Canonical Livepatch Server K8S
- Commercial Systems
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 43 | 14 Oct 2024 | |
latest/candidate | 44 | 14 Oct 2024 | |
latest/beta | 46 | 15 Oct 2024 | |
latest/edge | 49 | 22 Oct 2024 |
juju deploy canonical-livepatch-server-k8s
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
-
auth.basic.enabled | boolean
Whether basic auth should be used.
-
auth.basic.users | string
A comma separated list of "user:password" pairs used for authentication.
-
auth.sso.enabled | boolean
Note: Currently not available for on-prem users!
Whether or not OIDCSSO authentication should be enabled.
-
auth.sso.public-key | string
Public key for the auth server
-
auth.sso.teams | string
Note: Currently not available for on-prem users!
A list of comma separated launchpad teams that are allowed access when connecting to the admin tool by SSO authentication.
-
auth.sso.url | string
URL to access for SSO auth.
-
cloud_delay.default_delay_hours | int
Default delay hours for clouds/regions/azs without predefined delay hours.
-
cloud_delay.enabled | boolean
Whether to enable the delayed roll-out of patches based on a client's cloud.
-
contracts.ca | string
A certificate of the CA that issued the certificate of the contracts service. Use 'include-base64://' in a bundle to include a certificate. Otherwise, pass a base64-encoded certificate (base64 of "-----BEGIN" to "-----END") as a config option in a Juju CLI invocation.
-
contracts.enabled | boolean
Whether use of the contracts service is enabled.
-
contracts.password | string
Password to authenticate with backend contracts service.
-
contracts.url | string
Default: https://contracts.canonical.com
URL to hit for the contracts service
-
contracts.user | string
Username to authenticate with backend contracts service.
-
database.connection-lifetime-max | string
Default: 10m
The lifespan of an idle PostgreSQL connection.
-
database.connection-pool-max | int
Default: 10
The maximum pool of connections to PostgreSQL.
-
influx.bucket | string
Bucket to send data
-
influx.enabled | boolean
Enables influx db support for time series reporting.
-
influx.organization | string
Organization name
-
influx.token | string
Token to use for influx
-
influx.url | string
URL to connect to influx DB
-
kpi-reports.enabled | string
Note: Currently not available for on-prem users!
Key performance index: Metrics. Enables KPI worker - sends metrics to Influx.
-
kpi-reports.interval | string
Default: 5m
Note: Currently not available for on-prem users!
Specifies KPI worker frequency.
-
machine-reports.database.cleanup-interval | string
Default: 6h
Time between report cleanup runs.
-
machine-reports.database.cleanup-row-limit | int
Default: 1000
Maximum number of rows to remove with a single report cleanup row.
-
machine-reports.database.enabled | boolean
Whether or not to enabled machine reports writes to PostgreSQL.
-
machine-reports.database.retention-days | int
Default: 10
A thing used by the charm.
-
machine-reports.event-bus.brokers | string
The list of kafka brokers, comma separated to use for pushing reports.
-
machine-reports.event-bus.ca-cert | string
The X509 intermediate or root certificate authority certificate to use for mTLS authorisation.
-
machine-reports.event-bus.client-cert | string
The X509 client certificate to use for mTLS authorisation.
-
machine-reports.event-bus.client-key | string
The X509 private key associated with the client certificate to use for mTLS authorisation.
-
machine-reports.event-bus.enabled | boolean
Whether or not to enable machine reports writes to kafka.
-
machine-reports.event-bus.kafka-version | string
The kafka version you wish to specifically bind to, when not provided, the kafka version is not validated.
-
patch-blocklist.enabled | boolean
Whether or not to enable patch blocklist functionality for the admin tool.
-
patch-blocklist.refresh-interval | string
Default: 5m
How often to check for new blocklist entries.
-
patch-cache.cache-size | int
Default: 128
The size of the cache in patches.
-
patch-cache.cache-ttl | string
Default: 10m
How long to persist a patch in cache whilst it has not been actively retrieved.
-
patch-cache.enabled | boolean
Whether or not to cache patches.
-
patch-storage.filesystem-path | string
Default: /home/livepatchu/.livepatch/patches
The filesystem path to store patches.
-
patch-storage.postgres-connection-string | string
A connection string URI to a PostgreSQL database for patch storage.
When set to an empty string, it is handled by relation and uses the same database cluster that livepatch server uses for state. The database name is 'livepatch'.
If this is to be changed, it is expected that the database you wish to connect to is created manually.
-
patch-storage.s3-access-key | string
AWS programmatic API access key.
-
patch-storage.s3-bucket | string
The S3 bucket to store patches within.
-
patch-storage.s3-endpoint | string
The S3 API presigned endpoint.
-
patch-storage.s3-region | string
The AWS region for this S3 storage.
-
patch-storage.s3-secret-key | string
AWS programmatic API secret key.
-
patch-storage.s3-secure | boolean
Whether or not to perform TLS.
-
patch-storage.swift-api-key | string
An authorisation API key for swift.
-
patch-storage.swift-auth-url | string
The authorisation URL for swift.
-
patch-storage.swift-container | string
The swift blob storage location for storing patches.
