database

Deploy a complete database topology in your Kubernetes cluster using MariaDB, MaxScale and HAProxy.

Prerequisites

A Kubernetes cluster;
Persistent Volume (PV) provisioner support for persistence.

Install the chart

Add the repo

If you haven't yet, please add this repo to Helm.

To deploy the topology with the default parameters to your Kubernetes cluster:

helm install my-database sconeapps/database

The topology

             |
             v
        +---------+
        | HAProxy |
        +----+----+
             | (use any HAProxy load balancing)
       v-----------v
   +--------+  +--------+
   |MaxScale|  |MaxScale|
   |        |  |        |
   +---+----+  +---+----+
       |           | (shard-based routing)
    +-----+------+------+
    v     v      v      v
 +----+ +----+ +----+ +----+
 | DB | | DB | | DB | | DB |
 | 0  | | 1  | | 2  | | 3  |
 +----+ +----+ +----+ +----+

Each MariaDB instance deployed act as a shard, supporting also dynamic volumes (PVs) to provide persistence. MaxScale routes the incoming requests to the appropriate shard based on which table the operation (either a read or a write) is performed. The HAProxy (optionally) balances the load accross the MaxScale replicas.

Have a look at the Parameters section for a complete list of parameters this chart supports.

SGX device

By default, MariaDB and MaxScale helm charts use the SGX Plugin. Hence, their respective resource limits are set as follows:

resources:
  limits:
    sgx.intel.com/enclave: 1

In case you do not want to use the SGX plugin, you can remove the resource limit and explicitly mount the local SGX device by setting:

mariadb-scone:
    extraVolumes:
    - name: dev-isgx
        hostPath:
        path: /dev/isgx

    extraVolumeMounts:
    - name: dev-isgx
        path: /dev/isgx

maxscale:
    extraVolumes:
    - name: dev-isgx
        hostPath:
        path: /dev/isgx

    extraVolumeMounts:
    - name: dev-isgx
        path: /dev/isgx

Please note that mounting the local SGX device into a container requires privileged mode, which will grant the container access to ALL host devices. To enable privileged mode, set securityContext for MariaDB and MaxScale:

mariadb-scone:
  securityContext:
    privileged: true

maxscale:
  securityContext:
    privileged: true

Parameters

This is an umbrella chart composed by subcharts. In fact, the parameters are defined in each subchart (e.g. mariadb, maxscale), but here are a few key parameters. Refer to each subchart in this repo for the complete list of the parameters. Any parameter defined in the umbrella chart will override the subchart value, even those that are not listed below.

Parameter	Description	Default
`global.mariadb.replicaCount`	How many MariaDB instances to deploy. This value is used by MaxScale when generating the shard configuration, if auto-generation is enabled	`1`
`mariadb-scone.shardNameTemplate`	If defined, this will be the prefix of the database created in every MariaDB instance to act as a shard. To the prefix will be added the instance number, generated by the Kubernetes StatefulSet (e.g. db0, db1...)	`db`
`mariadb-scone.image`	MariaDB SCONE image	`registry.scontain.com/sconecuratedimages/apps:mariadb-alpine`
`mariadb-scone.imagePullPolicy`	MariaDB SCONE pull policy	`Always`
`mariadb-scone.service.port`	MariaDB SCONE server port	`3306`
`mariadb-scone.service.type`	MariaDB SCONE service type. As we are deploying MariaDB as a StatefulSet, we use a headless service.	`ClusterIP`
`mariadb-scone.extraVolumes`	Extra volume definitions	`[]`
`mariadb-scone.extraVolumeMounts`	Extra volume mounts for MariaDB pod	`[]`
`mariadb-scone.resources`	CPU/Memory resource requests/limits for node. Request SGX device through the SGX device plugin. Read more	`{"limits": {"sgx.intel.com/enclave": 1}}`
`mariadb-scone.scone.attestation.enabled`	Enable SCONE remote attestation	`true`
`mariadb-scone.scone.attestation.las`	LAS address, to be exported as `SCONE_LAS_ADDR`. Defaults to the Docker network interface address	`172.17.0.1`
`mariadb-scone.scone.attestation.cas`	CAS address, to be exported as `SCONE_CAS_ADDR`	`scone.ml`
`mariadb-scone.scone.attestation.config_id`	MariaDB SCONE session. To be exported as `SCONE_CONFIG_ID`	`database_policy/db`
`mariadb-scone.scone.attestation.env`	SCONE environment variables to be exported into the container	`SCONE_HEAP=2G,SCONE_ALLOW_DLOPEN=2,SCONE_MODE=hw,SCONE_LOG=7,SCONE_SYSLIBS=1`
`maxscale.replicaCount`	How many MaxScale replicas to deploy	`1`
`maxscale.image`	MaxScale SCONE image	`registry.scontain.com/sconecuratedimages/apps:maxscale`
`maxscale.imagePullPolicy`	MaxScale SCONE pull policy	`IfNotPresent`
`maxscale.service.port`	MaxScale listener port	`3306`
`maxscale.service.type`	MaxScale service type	`NodePort`
`maxscale.extraVolumes`	Extra volume definitions	`[]`
`maxscale.extraVolumeMounts`	Extra volume mounts for MaxScale pod	`[]`
`maxscale.resources`	CPU/Memory resource requests/limits for node.	`{}`
`maxscale.scone.attestation.enabled`	Enable SCONE remote attestation	`false`
`maxscale.scone.attestation.lasUseHostIP`	Use node host IP as LAS address	`true`
`maxscale.configuration`	Define the static configuration the MaxScale replicas will use. The content will be rendered as-is into `/etc/maxscale.cnf`. Refer to MaxScale chart to read more about configuration options	`nil`
`maxscale.generateConfig`	If enabled, let MaxScale generate its config. from provided templates	`true`
`maxscale.generateConfig.servers`	List of IP addresses to be added to MaxScale as servers. Leave it undefined or empty and MaxScale will use the DNS entries of the MariaDB instances deployed alongside it	`nil`
`maxscale.generateConfig.serverTemplate`	Template used to render server and monitor definitions. Now it defaults to sharded setup	Sharded setup, where each instance (e.g. IP address) is considered to be a different shard
`maxscale.generateConfig.serviceTemplate`	Template used to render service and listener definitions	Considers one service and one listener exposing all shards at the same port
`maxscale.generateConfig.cliTemplate`	Template used to render the CLI service for MaxScale admin tools	Default one, from MaxScale docs
`maxscale.haproxy.enabled`	Deploy HAProxy Ingress Controller alongside MaxScale and expose it through a service	`false`
`maxscale.haproxy.controller.service.type`	Type of service used to expose the HAProxy	`NodePort`
`maxscale.haproxy.controller.tcp`	Configure TCP services for the Ingress. Please note that MaxScale will be exposed by default (HAProxy's 8000 -> MaxScale's 3306)	`{}`
`maxscale.haproxy.defaultBackend.enabled`	Deploy a default backend service alongside the ingress controller	`true`
`maxscale.haproxy.defaultBackend.image.repository`	Image repository for the default backend service	`gcr.io/google_containers/defaultbackend`
`maxscale.haproxy.defaultBackend.image.tag`	Default backend service tag	`1.0`
`serviceAccount.create`	Create a serviceAccount to be used by the application	`false`
`useSGXDevPlugin`	Use SGX Device Plugin to access SGX resources.	`"enabled"`