diff --git a/templates/composer.yml b/templates/composer.yml deleted file mode 100644 index 267a082ad..000000000 --- a/templates/composer.yml +++ /dev/null @@ -1,503 +0,0 @@ -apiVersion: v1 -kind: Template -metadata: - name: composer - annotations: - openshift.io/display-name: Image-Builder composer service - description: Composer component of the image-builder serivce - tags: golang - iconClass: icon-shadowman - template.openshift.io/provider-display-name: Red Hat, Inc. -labels: - template: composer -objects: -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - service: image-builder - name: composer - spec: - replicas: ${{REPLICAS}} - selector: - matchLabels: - app: composer - strategy: - # Update pods 1 at a time - type: RollingUpdate - rollingUpdate: - # Create at most 0 extra pod over .spec.replicas - maxSurge: 0 - # At all times there should be .spec.replicas - 1 available - maxUnavailable: 1 - template: - metadata: - labels: - app: composer - spec: - serviceAccountName: image-builder - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app: composer - topologyKey: kubernetes.io/hostname - containers: - - image: "${IMAGE_NAME}:${IMAGE_TAG}" - name: composer - livenessProbe: - failureThreshold: 3 - exec: - command: - - cat - - /tmp/osbuild-composer-live - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: ${READINESS_URI} - port: ${{COMPOSER_API_PORT}} - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: "${CPU_REQUEST}" - memory: "${MEMORY_REQUEST}" - limits: - cpu: "${CPU_LIMIT}" - memory: "${MEMORY_LIMIT}" - env: - - name: PGHOST - valueFrom: - secretKeyRef: - name: composer-db - key: db.host - - name: PGPORT - valueFrom: - secretKeyRef: - name: composer-db - key: db.port - - name: PGDATABASE - valueFrom: - secretKeyRef: - name: composer-db - key: db.name - - name: PGUSER - valueFrom: - secretKeyRef: - name: composer-db - key: db.user - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: composer-db - key: db.password - - name: PGSSLMODE - value: "${PGSSLMODE}" - - name: PGMAXCONNS - value: "${PGMAXCONNS}" - # Splunk forwarding - - name: SPLUNK_HEC_TOKEN - valueFrom: - secretKeyRef: - name: splunk - key: token - optional: true - - name: SPLUNK_HEC_HOST - valueFrom: - secretKeyRef: - name: splunk - key: url - optional: true - - name: SPLUNK_HEC_PORT - value: "${SPLUNK_HEC_PORT}" - - name: GLITCHTIP_DSN - valueFrom: - secretKeyRef: - key: dsn - name: "${GLITCHTIP_DSN_NAME}" - optional: true - - name: DISTRO_ALIASES - value: ${DISTRO_ALIASES} - ports: - - name: composer-api - protocol: TCP - containerPort: ${{COMPOSER_API_PORT}} - - name: prometheus - protocol: TCP - containerPort: ${{PROMETHEUS_PORT}} - - name: worker-api - protocol: TCP - containerPort: ${{WORKER_API_PORT}} - volumeMounts: - - name: composer-config - mountPath: "${COMPOSER_CONFIG_DIR}" - readOnly: true - - name: state-directory - mountPath: "/var/lib/osbuild-composer" - - name: cache-directory - mountPath: "/var/cache/osbuild-composer" - volumes: - - name: composer-config - configMap: - name: composer-config - - name: state-directory - emptyDir: {} - - name: cache-directory - emptyDir: {} - initContainers: - - name: composer-migrate - image: "${IMAGE_NAME}:${IMAGE_TAG}" - command: [ "/opt/migrate/tern", "migrate", "-m", "/opt/migrate/schemas" ] - resources: - requests: - cpu: "${CPU_REQUEST}" - memory: "${MEMORY_REQUEST}" - limits: - cpu: "${CPU_LIMIT}" - memory: "${MEMORY_LIMIT}" - env: - - name: PGHOST - valueFrom: - secretKeyRef: - name: composer-db - key: db.host - - name: PGPORT - valueFrom: - secretKeyRef: - name: composer-db - key: db.port - - name: PGDATABASE - valueFrom: - secretKeyRef: - name: composer-db - key: db.name - - name: PGUSER - valueFrom: - secretKeyRef: - name: composer-db - key: db.user - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: composer-db - key: db.password - - name: PGSSLMODE - value: "${PGSSLMODE}" - -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: