# Scheduling intervals and delays. Most use the short form (60s); the
# clusterrolebinding scan uses ISO-8601 (PT60M = 60 minutes).
# The %test profile overrides the bundle approval delay to 0s.
agent.status.interval=60s
strimzi.bundle.interval=60s
strimzi.bundle.approval-delay=120s
%test.strimzi.bundle.approval-delay=0s
strimzi.clusterrolebinding-scan.interval=PT60M
quarkus.log.console.format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c{3.}] (%t) %x %s%e%n
# for quarkus 1.x compatibility
quarkus.kubernetes.ports.http.host-port=8080
# SHA for image quay.io/mk-ci-cd/kafka-admin-api:0.9.1-1
image.admin-api=quay.io/mk-ci-cd/kafka-admin-api@sha256:5fae4bda3acfbdd27c3643133ddd8c05403177d24e10e4892ca5e20354b9f81f
# NOTE(review): unlike admin-api above, the two canary images are referenced by
# tag, not by sha256 digest. A tag can be re-pointed in the registry, so this
# file does not fix which image content is pulled. Pin them by digest (keeping
# the tag in a comment, as done for admin-api) if verifiable pulls are required.
image.canary=quay.io/mk-ci-cd/strimzi-canary:0.2.0-220111183833
image.canary-init=quay.io/mk-ci-cd/strimzi-canary:0.2.0-220111183833
# unique label required to identify the DrainCleaner's validating webhook
drain.cleaner.webhook.label.key=olm.webhook-description-generate-name
drain.cleaner.webhook.label.value=strimzi-drain-cleaner.kb.io
# DEBUG logging is enabled only under the dev and test profiles; no level is
# set here for the default profile.
%dev.quarkus.log.console.level=DEBUG
%dev.quarkus.log.category."org.bf2".level=DEBUG
%test.quarkus.log.category."org.bf2".level=DEBUG
mock.factory.interval=15s
# ingress controller resources - an alternative profile can create fewer/smaller
ingresscontroller.request-cpu=1700m
ingresscontroller.request-memory=1Gi
#ingresscontroller.default-replica-count=1
#ingresscontroller.az-replica-count=0
# depends upon the instance type. It is roughly 300Mi for m5.2xlarge.
ingresscontroller.max-ingress-throughput=300Mi
# percentage of peak throughput you actually need to meet
ingresscontroller.peak-throughput-percentage=40
# this has yet to be completely verified - this could go higher, but we would need more memory
ingresscontroller.max-ingress-connections=108000
# percentage of peak connections you actually need to meet
ingresscontroller.peak-connection-percentage=100
ingresscontroller.router-verbosity=2
# note that this variable is overridden using the downward API in the deployment.
ingresscontroller.blueprint-namespace=kas-fleetshard-operator
ingresscontroller.blueprint-selector=bf2.org/blueprint=true
# customizes the router operator's command line to enable specific options that can't currently be controlled from the CR.
# The value is a comma-separated argv: /usr/bin/bash, -c, <script>. The script
# copies $TEMPLATE_FILE to /tmp/haproxy-config.template, adding " option contstats"
# after the "defaults" line, then execs openshift-router with that template.
# NOTE(review): the ${ingresscontroller.*} placeholders are expanded into the
# bash -c script without quoting. quarkus.kubernetes-config is enabled in this
# file (ConfigMap kas-fleetshard-config), so these values can presumably be
# supplied from that ConfigMap. Treat write access to the ConfigMap as the
# ability to change the command run in the router container, and restrict RBAC
# on it accordingly - confirm.
ingresscontroller.ingress-container-command=/usr/bin/bash,-c,awk '{print $0} /^defaults$/ {print \" option contstats\"}' < $TEMPLATE_FILE > /tmp/haproxy-config.template; exec /usr/bin/openshift-router --v=${ingresscontroller.router-verbosity} --template /tmp/haproxy-config.template --commit-interval=${ingresscontroller.commit-interval} --blueprint-route-pool-size=${ingresscontroller.blueprint-route-pool-size} --max-dynamic-servers=${ingresscontroller.max-dynamic-servers} --blueprint-route-namespace=${ingresscontroller.blueprint-namespace} --blueprint-route-labels=${ingresscontroller.blueprint-selector}
