyRef:
                  name: rabbitmq-metadata
                  key: console_pass

Apps Server

This patch migrates apps-server back to RMQ.

# target: deployment-apps-server

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: apps-server
          env:
            - name: BROKER_URL
              value: "amqp://guest:guest@localhost:45672"
            - name: RABBIT_MQ_PORT
              value: "45672"

Celery App Tasks

This patch migrates celery-app-tasks back to RMQ.

# target: deployment-celery-app-tasks

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: celery-app-tasks
          env:
            - name: BROKER_URL
              value: "amqp://guest:guest@localhost:45672"
            - name: RABBIT_MQ_PORT
              value: "45672"

Celery Core Tasks

This patch migrates celery-core-tasks back to RMQ.

# target: deployment-celery-core-tasks

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: celery-core-tasks
          env:
            - name: BROKER_URL
              value: "amqp://guest:guest@localhost:45672"
            - name: RABBIT_MQ_PORT
              value: "45672"

Celery Webdriver Tasks

This patch migrates celery-webdriver-tasks back to RMQ.

# target: deployment-celery-webdriver-tasks

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: celery-webdriver-tasks
          env:
            - name: BROKER_URL
              value: "amqp://guest:guest@localhost:45672"
            - name: RABBIT_MQ_PORT
              value: "45672"

Core Platform Service

This patch migrates core-platform-service back to RMQ.

# target: deployment-core-platform-service

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: core-platform-service
          env:
            - name: BROKER_URL
              value: "amqp://guest:guest@localhost:45672"
            - name: RABBIT_MQ_PORT
              value: "45672"

Grpc File Service

This patch migrates grpc-file-service back to RMQ.

# target: deployment-file-tservice

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: grpc-file-service
          env:
            - name: BROKER_URL
              value: "amqp://guest:guest@localhost:45672"
            - name: RABBIT_MQ_PORT
              value: "45672"

Job Service

This patch migrates job-service back to RMQ.

# target: deployment-job-service

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: job-service
          env:
            - name: BROKER_URL
              value: "amqp://guest:guest@localhost:45672"
            - name: RABBIT_MQ_PORT
              value: "45672"

Model Service

This patch migrates model-service back to RMQ.

# target: deployment-model-service

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: model-service
          env:
            - name: RABBIT_MQ_PORT
              value: "45672"

Rabbitmq Ha Resourcing

This patch configures the resourcing (replicas) for rmqha.

# target: deployment-rabbitmq-ha

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-rabbitmq-ha
  labels:
    app: rabbitmq-ha
    version: v1
spec:
  replicas: 0

Rabbitmq Resourcing

This patch configures the resourcing (replicas) for rmq.

# target: statefulset-rabbitmq

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: statefulset-rabbitmq
  labels:
    app: rabbitmq
    version: v1
spec:
  replicas: 1

Ray Head

This patch migrates model-ray-head to rmqha.

# target: deployment-ray-head

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-ray-head
spec:
  template:
    spec:
      containers:
        - name: ray-head
          env:
            - name: RABBIT_MQ_PORT
              value: "45672"

Ray Model Training Worker

This patch migrates deployment-ray-model-training-worker to rmqha.

# target: deployment-ray-model-training-worker

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-ray-model-training-worker
spec:
  template:
    spec:
      containers:
        - name: ray-model-training-worker
          env:
            - name: RABBIT_MQ_PORT
              value: "45672"

Search Tservice

This patch migrates search-tservice to rmqha.

# target: deployment-search-tservice

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: search-tservice
          env:
            - name: RABBIT_MQ_PORT
              value: "45672"

Webapp

This patch migrates webapp to rmqha.

# target: deployment-webapp

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: webapp
          env:
            - name: BROKER_URL
              value: "amqp://guest:guest@localhost:45672"
            - name: RABBIT_MQ_PORT
              value: "45672"

Sa Regcred

This patch configures the imagePullSecret to use regcred for service accounts.

# target: ServiceAccount

apiVersion: v1
kind: ServiceAccount
imagePullSecrets:
- name: regcred

Stats Adapter Rbac Dogfood

Adds the RoleBinding and ClusterRoleBinding for the stats adapter that are required for Kubernetes extension API server authentication and authorization, and the APIService for custom metrics.

# target: <target_name>
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: stats-adapter
  namespace: instabase-dogfood

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: stats-adapter
  name: stats-adapter-authentication-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - kind: ServiceAccount
    name: stats-adapter
    namespace: instabase-dogfood

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: stats-adapter
  name: stats-adapter:system:auth-delegator
  namespace: instabase-dogfood
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: stats-adapter
    namespace: instabase-dogfood

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: stats-adapter-metrics-reader
  namespace: instabase-dogfood
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stats-adapter-metrics-reader-binding
  namespace: instabase-dogfood
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: stats-adapter-metrics-reader
subjects:
  - kind: ServiceAccount
    name: stats-adapter
    namespace: instabase-dogfood

---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1beta1.custom.metrics.k8s.io
  labels:
    app: stats-adapter
spec:
  group: custom.metrics.k8s.io
  groupPriorityMinimum: 100
  insecureSkipTLSVerify: true
  version: v1beta1
  versionPriority: 100
  service:
    name: service-stats-adapter
    namespace: instabase-dogfood

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: stats-adapter-restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: stats-adapter-restricted-policy-cluster-role
rules:
  - apiGroups: ['extensions']
    resources: ['podsecuritypolicies']
    verbs:     ['use']
    resourceNames:
      - stats-adapter-restricted

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: stats-adapter-restricted-policy-binding
subjects:
  - kind: ServiceAccount
    name: stats-adapter
    namespace: instabase-dogfood
roleRef:
  kind: ClusterRole
  name: stats-adapter-restricted-policy-cluster-role
  apiGroup: rbac.authorization.k8s.io
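
Added review helper, not part of this page or of Instabase's tooling: the bundle above grants the stats-adapter service account roles in two namespaces and at cluster scope, which is worth summarising before it is applied. The Python below holds a constructed subset of those documents as dicts (the PodSecurityPolicy, its ClusterRole and its binding are left out for brevity), lists every binding that names the service account, resolves roleRefs to rules where the Role is in the bundle (built-in roles such as system:auth-delegator are reported as external), and flags two review points: a namespaced Role that lists cluster-scoped resources (RBAC consults only ClusterRoleBindings for cluster-scoped requests, so the "nodes" entry in the metrics-reader Role has no effect) and an APIService registered with insecureSkipTLSVerify. The CLUSTER_SCOPED set is a partial, constructed list.

```python
# Constructed subset of the Stats Adapter bundle above, as Python dicts.
SA = {"kind": "ServiceAccount", "name": "stats-adapter", "namespace": "instabase-dogfood"}
DOCS = [
    {"kind": "ServiceAccount", "metadata": {"name": "stats-adapter", "namespace": "instabase-dogfood"}},
    {"kind": "RoleBinding",
     "metadata": {"name": "stats-adapter-authentication-reader", "namespace": "kube-system"},
     "roleRef": {"kind": "Role", "name": "extension-apiserver-authentication-reader"},
     "subjects": [SA]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "stats-adapter:system:auth-delegator"},
     "roleRef": {"kind": "ClusterRole", "name": "system:auth-delegator"},
     "subjects": [SA]},
    {"kind": "Role",
     "metadata": {"name": "stats-adapter-metrics-reader", "namespace": "instabase-dogfood"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "stats-adapter-metrics-reader-binding", "namespace": "instabase-dogfood"},
     "roleRef": {"kind": "Role", "name": "stats-adapter-metrics-reader"},
     "subjects": [SA]},
    {"kind": "APIService",
     "metadata": {"name": "v1beta1.custom.metrics.k8s.io"},
     "spec": {"group": "custom.metrics.k8s.io", "version": "v1beta1", "insecureSkipTLSVerify": True,
              "service": {"name": "service-stats-adapter", "namespace": "instabase-dogfood"}}},
]

# Cluster-scoped core resources (partial, constructed list for this check).
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes", "clusterroles", "clusterrolebindings"}


def _names_service_account(subjects, name, namespace):
    return any(s.get("kind") == "ServiceAccount" and s.get("name") == name
               and s.get("namespace") == namespace for s in subjects)


def bindings_for(docs, sa_name, sa_namespace):
    """Every RoleBinding/ClusterRoleBinding naming the service account, as
    (binding kind, binding name, scope, roleRef kind, roleRef name)."""
    found = []
    for doc in docs:
        if doc["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not _names_service_account(doc.get("subjects", []), sa_name, sa_namespace):
            continue
        scope = doc["metadata"].get("namespace", "cluster") if doc["kind"] == "RoleBinding" else "cluster"
        found.append((doc["kind"], doc["metadata"]["name"], scope, doc["roleRef"]["kind"], doc["roleRef"]["name"]))
    return found


def _roles(docs):
    return {(d["kind"], d["metadata"]["name"]): d for d in docs if d["kind"] in ("Role", "ClusterRole")}


def effective_rules(docs, sa_name, sa_namespace):
    """Map binding name -> the referenced role's rules when that Role/ClusterRole is in the bundle,
    or the string 'external' for roles defined elsewhere (e.g. the built-in system:auth-delegator)."""
    roles = _roles(docs)
    return {name: (roles[(rkind, rname)].get("rules", []) if (rkind, rname) in roles else "external")
            for _, name, _, rkind, rname in bindings_for(docs, sa_name, sa_namespace)}


def find_issues(docs, sa_name, sa_namespace):
    """Review findings as (code, object name, detail):
    role-cannot-grant-cluster-scoped     a namespaced Role lists a cluster-scoped resource; that
                                         entry is inert and belongs in a ClusterRole if it is needed
    apiservice-insecure-skip-tls-verify  the aggregated API is registered without verifying the
                                         backing service's certificate (caBundle is the alternative)"""
    issues = []
    roles = _roles(docs)
    for _, _, _, rkind, rname in bindings_for(docs, sa_name, sa_namespace):
        role = roles.get((rkind, rname))
        if role is None or rkind != "Role":
            continue
        for rule in role.get("rules", []):
            inert = sorted(set(rule.get("resources", [])) & CLUSTER_SCOPED)
            if inert:
                issues.append(("role-cannot-grant-cluster-scoped", rname, ",".join(inert)))
    for doc in docs:
        if doc["kind"] == "APIService" and doc.get("spec", {}).get("insecureSkipTLSVerify"):
            issues.append(("apiservice-insecure-skip-tls-verify", doc["metadata"]["name"],
                           doc["spec"]["service"]["name"]))
    return issues


if __name__ == "__main__":
    for binding in bindings_for(DOCS, "stats-adapter", "instabase-dogfood"):
        print("binding:", binding)
    for issue in find_issues(DOCS, "stats-adapter", "instabase-dogfood"):
        print("issue:", issue)
```

To run it on the real bundle, load the multi-document YAML with a YAML parser into the same list-of-dicts shape; the functions only read kind, metadata, roleRef, subjects, rules and spec.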

Telescope Import Patches


Grafana Bigquery Creds

This patch adds the BigQuery plugin and instabase-build.loadtest-read secret key mount to grafana. This depends on a secret named “loadtest-read-service-account-key” to be present in the environment.

# target: deployment-grafana

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-grafana
spec:
  template:
    spec:
      containers:
        - name: grafana
          env:
          - name: GF_INSTALL_PLUGINS
            value: grafana-bigquery-datasource
          volumeMounts:
            - mountPath: '/etc/secrets/loadtest-read-service-account-key.pem'
              name: loadtest-read-service-account-key
              subPath: loadtest-read-service-account-key.pem
              readOnly: true
      volumes:
      - secret:
          secretName: loadtest-read-service-account-key
        name: loadtest-read-service-account-key

Grafana Datasource Config

This patch configures grafana datasources.

# target: grafana-datasource-config

apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-datasource-config
data:
  datasources.yaml: |-
    apiVersion: 1
    datasources:
    - access: proxy
      isDefault: true
      name: 1. Victoriametrics
      orgId: 1
      type: prometheus
      url: http://localhost:28428
      version: 1
    - access: proxy
      name: 2. Prometheus
      orgId: 1
      type: prometheus
      url: http://service-prometheus-server:9090/
      version: 1
    - access: proxy
      name: Loki
      orgId: 1
      type: loki
      url: http://localhost:23101
    - access: proxy
      name: Jaeger
      orgId: 1
      type: jaeger
      url: http://localhost:26686/jaeger
      version: 1
      jsonData:
        nodeGraph:
          enabled: true
    - name: BigQuery
      type: grafana-bigquery-datasource
      editable: true
      enabled: true
      jsonData:
        authenticationType: jwt
        clientEmail: loadtest-read@instabase-build.iam.gserviceaccount.com
        defaultProject: instabase-build
        tokenUri: https://oauth2.googleapis.com/token
        privateKeyPath: '/etc/secrets/loadtest-read-service-account-key.pem'    

Loadtest Read Service Account Secret

This patch adds the instabase-build.loadtest-read service account to

# target: <target_name>
apiVersion: v1
kind: Secret
metadata:
  name: loadtest-read-service-account-key
type: Opaque
data:
  loadtest-read-service-account-key.pem: |-
    LOADTEST_READ_SERVICE_ACCOUNT_KEY_BASE64    

Non Obs Deployments

# target: non-obs-deployments

apiVersion: apps/v1
kind: Deployment
spec:
  replicas: 0

Non Obs Statefulsets

# target: non-obs-statefulsets

apiVersion: apps/v1
kind: StatefulSet
spec:
  replicas: 0

Victoriametrics Retention

This patch increases Victoriametrics retention period to 5 years.

# target: statefulset-victoriametrics

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: statefulset-victoriametrics
spec:
  template:
    spec:
      containers:
        - name: victoriametrics
          args:
            - --retentionPeriod=60
            - --storageDataPath=/storage
            - --search.disableAutoCacheReset