image-builder - imagePullSecrets: - - name: quay.io - -- apiVersion: v1 - kind: Service - metadata: - name: image-builder-composer - labels: - app: composer - port: composer-api - spec: - ports: - - name: composer-api - protocol: TCP - port: 80 - targetPort: ${{COMPOSER_API_PORT}} - - name: prometheus - protocol: TCP - port: 8008 - targetPort: ${{PROMETHEUS_PORT}} - selector: - app: composer - -- apiVersion: v1 - kind: Service - metadata: - name: image-builder-worker - labels: - app: composer - port: worker-api - spec: - ports: - - name: worker-api - protocol: TCP - port: 80 - targetPort: ${{WORKER_API_PORT}} - selector: - app: composer - -# This map should probably move to app-intf -- apiVersion: v1 - kind: ConfigMap - metadata: - name: composer-config - data: - acl.yml: | - - claim: rh-org-id - pattern: ^(${ACL_ORG_ID_TENANTS})$ - - claim: account_id - pattern: ^(${ACL_ACCOUNT_ID_TENANTS})$ - osbuild-composer.toml: | - log_level = "info" - [koji] - enable_tls = false - enable_mtls = false - enable_jwt = true - jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs"] - jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml" - jwt_tenant_provider_fields = ["rh-org-id", "account_id"] - [worker] - request_job_timeout = "20s" - base_path = "/api/image-builder-worker/v1" - enable_artifacts = false - enable_tls = false - enable_mtls = false - enable_jwt = true - jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs"] - jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml" - jwt_tenant_provider_fields = ["rh-org-id", "account_id"] - worker_heartbeat_timeout = "5m" -- apiVersion: batch/v1 - kind: CronJob - metadata: - labels: - service: image-builder - name: composer-maintenance - spec: - # run maintenance job at midnight - schedule: 0 0 * * * - concurrencyPolicy: Forbid - # don't run if the job doesn't get scheduled within 30 minutes - startingDeadlineSeconds: 1800 - jobTemplate: - spec: - template: - spec: - serviceAccountName: image-builder - restartPolicy: Never - containers: - - image: "${MAINTENANCE_IMAGE_NAME}:${IMAGE_TAG}" - name: composer-maintenance - resources: - requests: - cpu: "${MAINTENANCE_CPU_REQUEST}" - memory: "${MEMORY_REQUEST}" - limits: - cpu: "${MAINTENANCE_CPU_LIMIT}" - memory: "${MEMORY_LIMIT}" - env: - - name: PGHOST - valueFrom: - secretKeyRef: - name: composer-db - key: db.host - - name: PGPORT - valueFrom: - secretKeyRef: - name: composer-db - key: db.port - - name: PGDATABASE - valueFrom: - secretKeyRef: - name: composer-db - key: db.name - - name: PGUSER - valueFrom: - secretKeyRef: - name: composer-db - key: db.user - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: composer-db - key: db.password - - name: PGSSLMODE - value: "${PGSSLMODE}" - - name: GCP_AUTH_PROVIDER_X509_CERT_URL - valueFrom: - secretKeyRef: - name: gcp-service-account - key: auth_provider_x509_cert_url - - name: GCP_AUTH_URI - valueFrom: - secretKeyRef: - name: gcp-service-account - key: auth_uri - - name: GCP_CLIENT_EMAIL - valueFrom: - secretKeyRef: - name: gcp-service-account - key: client_email - - name: GCP_CLIENT_ID - valueFrom: - secretKeyRef: - name: gcp-service-account - key: client_id - - name: GCP_CLIENT_X509_CERT_URL - valueFrom: - secretKeyRef: - name: gcp-service-account - key: client_x509_cert_url - - name: GCP_PRIVATE_KEY - valueFrom: - secretKeyRef: - name: gcp-service-account - key: private_key - - name: GCP_PRIVATE_KEY_ID - valueFrom: - secretKeyRef: - name: gcp-service-account - key: private_key_id - - name: GCP_PROJECT_ID - valueFrom: - secretKeyRef: - name: gcp-service-account - key: project_id - - name: GCP_TOKEN_URI - valueFrom: - secretKeyRef: - name: gcp-service-account - key: token_uri - - name: GCP_TYPE - valueFrom: - secretKeyRef: - name: gcp-service-account - key: type - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: aws-account - key: access_key_id - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: aws-account - key: secret_access_key - - name: DRY_RUN - value: "${MAINTENANCE_DRY_RUN}" - - name: ENABLE_AWS_MAINTENANCE - value: "${ENABLE_AWS_MAINTENANCE}" - - name: ENABLE_GCP_MAINTENANCE - value: "${ENABLE_GCP_MAINTENANCE}" - - name: ENABLE_DB_MAINTENANCE - value: "${ENABLE_DB_MAINTENANCE}" - - name: MAX_CONCURRENT_REQUESTS - value: "${MAINTENANCE_MAX_CONCURRENT_REQUESTS}" - -parameters: - - description: composer image name - name: IMAGE_NAME - value: quay.io/app-sre/composer - required: true - - description: composer image tag - name: IMAGE_TAG - required: true - - description: postgres sslmode to use when connecting to the db - name: PGSSLMODE - value: "require" - - description: postgres maximum connections per pod - name: PGMAXCONNS - value: "20" - - description: number of pods to spin up - name: REPLICAS - value: "3" - required: true - - description: base sso url - name: RH_SSO_BASE_URL - required: true - value: "https://sso.redhat.com/auth/realms/redhat-external" - - description: base sso url - name: COMPOSER_CONFIG_DIR - required: true - value: "/etc/osbuild-composer" - - description: Allowed tenants based on org id - name: ACL_ORG_ID_TENANTS - value: "15842261|15877963|15885990|16057323" - - description: Allowed tenants based on account id - name: ACL_ACCOUNT_ID_TENANTS - value: "15842261|16057323" - - description: composer-api port - name: COMPOSER_API_PORT - required: true - value: "8080" - - description: prometheus port - name: PROMETHEUS_PORT - value: "8008" - - description: worker-api port - name: WORKER_API_PORT - required: true - value: "8700" - - name: READINESS_URI - description: URI to query for the readiness check - value: "/api/image-builder-composer/v2/openapi" - - name: CPU_REQUEST - description: CPU request per container - value: "500m" - - name: CPU_LIMIT - description: CPU limit per container - value: "1" - - name: FLUENTD_CPU_REQUEST - description: CPU request per container - value: "50m" - - name: FLUENTD_CPU_LIMIT - description: CPU limit per container - value: "100m" - - name: MAINTENANCE_CPU_REQUEST - description: CPU request per container - value: "50m" - - name: MAINTENANCE_CPU_LIMIT - description: CPU limit per container - value: "100m" - - name: MEMORY_REQUEST - description: Memory request per container - value: "256Mi" - - name: MEMORY_LIMIT - description: Memory limit per container - value: "512Mi" - # maintenance image variables - - description: composer-maintenance image name - name: MAINTENANCE_IMAGE_NAME - value: quay.io/app-sre/composer-maintenance - required: true - - description: composer-maintenance dry run - name: MAINTENANCE_DRY_RUN - # don't change this value, overwrite it in app-interface for a specific namespace - value: "true" - required: true - - description: Enable AWS maintenance - name: ENABLE_AWS_MAINTENANCE - # don't change this value, overwrite it in app-interface for a specific namespace - value: "false" - required: true - - description: Enable GPC maintenance - name: ENABLE_GCP_MAINTENANCE - # don't change this value, overwrite it in app-interface for a specific namespace - value: "false" - required: true - - description: Enable DB maintenance - name: ENABLE_DB_MAINTENANCE - # don't change this value, overwrite it in app-interface for a specific namespace - value: "false" - required: true - - description: composer-maintenance max concurrent requests - name: MAINTENANCE_MAX_CONCURRENT_REQUESTS - value: "10" - required: true - - description: Splunk HTTP Event Collector port - name: SPLUNK_HEC_PORT - value: "443" - - name: GLITCHTIP_DSN_NAME - value: "composer-stage-dsn" - description: Name of the secret for connecting to sentry/glitchtip - - description: Distro name aliases - name: DISTRO_ALIASES - value: "rhel-7=rhel-7.9,rhel-8=rhel-8.9,rhel-9=rhel-9.3" diff --git a/templates/composer.yml b/templates/composer.yml new file mode 120000 index 000000000..ec9d58b31 --- /dev/null +++ b/templates/composer.yml @@ -0,0 +1 @@ +openshift/composer.yml \ No newline at end of file diff --git a/templates/openshift/composer.yml b/templates/openshift/composer.yml new file mode 100644 index 000000000..267a082ad --- /dev/null +++ b/templates/openshift/composer.yml @@ -0,0 +1,503 @@ +apiVersion: v1 +kind: Template +metadata: + name: composer + annotations: + openshift.io/display-name: Image-Builder composer service + description: Composer component of the image-builder serivce + tags: golang + iconClass: icon-shadowman + template.openshift.io/provider-display-name: Red Hat, Inc. +labels: + template: composer +objects: +- apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + service: image-builder + name: composer + spec: + replicas: ${{REPLICAS}} + selector: + matchLabels: + app: composer + strategy: + # Update pods 1 at a time + type: RollingUpdate + rollingUpdate: + # Create at most 0 extra pod over .spec.replicas + maxSurge: 0 + # At all times there should be .spec.replicas - 1 available + maxUnavailable: 1 + template: + metadata: + labels: + app: composer + spec: + serviceAccountName: image-builder + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app: composer + topologyKey: kubernetes.io/hostname + containers: + - image: "${IMAGE_NAME}:${IMAGE_TAG}" + name: composer + livenessProbe: + failureThreshold: 3 + exec: + command: + - cat + - /tmp/osbuild-composer-live + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: ${READINESS_URI} + port: ${{COMPOSER_API_PORT}} + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: "${CPU_REQUEST}" + memory: "${MEMORY_REQUEST}" + limits: + cpu: "${CPU_LIMIT}" + memory: "${MEMORY_LIMIT}" + env: + - name: PGHOST + valueFrom: + secretKeyRef: + name: composer-db + key: db.host + - name: PGPORT + valueFrom: + secretKeyRef: + name: composer-db + key: db.port + - name: PGDATABASE + valueFrom: + secretKeyRef: + name: composer-db + key: db.name + - name: PGUSER + valueFrom: + secretKeyRef: + name: composer-db + key: db.user + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: composer-db + key: db.password + - name: PGSSLMODE + value: "${PGSSLMODE}" + - name: PGMAXCONNS + value: "${PGMAXCONNS}" + # Splunk forwarding + - name: SPLUNK_HEC_TOKEN + valueFrom: + secretKeyRef: + name: splunk + key: token + optional: true + - name: SPLUNK_HEC_HOST + valueFrom: + secretKeyRef: + name: splunk + key: url + optional: true + - name: SPLUNK_HEC_PORT + value: "${SPLUNK_HEC_PORT}" + - name: GLITCHTIP_DSN + valueFrom: + secretKeyRef: + key: dsn + name: "${GLITCHTIP_DSN_NAME}" + optional: true + - name: DISTRO_ALIASES + value: ${DISTRO_ALIASES} + ports: + - name: composer-api + protocol: TCP + containerPort: ${{COMPOSER_API_PORT}} + - name: prometheus + protocol: TCP + containerPort: ${{PROMETHEUS_PORT}} + - name: worker-api + protocol: TCP + containerPort: ${{WORKER_API_PORT}} + volumeMounts: + - name: composer-config + mountPath: "${COMPOSER_CONFIG_DIR}" + readOnly: true + - name: state-directory + mountPath: "/var/lib/osbuild-composer" + - name: cache-directory + mountPath: "/var/cache/osbuild-composer" + volumes: + - name: composer-config + configMap: + name: composer-config + - name: state-directory + emptyDir: {} + - name: cache-directory + emptyDir: {} + initContainers: + - name: composer-migrate + image: "${IMAGE_NAME}:${IMAGE_TAG}" + command: [ "/opt/migrate/tern", "migrate", "-m", "/opt/migrate/schemas" ] + resources: + requests: + cpu: "${CPU_REQUEST}" + memory: "${MEMORY_REQUEST}" + limits: + cpu: "${CPU_LIMIT}" + memory: "${MEMORY_LIMIT}" + env: + - name: PGHOST + valueFrom: + secretKeyRef: + name: composer-db + key: db.host + - name: PGPORT + valueFrom: + secretKeyRef: + name: composer-db + key: db.port + - name: PGDATABASE + valueFrom: + secretKeyRef: + name: composer-db + key: db.name + - name: PGUSER + valueFrom: + secretKeyRef: + name: composer-db + key: db.user + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: composer-db + key: db.password + - name: PGSSLMODE + value: "${PGSSLMODE}" + +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: image-builder + imagePullSecrets: + - name: quay.io + +- apiVersion: v1 + kind: Service + metadata: + name: image-builder-composer + labels: + app: composer + port: composer-api + spec: + ports: + - name: composer-api + protocol: TCP + port: 80 + targetPort: ${{COMPOSER_API_PORT}} + - name: prometheus + protocol: TCP + port: 8008 + targetPort: ${{PROMETHEUS_PORT}} + selector: + app: composer + +- apiVersion: v1 + kind: Service + metadata: + name: image-builder-worker + labels: + app: composer + port: worker-api + spec: + ports: + - name: worker-api + protocol: TCP + port: 80 + targetPort: ${{WORKER_API_PORT}} + selector: + app: composer + +# This map should probably move to app-intf +- apiVersion: v1 + kind: ConfigMap + metadata: + name: composer-config + data: + acl.yml: | + - claim: rh-org-id + pattern: ^(${ACL_ORG_ID_TENANTS})$ + - claim: account_id + pattern: ^(${ACL_ACCOUNT_ID_TENANTS})$ + osbuild-composer.toml: | + log_level = "info" + [koji] + enable_tls = false + enable_mtls = false + enable_jwt = true + jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs"] + jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml" + jwt_tenant_provider_fields = ["rh-org-id", "account_id"] + [worker] + request_job_timeout = "20s" + base_path = "/api/image-builder-worker/v1" + enable_artifacts = false + enable_tls = false + enable_mtls = false + enable_jwt = true + jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs"] + jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml" + jwt_tenant_provider_fields = ["rh-org-id", "account_id"] + worker_heartbeat_timeout = "5m" +- apiVersion: batch/v1 + kind: CronJob + metadata: + labels: + service: image-builder + name: composer-maintenance + spec: + # run maintenance job at midnight + schedule: 0 0 * * * + concurrencyPolicy: Forbid + # don't run if the job doesn't get scheduled within 30 minutes + startingDeadlineSeconds: 1800 + jobTemplate: + spec: + template: + spec: + serviceAccountName: image-builder + restartPolicy: Never + containers: + - image: "${MAINTENANCE_IMAGE_NAME}:${IMAGE_TAG}" + name: composer-maintenance + resources: + requests: + cpu: "${MAINTENANCE_CPU_REQUEST}" + memory: "${MEMORY_REQUEST}" + limits: + cpu: "${MAINTENANCE_CPU_LIMIT}" + memory: "${MEMORY_LIMIT}" + env: + - name: PGHOST + valueFrom: + secretKeyRef: + name: composer-db + key: db.host + - name: PGPORT + valueFrom: + secretKeyRef: + name: composer-db + key: db.port + - name: PGDATABASE + valueFrom: + secretKeyRef: + name: composer-db + key: db.name + - name: PGUSER + valueFrom: + secretKeyRef: + name: composer-db + key: db.user + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: composer-db + key: db.password + - name: PGSSLMODE + value: "${PGSSLMODE}" + - name: GCP_AUTH_PROVIDER_X509_CERT_URL + valueFrom: + secretKeyRef: + name: gcp-service-account + key: auth_provider_x509_cert_url + - name: GCP_AUTH_URI + valueFrom: + secretKeyRef: + name: gcp-service-account + key: auth_uri + - name: GCP_CLIENT_EMAIL + valueFrom: + secretKeyRef: + name: gcp-service-account + key: client_email + - name: GCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: gcp-service-account + key: client_id + - name: GCP_CLIENT_X509_CERT_URL + valueFrom: + secretKeyRef: + name: gcp-service-account + key: client_x509_cert_url + - name: GCP_PRIVATE_KEY + valueFrom: + secretKeyRef: + name: gcp-service-account + key: private_key + - name: GCP_PRIVATE_KEY_ID + valueFrom: + secretKeyRef: + name: gcp-service-account + key: private_key_id + - name: GCP_PROJECT_ID + valueFrom: + secretKeyRef: + name: gcp-service-account + key: project_id + - name: GCP_TOKEN_URI + valueFrom: + secretKeyRef: + name: gcp-service-account + key: token_uri + - name: GCP_TYPE + valueFrom: + secretKeyRef: + name: gcp-service-account + key: type + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: aws-account + key: access_key_id + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: aws-account + key: secret_access_key + - name: DRY_RUN + value: "${MAINTENANCE_DRY_RUN}" + - name: ENABLE_AWS_MAINTENANCE + value: "${ENABLE_AWS_MAINTENANCE}" + - name: ENABLE_GCP_MAINTENANCE + value: "${ENABLE_GCP_MAINTENANCE}" + - name: ENABLE_DB_MAINTENANCE + value: "${ENABLE_DB_MAINTENANCE}" + - name: MAX_CONCURRENT_REQUESTS + value: "${MAINTENANCE_MAX_CONCURRENT_REQUESTS}" + +parameters: + - description: composer image name + name: IMAGE_NAME + value: quay.io/app-sre/composer + required: true + - description: composer image tag + name: IMAGE_TAG + required: true + - description: postgres sslmode to use when connecting to the db + name: PGSSLMODE + value: "require" + - description: postgres maximum connections per pod + name: PGMAXCONNS + value: "20" + - description: number of pods to spin up + name: REPLICAS + value: "3" + required: true + - description: base sso url + name: RH_SSO_BASE_URL + required: true + value: "https://sso.redhat.com/auth/realms/redhat-external" + - description: base sso url + name: COMPOSER_CONFIG_DIR + required: true + value: "/etc/osbuild-composer" + - description: Allowed tenants based on org id + name: ACL_ORG_ID_TENANTS + value: "15842261|15877963|15885990|16057323" + - description: Allowed tenants based on account id + name: ACL_ACCOUNT_ID_TENANTS + value: "15842261|16057323" + - description: composer-api port + name: COMPOSER_API_PORT + required: true + value: "8080" + - description: prometheus port + name: PROMETHEUS_PORT + value: "8008" + - description: worker-api port + name: WORKER_API_PORT + required: true + value: "8700" + - name: READINESS_URI + description: URI to query for the readiness check + value: "/api/image-builder-composer/v2/openapi" + - name: CPU_REQUEST + description: CPU request per container + value: "500m" + - name: CPU_LIMIT + description: CPU limit per container + value: "1" + - name: FLUENTD_CPU_REQUEST + description: CPU request per container + value: "50m" + - name: FLUENTD_CPU_LIMIT + description: CPU limit per container + value: "100m" + - name: MAINTENANCE_CPU_REQUEST + description: CPU request per container + value: "50m" + - name: MAINTENANCE_CPU_LIMIT + description: CPU limit per container + value: "100m" + - name: MEMORY_REQUEST + description: Memory request per container + value: "256Mi" + - name: MEMORY_LIMIT + description: Memory limit per container + value: "512Mi" + # maintenance image variables + - description: composer-maintenance image name + name: MAINTENANCE_IMAGE_NAME + value: quay.io/app-sre/composer-maintenance + required: true + - description: composer-maintenance dry run + name: MAINTENANCE_DRY_RUN + # don't change this value, overwrite it in app-interface for a specific namespace + value: "true" + required: true + - description: Enable AWS maintenance + name: ENABLE_AWS_MAINTENANCE + # don't change this value, overwrite it in app-interface for a specific namespace + value: "false" + required: true + - description: Enable GPC maintenance + name: ENABLE_GCP_MAINTENANCE + # don't change this value, overwrite it in app-interface for a specific namespace + value: "false" + required: true + - description: Enable DB maintenance + name: ENABLE_DB_MAINTENANCE + # don't change this value, overwrite it in app-interface for a specific namespace + value: "false" + required: true + - description: composer-maintenance max concurrent requests + name: MAINTENANCE_MAX_CONCURRENT_REQUESTS + value: "10" + required: true + - description: Splunk HTTP Event Collector port + name: SPLUNK_HEC_PORT + value: "443" + - name: GLITCHTIP_DSN_NAME + value: "composer-stage-dsn" + description: Name of the secret for connecting to sentry/glitchtip + - description: Distro name aliases + name: DISTRO_ALIASES + value: "rhel-7=rhel-7.9,rhel-8=rhel-8.9,rhel-9=rhel-9.3"