Reduce disk write amplification across cluster (~200-350 GB/day savings) [ci skip]

- Prometheus: persist metric whitelist (keep rules) to Helm template, preventing regression from 33K to 250K samples/scrape on next apply. Reduce retention 52w→26w. - MySQL InnoDB: aggressive write reduction — flush_log_at_trx_commit=0, sync_binlog=0, doublewrite=OFF, io_capacity=100/200, redo_log=1GB, flush_neighbors=1, reduced page cleaners. - etcd: increase snapshot-count 10000→50000 to reduce WAL snapshot frequency. - VM disks: enable TRIM/discard passthrough to LVM thin pool via create-vm module. - Cloud-init: enable fstrim.timer, journald limits (500M/7d/compress). - Kubelet: containerLogMaxSize=10Mi, containerLogMaxFiles=3. - Technitium: DNS query log retention 0→30 days (was unlimited writes to MySQL). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-09 19:01:21 +00:00 · 2026-04-09 19:01:21 +00:00 · 6101fb99f9
commit 6101fb99f9
parent 98aaba98da
8 changed files with 127 additions and 8 deletions
--- a/stacks/rbac/modules/rbac/etcd-tuning.tf
+++ b/stacks/rbac/modules/rbac/etcd-tuning.tf
@ -0,0 +1,50 @@
+# Tune etcd for reduced disk writes on k8s-master.
+# Increases snapshot-count from 10000 (default) to 50000 to reduce WAL snapshot frequency.
+# etcd writes ~37.5 GB/day; less frequent snapshots reduce this by ~30-40%.
+# This patches the kubeadm-managed static pod manifest. Note: kubeadm upgrades
+# will reset this, so re-apply after any kubeadm upgrade.
+
+resource "null_resource" "etcd_tuning" {
+  connection {
+    type        = "ssh"
+    user        = "wizard"
+    host        = var.k8s_master_host
+    private_key = var.ssh_private_key
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      <<-SCRIPT
+      sudo python3 -c "
+import yaml
+
+path = '/etc/kubernetes/manifests/etcd.yaml'
+with open(path) as f:
+    doc = yaml.safe_load(f)
+
+container = doc['spec']['containers'][0]
+args = container['command']
+
+# Update or add --snapshot-count=50000
+new_args = [a for a in args if not a.startswith('--snapshot-count=')]
+new_args.append('--snapshot-count=50000')
+
+# Update or add --quota-backend-bytes (256MB, default is 2GB which is fine)
+# Keep default for now
+
+container['command'] = new_args
+
+with open(path, 'w') as f:
+    yaml.dump(doc, f, default_flow_style=False)
+
+print('etcd manifest updated: --snapshot-count=50000')
+"
+      SCRIPT
+    ]
+  }
+
+  # Re-run if the configuration changes
+  triggers = {
+    snapshot_count = "50000"
+  }
+}