# HA proxy dynamic config manager
ingresscontroller.dynamic-config-manager=true
# the following three variables are meaningful when the dynamic-config-manager=true
# 9223372036854775807 is the largest signed 64-bit integer, so the interval is
# effectively never reached (presumably to disable periodic commits - confirm).
ingresscontroller.commit-interval=9223372036854775807ns
ingresscontroller.blueprint-route-pool-size=300
# The worst case is the bootstrap route. For 2SU, this needs to be 6. When we start supporting 3SU, we might want
# to switch to using "router.openshift.io/pool-size" on the bootstrap blueprint.
ingresscontroller.max-dynamic-servers=6
# Disconnect established connections after a haproxy reconfiguration event that *requires a restart*.
ingresscontroller.hard-stop-after=5s
# Coalesce up-to reload-interval-seconds worth of haproxy reconfiguration events before restarting.
ingresscontroller.reload-interval-seconds=60
# external configuration injection through configmap
# With fail-on-missing-config=false the application still starts when the
# ConfigMap cannot be found, and then runs on the values in this file.
# NOTE(review): properties read from kas-fleetshard-config presumably take
# precedence over the ones here, including the image references and the
# managedkafka.kafka.acl.* rules. Edit rights on that ConfigMap are therefore
# security-relevant and changes to it are worth auditing - confirm.
quarkus.kubernetes-config.enabled=true
quarkus.kubernetes-config.fail-on-missing-config=false
quarkus.kubernetes-config.config-maps=kas-fleetshard-config
# Kubernetes manifest generation
quarkus.kubernetes.service-account=kas-fleetshard-operator
quarkus.kubernetes.labels.app=kas-fleetshard-operator
# deactivate CRD checking from Java Operator SDK
quarkus.operator-sdk.crd.validate=false
# RBAC manifests are not generated by the operator SDK extension, so the roles
# bound to the service account above must be maintained elsewhere (not visible
# in this file).
quarkus.operator-sdk.disable-rbac-generation=true
# increasing retries from the default max-attempts of 5
quarkus.operator-sdk.controllers."managedkafkacontroller".retry.max-attempts=20
quarkus.arc.test.disable-application-lifecycle-observers=true
# Platform (cloud provider) configurations
platform.aws.default-storage-class=gp2
platform.azure.default-storage-class=managed-premium
platform.gcp.default-storage-class=standard
#
# Default managedkafka properties - shared by all instances,
# are not part of the KafkaInstanceConfiguration, or are interpolated
#
# Common prefix for private/internal RHOSAK/Red Hat topics, consumer groups, etc.
# The canary names below and the priority=1 deny rules in
# managedkafka.kafka.acl.global are all built from this value.
managedkafka.kafka.acl.private-prefix=__redhat_
managedkafka.canary.topic=${managedkafka.kafka.acl.private-prefix}strimzi_canary
managedkafka.canary.consumer-group-id=${managedkafka.kafka.acl.private-prefix}strimzi_canary_group
managedkafka.canary.client-id=${managedkafka.kafka.acl.private-prefix}strimzi_canary_client
# Default max session lifetime to 4m 59s (299000 ms)
# NOTE(review): presumably the bound on how long an authenticated session lasts
# before the client must re-authenticate - confirm against the code that reads it.
managedkafka.kafka.maximum-session-lifetime-default=299000
# Histogram bucket boundaries for canary latency metrics (presumably milliseconds - confirm).
managedkafka.canary.producer-latency-buckets=50,100,150,200,250,300,350,400,450,500
managedkafka.canary.endtoend-latency-buckets=100,200,300,400,500,600,700,800,900,1000,1100,1200
managedkafka.canary.connection-check-latency-buckets=100,200,300,400,500,600,700,800,900,1000,1100,1200
managedkafka.canary.status-time-window-ms=300000
managedkafka.upgrade.consuming-percentage-threshold=90
# Static ACL configuration for CustomAclAuthorizer
managedkafka.kafka.acl.authorizer-class=io.bf2.kafka.authorizer.CustomAclAuthorizer
managedkafka.kafka.acl.broker-plugins-config-prefix=kas.authorizer.
