From 10f23b4e4991c0cd1e241b7ea0e2bce474eab1d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Alejandro=20Marug=C3=A1n?= Date: Thu, 5 Sep 2024 23:46:35 +0200 Subject: [PATCH] fix: add graceful shutdown (#57) fix: add graceful shutdown --- charts/opencti/README.md | 6 +- charts/opencti/ci/ci-common-values.yaml | 65 +++++++++++++------ .../templates/connector/deployment.yaml | 5 ++ .../opencti/templates/server/deployment.yaml | 5 ++ .../opencti/templates/worker/deployment.yaml | 5 ++ charts/opencti/values.yaml | 31 +++++++++ 6 files changed, 96 insertions(+), 21 deletions(-) diff --git a/charts/opencti/README.md b/charts/opencti/README.md index db6ab44..60eae16 100644 --- a/charts/opencti/README.md +++ b/charts/opencti/README.md @@ -97,6 +97,7 @@ helm show values opencti/opencti | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | imagePullSecrets | list | `[]` | Global Docker registry secret names as an array | | ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress configuration to expose app
Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ | +| lifecycle | object | `{}` | Configure lifecycle hooks
Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
Ref: https://learnk8s.io/graceful-shutdown | | livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":180,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Configure liveness checker
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes | | livenessProbeCustom | object | `{}` | Custom livenessProbe | | minio | object | `{"auth":{"rootPassword":"ChangeMe","rootUser":"ChangeMe"},"enabled":true,"mode":"standalone","persistence":{"enabled":false}}` | MinIO subchart deployment
Ref: https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml | @@ -140,11 +141,12 @@ helm show values opencti/opencti | serviceMonitor.enabled | bool | `false` | Enable or disable | | startupProbe | object | `{"enabled":true,"failureThreshold":30,"initialDelaySeconds":180,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Configure startupProbe checker
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes | | startupProbeCustom | object | `{}` | Custom startupProbe | +| terminationGracePeriodSeconds | int | `30` | Configure Pod termination grace period
Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination | | testConnection | bool | `false` | Enable or disable test connection | | tolerations | list | `[]` | Tolerations for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition | | volumes | list | `[]` | Additional volumes on the output Deployment definition | -| worker | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"enabled":true,"env":{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true},"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"nodeSelector":{},"podDisruptionBudget":{"enabled":false,"maxUnavailable":1,"minAvailable":null},"readyChecker":{"enabled":true,"retries":30,"timeout":5},"replicaCount":1,"resources":{},"serviceMonitor":{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"},"tolerations":[],"volumeMounts":[],"volumes":[]}` | OpenCTI worker deployment configuration
Ref: https://docs.opencti.io/latest/deployment/overview/#workers | +| worker | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"enabled":true,"env":{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true},"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"lifecycle":{},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"nodeSelector":{},"podDisruptionBudget":{"enabled":false,"maxUnavailable":1,"minAvailable":null},"readyChecker":{"enabled":true,"retries":30,"timeout":5},"replicaCount":1,"resources":{},"serviceMonitor":{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"},"terminationGracePeriodSeconds":30,"tolerations":[],"volumeMounts":[],"volumes":[]}` | OpenCTI worker deployment configuration
Ref: https://docs.opencti.io/latest/deployment/overview/#workers | | worker.affinity | object | `{}` | Affinity for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | | worker.autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage
Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | | worker.enabled | bool | `true` | Enable or disable worker | @@ -154,6 +156,7 @@ helm show values opencti/opencti | worker.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the image | | worker.image.repository | string | `"opencti/worker"` | Repository of the image | | worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | +| worker.lifecycle | object | `{}` | Configure lifecycle hooks
Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
Ref: https://learnk8s.io/graceful-shutdown | | worker.networkPolicy | object | `{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]}` | NetworkPolicy configuration
Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ | | worker.networkPolicy.enabled | bool | `false` | Enable or disable NetworkPolicy | | worker.networkPolicy.policyTypes | list | `[]` | Policy types | @@ -167,6 +170,7 @@ helm show values opencti/opencti | worker.resources | object | `{}` | The resources limits and requested
Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | worker.serviceMonitor | object | `{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"}` | Enable ServiceMonitor to get metrics
Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor | | worker.serviceMonitor.enabled | bool | `false` | Enable or disable | +| worker.terminationGracePeriodSeconds | int | `30` | Configure Pod termination grace period
Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination | | worker.tolerations | list | `[]` | Tolerations for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | worker.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition | | worker.volumes | list | `[]` | Additional volumes on the output Deployment definition | diff --git a/charts/opencti/ci/ci-common-values.yaml b/charts/opencti/ci/ci-common-values.yaml index f497b43..c9c33e8 100644 --- a/charts/opencti/ci/ci-common-values.yaml +++ b/charts/opencti/ci/ci-common-values.yaml @@ -22,6 +22,22 @@ env: testConnection: true +lifecycle: + preStop: + exec: + command: ["sh", "-c", "sleep 10"] + +terminationGracePeriodSeconds: 40 + +networkPolicy: + enabled: true + +podDisruptionBudget: + enabled: true + +autoscaling: + enabled: true + secrets: APP__ADMIN__TOKEN: "b1976749-8a53-4f49-bf04-cafa2a3458c1" RABBITMQ__PASSWORD: ChangeMe @@ -37,6 +53,30 @@ envFromSecrets: name: opencti-ci-credentials key: RABBITMQ__PASSWORD +worker: + enabled: true + + readyChecker: + enabled: true + retries: 40 + timeout: 10 + + lifecycle: + preStop: + exec: + command: ["sh", "-c", "sleep 10"] + + terminationGracePeriodSeconds: 40 + + networkPolicy: + enabled: true + + podDisruptionBudget: + enabled: true + + autoscaling: + enabled: true + connectors: - name: opencti enabled: true @@ -51,6 +91,11 @@ connectors: enabled: true retries: 40 timeout: 10 + lifecycle: + preStop: + exec: + command: ["sh", "-c", "sleep 10"] + terminationGracePeriodSeconds: 40 deploymentAnnotations: ci: "true" podAnnotations: @@ -65,26 +110,6 @@ connectors: name: opencti-ci-credentials key: APP__ADMIN__TOKEN -networkPolicy: - enabled: true - -autoscaling: - enabled: true - -worker: - enabled: true - - readyChecker: - enabled: true - retries: 40 - timeout: 10 - - networkPolicy: - enabled: false - - autoscaling: - enabled: true - elasticsearch: fullnameOverride: opencti-ci-elasticsearch master: 
diff --git a/charts/opencti/templates/connector/deployment.yaml b/charts/opencti/templates/connector/deployment.yaml index 5d6baf8..8bf699a 100644 --- a/charts/opencti/templates/connector/deployment.yaml +++ b/charts/opencti/templates/connector/deployment.yaml @@ -73,6 +73,10 @@ spec: {{- toYaml .securityContext | nindent 12 }} image: "{{- if and .image (hasKey .image "repository") }}{{ .image.repository }}{{- else if $.Values.global.imageRegistry }}{{ printf "%s/opencti/%s" $.Values.global.imageRegistry .name }}{{- else }}{{ printf "opencti/%s" .name }}{{- end }}:{{ if and .image (hasKey .image "tag") }}{{ .image.tag | default $.Chart.AppVersion }}{{ else }}{{ $.Chart.AppVersion }}{{ end }}" imagePullPolicy: {{ if and .image (hasKey .image "pullPolicy") }}{{ .image.pullPolicy }}{{ else }}IfNotPresent{{ end }} + lifecycle: + {{- with .lifecycle }} + {{- toYaml . | nindent 12 }} + {{- end }} env: # Variables from secrets have precedence {{- $envList := dict -}} @@ -118,6 +122,7 @@ spec: {{- end }} resources: {{- toYaml .resources | nindent 12 }} + terminationGracePeriodSeconds: {{ .terminationGracePeriodSeconds | default 30 }} {{- with .nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/opencti/templates/server/deployment.yaml b/charts/opencti/templates/server/deployment.yaml index 6e87d9f..8801efe 100644 --- a/charts/opencti/templates/server/deployment.yaml +++ b/charts/opencti/templates/server/deployment.yaml @@ -83,6 +83,10 @@ spec: containerPort: {{ .Values.env.APP__TELEMETRY__METRICS__EXPORTER_PROMETHEUS | default 14269 }} protocol: TCP {{- end }} + lifecycle: + {{- with .Values.lifecycle }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- if .Values.livenessProbe.enabled }} livenessProbe: {{- if .Values.livenessProbeCustom }} 
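Review bot: In the connector template hunk at `@@ -73,6 +73,10` the `lifecycle:` key is written outside the `with`, so with the default empty value the container gets a bare `lifecycle:` (null) instead of no field at all. The API server generally tolerates a null here, but strict schema validation or admission-policy checks run on the rendered manifests may flag it, and it adds noise to manifest diffs. Moving the key inside the guard avoids this: `{{- with .lifecycle }}`, then `lifecycle:`, then `{{- toYaml . | nindent 12 }}`. The same pattern appears in the server hunk `@@ -83,6 +83,10` and the worker hunk `@@ -74,6 +74,10`. Indentation is not recoverable in this view, so the `nindent` value should be checked against the container level.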
@@ -163,6 +167,7 @@ spec: volumeMounts: {{- toYaml . | nindent 12 }} {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- with .Values.volumes }} volumes: {{- toYaml . | nindent 8 }} diff --git a/charts/opencti/templates/worker/deployment.yaml b/charts/opencti/templates/worker/deployment.yaml index b124658..e434eb2 100644 --- a/charts/opencti/templates/worker/deployment.yaml +++ b/charts/opencti/templates/worker/deployment.yaml @@ -74,6 +74,10 @@ spec: containerPort: {{ .Values.worker.env.WORKER_PROMETHEUS_TELEMETRY_PORT | default 14269 }} protocol: TCP {{- end }} + lifecycle: + {{- with .Values.worker.lifecycle }} + {{- toYaml . | nindent 12 }} + {{- end }} env: # Variables from secrets have precedence {{- $envList := dict -}} @@ -123,6 +127,7 @@ spec: volumeMounts: {{- toYaml . | nindent 12 }} {{- end }} + terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }} {{- with .Values.worker.volumes }} volumes: {{- toYaml . | nindent 8 }} diff --git a/charts/opencti/values.yaml b/charts/opencti/values.yaml index a192683..6ddeb68 100644 --- a/charts/opencti/values.yaml +++ b/charts/opencti/values.yaml @@ -143,6 +143,18 @@ serviceMonitor: metricRelabelings: [] relabelings: [] +# -- Configure lifecycle hooks +#
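Review bot: `terminationGracePeriodSeconds` is rendered unguarded in the server hunk `@@ -163,6 +167,7` and the worker hunk `@@ -123,6 +127,7`, while the connector hunk `@@ -118,6 +122,7` falls back with `| default 30`. If an override file nulls the value, the server and worker manifests get an empty key, and the three templates behave differently for the same input. Using one form everywhere, for example `terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds | default 30 | int }}`, keeps them consistent and pins the integer type; be aware that `default` also replaces an explicit `0`. The key has to land at pod-spec level rather than container level, which cannot be confirmed here because indentation is lost in this view.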
Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ +#
Ref: https://learnk8s.io/graceful-shutdown +lifecycle: {} + # preStop: + # exec: + # command: ["sh", "-c", "sleep 10"] + +# -- Configure Pod termination grace period +#
Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination +terminationGracePeriodSeconds: 30 + # -- Configure liveness checker #
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes livenessProbe: @@ -352,6 +364,13 @@ connectors: [] # retries: 30 # # -- Timeout for each check # timeout: 5 +# # -- Lifecycle configuration +# lifecycle: {} +# # preStop: +# # exec: +# # command: ["sh", "-c", "sleep 10"] +# # -- Configure Pod termination grace period +# terminationGracePeriodSeconds: 30 # # -- Environment variables to configure application # env: {} # # foo: bar @@ -400,6 +419,18 @@ worker: # -- Timeout for each check timeout: 5 + # -- Configure lifecycle hooks + #
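Review bot: The new `terminationGracePeriodSeconds` comment at `@@ -143,6 +143,18` does not say how the value relates to the `preStop` example just above it. The hook runs inside the grace period, so a hook that sleeps for most of it leaves the process little time to handle SIGTERM before it is killed, which for a worker or connector may mean interrupted in-flight work. I would add `# Must exceed the preStop duration plus the application's own shutdown time; the hook counts against this period.` here, on the matching worker block at `@@ -400,6 +419,18` and on the connector example at `@@ -352,6 +364,13`. The commented example also assumes `sh` and `sleep` exist in the image, which is worth stating for anyone running a shell-less image.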
Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + #
Ref: https://learnk8s.io/graceful-shutdown + lifecycle: {} + # preStop: + # exec: + # command: ["sh", "-c", "sleep 10"] + + # -- Configure Pod termination grace period + #
Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + terminationGracePeriodSeconds: 30 + # -- Image registry configuration for the base service image: # -- Repository of the image