Canonical Livepatch Server K8S

  • Commercial Systems
Channel | Revision | Published | Runs on
latest/stable | 43 | 14 Oct 2024 | Ubuntu 22.04, Ubuntu 20.04
latest/candidate | 44 | 14 Oct 2024 | Ubuntu 22.04, Ubuntu 20.04
latest/beta | 46 | 15 Oct 2024 | Ubuntu 22.04, Ubuntu 20.04
latest/edge | 49 | 22 Oct 2024 | Ubuntu 22.04, Ubuntu 20.04
juju deploy canonical-livepatch-server-k8s

  • auth.basic.enabled | boolean

    Whether basic auth should be used.

  • auth.basic.users | string

    A comma separated list of "user:password" pairs used for authentication.

  • auth.sso.enabled | boolean

    Note: Currently not available for on-prem users!

    Whether or not OIDC SSO authentication should be enabled.

  • auth.sso.public-key | string

    Public key for the auth server.

  • auth.sso.teams | string

    Note: Currently not available for on-prem users!

    A comma-separated list of Launchpad teams that are allowed access when connecting to the admin tool via SSO authentication.

  • auth.sso.url | string

    URL to access for SSO auth.

  • cloud_delay.default_delay_hours | int

    Default delay, in hours, for clouds, regions or availability zones without a predefined delay.

  • cloud_delay.enabled | boolean

    Whether to enable the delayed roll-out of patches based on a client's cloud.

  • contracts.ca | string

    A certificate of the CA that issued the certificate of the contracts service. Use 'include-base64://' in a bundle to include a certificate. Otherwise, pass a base64-encoded certificate (base64 of "-----BEGIN" to "-----END") as a config option in a Juju CLI invocation.

  • contracts.enabled | boolean

    Whether use of the contracts service is enabled.

  • contracts.password | string

    Password to authenticate with backend contracts service.

  • contracts.url | string

    Default: https://contracts.canonical.com

    URL of the contracts service.

  • contracts.user | string

    Username to authenticate with backend contracts service.

  • database.connection-lifetime-max | string

    Default: 10m

    The lifespan of an idle PostgreSQL connection.

  • database.connection-pool-max | int

    Default: 10

    The maximum pool of connections to PostgreSQL.

  • influx.bucket | string

    The InfluxDB bucket to send data to.

  • influx.enabled | boolean

    Enables InfluxDB support for time-series reporting.

  • influx.organization | string

    The InfluxDB organization name.

  • influx.token | string

    Authentication token to use for InfluxDB.

  • influx.url | string

    URL of the InfluxDB instance to connect to.

  • kpi-reports.enabled | string

    Note: Currently not available for on-prem users!

    Enables the KPI (key performance indicator) worker, which sends metrics to InfluxDB.

  • kpi-reports.interval | string

    Default: 5m

    Note: Currently not available for on-prem users!

    Specifies KPI worker frequency.

  • machine-reports.database.cleanup-interval | string

    Default: 6h

    Time between report cleanup runs.

  • machine-reports.database.cleanup-row-limit | int

    Default: 1000

    Maximum number of rows to remove in a single report cleanup run.

  • machine-reports.database.enabled | boolean

    Whether or not to enable writing machine reports to PostgreSQL.

  • machine-reports.database.retention-days | int

    Default: 10

    The number of days machine reports are retained in PostgreSQL.

  • machine-reports.event-bus.brokers | string

    A comma-separated list of Kafka brokers to push reports to.

  • machine-reports.event-bus.ca-cert | string

    The X.509 intermediate or root certificate authority certificate to use for mTLS authorisation.

  • machine-reports.event-bus.client-cert | string

    The X.509 client certificate to use for mTLS authorisation.

  • machine-reports.event-bus.client-key | string

    The X.509 private key associated with the client certificate to use for mTLS authorisation.

  • machine-reports.event-bus.enabled | boolean

    Whether or not to enable writing machine reports to Kafka.

  • machine-reports.event-bus.kafka-version | string

    The Kafka version to bind to specifically. When not provided, the Kafka version is not validated.

  • patch-blocklist.enabled | boolean

    Whether or not to enable patch blocklist functionality for the admin tool.

  • patch-blocklist.refresh-interval | string

    Default: 5m

    How often to check for new blocklist entries.

  • patch-cache.cache-size | int

    Default: 128

    The size of the cache in patches.

  • patch-cache.cache-ttl | string

    Default: 10m

    How long to persist a patch in cache whilst it has not been actively retrieved.

  • patch-cache.enabled | boolean

    Whether or not to cache patches.

  • patch-storage.filesystem-path | string

    Default: /home/livepatchu/.livepatch/patches

    The filesystem path to store patches.

  • patch-storage.postgres-connection-string | string

    A connection string URI to a PostgreSQL database for patch storage.

    When set to an empty string, storage is handled via the relation and uses the same database cluster that the Livepatch server uses for state. The database name is 'livepatch'.

    If this is to be changed, the database you wish to connect to is expected to be created manually.

  • patch-storage.s3-access-key | string

    AWS programmatic API access key.

  • patch-storage.s3-bucket | string

    The S3 bucket to store patches within.

  • patch-storage.s3-endpoint | string

    The S3 API presigned endpoint.

  • patch-storage.s3-region | string

    The AWS region for this S3 storage.

  • patch-storage.s3-secret-key | string

    AWS programmatic API secret key.

  • patch-storage.s3-secure | boolean

    Whether or not to use TLS when connecting to S3.

  • patch-storage.swift-api-key | string

    An authorisation API key for Swift.

  • patch-storage.swift-auth-url | string

    The authorisation URL for Swift.

  • patch-storage.swift-container | string

    The Swift blob storage location for storing patches.

  • patch-storage.swift-domain | string

    The domain the containers reside under in Swift for storing patches.

  • patch-storage.swift-region | string

    The region assigned to this domain and tenant.

  • patch-storage.swift-tenant | string

    The tenant account name for your container and API service user to connect under.

  • patch-storage.swift-username | string

    The Swift username to login against when using API key authorisation.

  • patch-storage.type | string

    Default: filesystem

    The storage type to be used by the charm; defaults to filesystem. The path can be located under: /var/snap/canonical-livepatch-server/common/patches

    The available options are:

    • filesystem
    • swift
    • postgres
    • s3

    When using postgres for storage, the charm is configured automatically via the relation. The default database name is 'livepatch'.

    The database name can be changed, but the database must be created manually.

  • patch-sync.architectures | string

    Comma-separated list of architectures to download patches for. If this field is empty, the patch sync will gather all architectures.

  • patch-sync.enabled | boolean

    Whether or not this instance of Livepatch Server should sync patches from another instance.

    A sync effectively provides "shared" storage: the instance has access to the same pool of patches as the upstream service's patch storage.

  • patch-sync.flavors | string

    Default: generic,lowlatency,aws

    A comma separated list of kernel flavors to download patches for. If this field is empty, the patch sync will gather all flavors.

  • patch-sync.interval | string

    Default: 1h

    Period between automatic patch snapshot downloads.

  • patch-sync.machine-count-strategy | string

    Default: bucket

    The strategy to use when counting machines in a set.

  • patch-sync.minimum-kernel-version | string

    A minimum kernel version of format "0.0.0" denoting the lowest kernel version to download patches for. When no value is present, all are synced. For example, "5.4.0" will sync "5.4.0" and up.

  • patch-sync.proxy.enabled | boolean

    Whether or not to proxy patch syncs.

  • patch-sync.proxy.http | string

    A comma-separated list of HTTP proxies to query for patches.

  • patch-sync.proxy.https | string

    A comma-separated list of HTTPS proxies to query for patches.

  • patch-sync.proxy.no-proxy | string

    A comma separated list of domains, IP CIDRs and/or ports to block.

  • patch-sync.send-machine-reports | boolean

    Enable sending reports from local machines during patch synchronisation.

  • patch-sync.sync-tiers | boolean

    Mirror patch tier information from the upstream server. WARNING: Enabling this feature will modify existing tier information in order to match the upstream server's tier structure. Avoid this if you already have tiers set up.

  • patch-sync.upstream-url | string

    Default: https://livepatch.canonical.com

    Livepatch server to download patch snapshots from.

  • profiler.block_profile_rate | int

    Default: 50000

    The sampling rate for blocking events: on average, one blocking event is sampled per BlockProfileRate nanoseconds spent blocked. For example, set the rate to 1000000000 (i.e. int(time.Second.Nanoseconds())) to record one sample per second a goroutine is blocked. Values greater than 10,000 are recommended. For more information, see https://github.com/DataDog/go-profiler-notes/blob/main/block.md#benchmarks

  • profiler.enabled | boolean

    Whether to enable continuous profiling on the server.

  • profiler.hostname | string

    The hostname of the server the profiler is running on. This is used as a tag to group metrics by the server they come from.

  • profiler.mutex_profile_fraction | int

    Default: 5

    Turns on mutex profiling, with the rate indicating the fraction of mutex contention events reported in the mutex profile. On average, 1/rate events are reported. Setting an aggressive rate can hurt performance. ProfileMutexes (profiler.profile_mutexes) must be true.

  • profiler.profile_allocations | boolean

    Profiles memory for allocated space as well as allocated objects.

  • profiler.profile_blocks | boolean

    Profiles blocking events (channels, select, etc.) at the BlockProfileRate frequency.

  • profiler.profile_goroutines | boolean

    Profiles separately running concurrent goroutines.

  • profiler.profile_inuse | boolean

    Profiles the overall in-use memory as well as the memory used by objects.

  • profiler.profile_mutexes | boolean

    Turns on profiling for mutexes.

  • profiler.sample_rate | int

    Default: 100

    Sample rate for the profiler in Hz; 100 means sampling 100 times per second.

  • profiler.server_address | string

    The Pyroscope server address to send the metrics to.

  • profiler.upload_rate | int

    The frequency of uploads to the profiling server.

  • server.burst-limit | int

    Default: 500

    The maximum number of concurrent incoming requests.

    Beyond this limit, requests are queued; the queue size is: concurrency-limit - burst-limit

    With the defaults, this is: 1000 - 500 = 500 (maximum queue).

    Once the queue is full, subsequent requests are rejected.

  • server.concurrency-limit | int

    Default: 1000

    Maximum number of API requests being served concurrently.

  • server.is-hosted | boolean

    Defines whether the server will act as an on-prem server (i.e. fetching patches from the hosted server), or will act as a hosted server.

  • server.log-level | string

    Default: info

    The server's log level.

  • server.redirect-downloads | boolean

    When true, the server redirects downloads directed at its /v1/patches/(unknown) endpoint to the endpoint defined in the server.url-template config option. This is useful if you want patch downloads to be served by a file server fronting the patches. Note: do not enable this option if server.url-template points at the Livepatch server itself, as this results in a redirect loop.

  • server.url-template | string

    Template string to use when making URLs for giving back to the client.

    e.g. https://livepatch-hosting.com/v1/patches/(unknown)

    This will need to be configured once the URL or IP address of the service is known.
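The server.burst-limit queue arithmetic, the server.redirect-downloads loop caveat and the patch-sync.sync-tiers warning above are easy to get wrong in a bundle. The following added example (not part of the charm) lints a flat dict of option name to value, as you might assemble from `juju config` output; the `own_host` parameter and the constructed SAMPLE config are assumptions for illustration.

```python
"""Lint a canonical-livepatch-server-k8s config for the pitfalls the option reference calls out."""
from urllib.parse import urlparse


def max_queue_depth(cfg):
    """Queue size as the reference defines it: concurrency-limit - burst-limit (page defaults assumed)."""
    concurrency = int(cfg.get("server.concurrency-limit", 1000))
    burst = int(cfg.get("server.burst-limit", 500))
    return concurrency - burst


def lint(cfg, own_host):
    """Return a list of findings. own_host is the hostname clients use to reach this server (assumed input)."""
    findings = []
    # A queue of zero or less means every request over the burst limit is rejected outright.
    if max_queue_depth(cfg) <= 0:
        findings.append("server.burst-limit must be below server.concurrency-limit")
    # Redirecting /v1/patches back to this same host produces the redirect loop the reference warns about.
    if cfg.get("server.redirect-downloads") is True:
        target = urlparse(cfg.get("server.url-template", "")).hostname
        if target == own_host:
            findings.append("server.url-template points at this server: redirect loop")
    # Patches fetched from object storage without TLS.
    if cfg.get("patch-storage.type") == "s3" and cfg.get("patch-storage.s3-secure") is False:
        findings.append("patch-storage.s3-secure is false: S3 traffic is unencrypted")
    # Basic auth enabled but no well-formed "user:password" pairs.
    if cfg.get("auth.basic.enabled") is True:
        users = [u for u in cfg.get("auth.basic.users", "").split(",") if u]
        if not users or any(":" not in u for u in users):
            findings.append("auth.basic.enabled without well-formed auth.basic.users")
    # The reference warns this rewrites existing tier data to match upstream.
    if cfg.get("patch-sync.sync-tiers") is True:
        findings.append("patch-sync.sync-tiers rewrites local tiers to match upstream")
    return findings


# Constructed sample: an on-prem setup with several of the pitfalls present.
# The url-template placeholder for the file name is omitted on purpose.
SAMPLE = {
    "server.concurrency-limit": 1000, "server.burst-limit": 500,
    "server.redirect-downloads": True,
    "server.url-template": "https://livepatch.example.internal/v1/patches/",
    "patch-storage.type": "s3", "patch-storage.s3-secure": False,
    "auth.basic.enabled": True, "auth.basic.users": "admin",
}

if __name__ == "__main__":
    for finding in lint(SAMPLE, "livepatch.example.internal"):
        print("WARN:", finding)
```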