# NOTE(review): presumably requests arriving on the listed listener are allowed
# without evaluating the ACL rules below. If so, network reachability of
# SRE-9096 is the effective access control for it - confirm against the authorizer.
managedkafka.kafka.acl.allowed-listeners=SRE-9096
# Log suppression for the listed high-volume APIs (window PT300S, eventCount 5000).
# NOTE(review): it is not visible here whether suppression also applies to
# denied requests. If it does, authorization-failure counts taken from the logs
# under-report during a window - confirm before using them for detection.
managedkafka.kafka.acl.logging.suppression-window.duration=PT300S
managedkafka.kafka.acl.logging.suppression-window.eventCount=5000
managedkafka.kafka.acl.logging.suppression-window.apis=PRODUCE,FETCH,\
JOIN_GROUP,SYNC_GROUP,OFFSET_COMMIT,\
ADD_PARTITIONS_TO_TXN,ADD_OFFSETS_TO_TXN,TXN_OFFSET_COMMIT,END_TXN
# Global + Default ACLs
# - Default clusters to allow describe of all topics, consumer groups, and ACLs
# - Globally deny cluster operations other than idempotent_write, describe_acls, create_acls, and delete_acls
# - priority=1 rules deny all operations on __consumer_offsets, __transaction_state,
#   and every topic, group and transactional_id that starts with the private prefix
# Rules are separated by an escaped newline; the backslash at the end of each
# physical line only continues the property value. Do not place comments or
# blank lines inside the continued value.
# NOTE(review): how the authorizer interprets priority and default=true is not
# defined in this file - confirm rule precedence against the authorizer.
managedkafka.kafka.acl.global=\
default=true;permission=allow;topic=*;operations=describe,describe_configs \n\
default=true;permission=allow;group=*;operations=describe \n\
default=true;permission=allow;cluster=*;operations=describe \n\
permission=deny;cluster=*;operations-except=alter,describe,idempotent_write \n\
permission=deny;cluster=*;operations=alter;apis-except=create_acls,delete_acls \n\
permission=deny;cluster=*;operations=describe;apis-except=describe_acls \n\
permission=allow;cluster=*;operations=idempotent_write \n\
priority=1;permission=deny;topic=__consumer_offsets;operations=all \n\
priority=1;permission=deny;topic=__transaction_state;operations=all \n\
priority=1;permission=deny;topic=${managedkafka.kafka.acl.private-prefix}*;operations=all \n\
priority=1;permission=deny;group=${managedkafka.kafka.acl.private-prefix}*;operations=all \n\
priority=1;permission=deny;transactional_id=${managedkafka.kafka.acl.private-prefix}*;operations=all
# ACLs for the "suspended" state: deny all operations on every topic, group and cluster resource.
# NOTE(review): transactional_id=* has no deny rule here, although the owner and
# canary rule sets list that resource type explicitly - confirm this is intended.
managedkafka.kafka.acl.suspended=\
priority=1;permission=deny;topic=*;operations=all \n\
priority=1;permission=deny;group=*;operations=all \n\
priority=1;permission=deny;cluster=*;operations=all
# Allow "owner" users full control of topics, groups, transactional_ids, and cluster ACLs
# principal=%1$s is a positional format placeholder; the principal name is
# presumably substituted by the code that reads this property.
# NOTE(review): a substituted name containing ';' or a newline would change the
# rule list, so confirm the caller validates the principal before formatting.
managedkafka.kafka.acl.owner=\
priority=1;permission=allow;principal=%1$s;cluster=*;operations=describe;apis=describe_acls \n\
priority=1;permission=allow;principal=%1$s;cluster=*;operations=alter;apis=create_acls,delete_acls \n\