-
patch-storage.swift-domain | string
The domain the containers reside under in swift for storing patches.
-
patch-storage.swift-region | string
The region assigned to this domain and tenant.
-
patch-storage.swift-tenant | string
The tenant account name for your container and API service user to connect under.
-
patch-storage.swift-username | string
The Swift username to login against when using API key authorisation.
-
patch-storage.type | string
Default: filesystem
The storage type to be used by the charm, defaults to filesystem. The path can be located under: /var/snap/canonical-livepatch-server/common/patches
The available options are:
- filesystem
- swift
- postgres
- s3
When using postgres for storage, the charm will work automatically by means of relation. The default database name is under: livepatch
The database name can be changed but must be created.
-
patch-sync.architectures | string
Comma-separated list of architectures to download patches for. When no value is present, all are synced. If this field is empty, the patch sync will gather all architectures.
-
patch-sync.enabled | boolean
Whether or not if this instance of Livepatch Server should sync patches from another instance.
A sync is effectively a "shared" storage, having access to the same pool of patches as the upstream services patch storage.
-
patch-sync.flavors | string
Default: generic,lowlatency,aws
A comma separated list of kernel flavors to download patches for. If this field is empty, the patch sync will gather all flavors.
-
patch-sync.interval | string
Default: 1h
Period between automatic patch snapshot downloads.
-
patch-sync.machine-count-strategy | string
Default: bucket
The strategy to use when counting machines in a set.
-
patch-sync.minimum-kernel-version | string
A minimum kernel version of format "0.0.0" denoting the lowest kernel version to download patches for. When no value is present, all are synced. For example, "5.4.0" will sync "5.4.0" and up.
-
patch-sync.proxy.enabled | boolean
Whether or not to proxy patch syncs.
-
patch-sync.proxy.http | string
A comma separated list HTTP proxies to query for patches.
-
patch-sync.proxy.https | string
A comma separated list HTTPS proxies to query for patches.
-
patch-sync.proxy.no-proxy | string
A comma separated list of domains, IP CIDRs and/or ports to block.
-
patch-sync.send-machine-reports | boolean
Enable sending reports from local machines during patch synchronisation.
-
patch-sync.sync-tiers | boolean
Mirror patch tier information from the upstream server. WARNING: Enabling this feature will modify existing tier information in order to match the upstream server's tier structure. Avoid this if you already have tiers setup.
-
patch-sync.upstream-url | string
Default: https://livepatch.canonical.com
Livepatch server to download patch snapshots from.
-
profiler.block_profile_rate | int
Default: 50000
this is the sampling average of one blocking event per
BlockProfileRate
nanoseconds spent blocked. For example, set rate to 1000000000 (aka int(time.Second.Nanoseconds())) to record one sample per second a goroutine is blocked. It is recommended to set this to values greater than 10,000. For more info, visit this: https://github.com/DataDog/go-profiler-notes/blob/main/block.md#benchmarks -
profiler.enabled | boolean
Whether to enable or disable continuous profiling on the server or not.
-
profiler.hostname | string
the hostname of the server the profiler is running on. This is used as a tag to group metrics by the server it is running on.
-
profiler.mutex_profile_fraction | int
Default: 5
this turns on mutex profiles with rate indicating the fraction of mutex contention events reported in the mutex profile. On average, 1/rate events are reported. Setting an aggressive rate can hurt performance. ProfileMutexes must be True
-
profiler.profile_allocations | boolean
this will profile the memory for allocated space as well as allocated objects
-
profiler.profile_blocks | boolean
would profile blocking events (channels, select, etc) with the BlockProfileRate frequency.
-
profiler.profile_goroutines | boolean
would profile separate concurrent running gorountines.
-
profiler.profile_inuse | boolean
this will profile the overall used memory as well as the memory used by objects
-
profiler.profile_mutexes | boolean
this turns on profiling for mutexes
-
profiler.sample_rate | int
Default: 100
sample rate for the profiler in Hz. 100 means reading 100 times per second.
-
profiler.server_address | string
The pyroscope server address to send the metrics to.
-
profiler.upload_rate | int
The frequency of upload to the profiling server
-
server.burst-limit | int
Default: 500
The maximum number of concurrently incoming requests.
After this limit, requests are queued according to the following: concurrency-limit - burst_limit
For defaults, this is: 1000 - 500 = 500 (Maximum queue).
Once the queue is reached, subsequent requests are rejected.
-
server.concurrency-limit | int
Default: 1000
Maximum number of API requests being served concurrently.
-
server.is-hosted | boolean
Defines whether the server will act as an on-prem server (i.e. fetching patches from the hosted server), or will act as a hosted server.
-
server.log-level | string
Default: info
The servers log level.
-
server.redirect-downloads | boolean
When true, the server will redirect downloads directed at its /v1/patches/{filename} endpoint to the endpoint defined in the server.url-template config option. This is useful if you want patch downloads to be redirected to a fileserver fronting patches. Note: Do not enable this option if the server.url-template is configured as the Livepatch-server as this will result in a redirect loop.
-
server.url-template | string
Template string to use when making URLs for giving back to the client.
e.g. https://livepatch-hosting.com/v1/patches/{filename}
This will need to be configured once the url or ip address of the service is known.