priority=1;permission=allow;principal=%1$s;topic=*;operations=all \n\
priority=1;permission=allow;principal=%1$s;group=*;operations=all \n\
priority=1;permission=allow;principal=%1$s;transactional_id=*;operations=all
# "canary" service account allowed to read/write own topic, read own consumer group
# It is also allowed create/describe/alter/alter_configs on its own topic and the
# cluster-level list_partition_reassignments and alter_partition_reassignments APIs.
# All other topic, group and transactional_id access is denied at priority=1.
# NOTE(review): the reassignment grants are on cluster=*, so they are not limited
# to the canary topic - confirm this matches the least privilege the canary needs.
# NOTE(review): the canary topic carries the private prefix, which the global
# rules deny at priority=1. The priority=0 allows here presumably take
# precedence over priority=1 denies - confirm against the authorizer.
managedkafka.kafka.acl.service-accounts.canary=\
priority=0;permission=allow;principal=%1$s;cluster=*;operations=describe;apis=list_partition_reassignments \n\
priority=0;permission=allow;principal=%1$s;cluster=*;operations=alter;apis=alter_partition_reassignments \n\
priority=0;permission=allow;principal=%1$s;topic=${managedkafka.canary.topic};operations=create,describe,read,write,alter,alter_configs \n\
priority=0;permission=allow;principal=%1$s;group=${managedkafka.canary.consumer-group-id};operations=describe,read \n\
priority=1;permission=deny;principal=%1$s;topic=*;operations=all \n\
priority=1;permission=deny;principal=%1$s;group=*;operations=all \n\
priority=1;permission=deny;principal=%1$s;transactional_id=*;operations=all
# Used for validation in Admin API and custom Kafka Authorizer
# JSON map from resource type to the operations that may appear in an ACL binding for it.
managedkafka.kafka.acl.resource-operations={ "cluster": [ "describe", "alter" ], "group": [ "all", "delete", "describe", "read" ], "topic": [ "all", "alter", "alter_configs", "create", "delete", "describe", "describe_configs", "read", "write" ], "transactional_id": [ "all", "describe", "write" ] }
# ACL logging config
# Used to configure per-action log levels
# Every rule below assigns level=DEBUG to the matching events. The listeners
# field is written as an alternation, (REPLICATION-9091|CONTROLPLANE-9090).
# NOTE(review): it is not visible here whether these levels apply to denied
# requests as well as allowed ones. If they do, denied describe/read/write
# attempts on private-prefix topics (the priority=1 rule) would not be logged at
# INFO - confirm before relying on broker logs to detect them.
managedkafka.kafka.acl.logging=\
cluster=*;listeners=(REPLICATION-9091|CONTROLPLANE-9090);operations=describe,read;level=DEBUG \n\
topic=*;listeners=(REPLICATION-9091|CONTROLPLANE-9090);operations=describe,read;level=DEBUG \n\
cluster=*;apis=fetch,list_groups,describe_configs;level=DEBUG \n\
topic=*;apis=list_offsets;level=DEBUG \n\
topic=*;operations=describe;level=DEBUG \n\
priority=1;topic=${managedkafka.kafka.acl.private-prefix}*;operations=describe,read,write;level=DEBUG \n\
group=*;apis=offset_fetch,offset_commit,heartbeat,describe_groups,list_groups;level=DEBUG
managedkafka.canary.init-enabled=true
managedkafka.canary.init-timeout-seconds=600
# Topic configuration policy.
# range-rule entries appear to be name:min:max with an empty bound meaning "no
# limit" (max.message.bytes has only a max; segment.bytes and segment.ms have
# only a min) - TODO confirm against the policy implementation.
# mutable-rule presumably lists the topic configs clients may change - confirm.
managedkafka.kafka.topic-config-policy-enforced=true
managedkafka.kafka.topic-config-range-rule=max.message.bytes::1048588,segment.bytes:52428800:,segment.ms:600000:
managedkafka.kafka.topic-config-mutable-rule=message.timestamp.difference.max.ms,message.timestamp.type,retention.bytes,retention.ms,min.compaction.lag.ms,cleanup.policy,max.compaction.lag.ms,delete.retention.ms,message.downconversion.enable