[PLAT-13974] Helm changes to support non-restart gflags workflow

Summary: Added changes to helm chart to support non-restart gflags Following is the mounted gflags file: `server.conf.template` ``` [root@ybvkumar-k8s-us-west1-a-vabq-yb-tserver-0 cores]# cat /opt/tserver/conf/server.conf.template --fs_data_dirs=/mnt/disk0 --tserver_master_addrs=ybvkumar-k8s-us-west1-b-wabq-yb-master-0.ybvkumar-k8s-us-west1-b-wabq-yb-masters.yb-admin-vkumar-k8s.svc.cluster.local:7100,ybvkumar-k8s-us-west1-a-vabq-yb-master-0.ybvkumar-k8s-us-west1-a-vabq-yb-masters.yb-admin-vkumar-k8s.svc.cluster.local:7100,ybvkumar-k8s-us-west1-c-xabq-yb-master-0.ybvkumar-k8s-us-west1-c-xabq-yb-masters.yb-admin-vkumar-k8s.svc.cluster.local:7100 --enable_ysql=true --pgsql_proxy_bind_address=0.0.0.0:5433 --metric_node_name=${HOSTNAME} --memory_limit_hard_bytes=3400000000 --stderrthreshold=0 --max_log_size=256 --num_cpus=2 --undefok=num_cpus,enable_ysql --use_node_hostname_for_local_tserver=true --cql_proxy_bind_address=${HOSTNAME}.ybvkumar-k8s-us-west1-a-vabq-yb-tservers.${NAMESPACE}.svc.cluster.local --rpc_bind_addresses=${HOSTNAME}.ybvkumar-k8s-us-west1-a-vabq-yb-tservers.${NAMESPACE}.svc.cluster.local --server_broadcast_addresses=${HOSTNAME}.ybvkumar-k8s-us-west1-a-vabq-yb-tservers.${NAMESPACE}.svc.cluster.local:9100 --webserver_interface=0.0.0.0 --certs_for_cdc_dir=/mnt/disk0/yw-data/yugabyte-tls-producer --placement_cloud=kubernetes --placement_region=us-west1 --placement_uuid=50fae571-9681-41d3-b290-9581cc17988c --placement_zone=us-west1-a --start_redis_proxy=false ``` Following is the applied gflags file used in the process: `server.conf` ``` [root@ybvkumar-k8s-us-west1-a-vabq-yb-tserver-0 cores]# cat /home/yugabyte/tserver/conf/server.conf --fs_data_dirs=/mnt/disk0 --tserver_master_addrs=ybvkumar-k8s-us-west1-b-wabq-yb-master-0.ybvkumar-k8s-us-west1-b-wabq-yb-masters.yb-admin-vkumar-k8s.svc.cluster.local:7100,ybvkumar-k8s-us-west1-a-vabq-yb-master-0.ybvkumar-k8s-us-west1-a-vabq-yb-masters.yb-admin-vkumar-k8s.svc.cluster.local:7100,ybvkumar-k8s-us-west1-c-xabq-yb-master-0.ybvkumar-k8s-us-west1-c-xabq-yb-masters.yb-admin-vkumar-k8s.svc.cluster.local:7100 --enable_ysql=true --pgsql_proxy_bind_address=0.0.0.0:5433 --metric_node_name=ybvkumar-k8s-us-west1-a-vabq-yb-tserver-0 --memory_limit_hard_bytes=3400000000 --stderrthreshold=0 --max_log_size=256 --num_cpus=2 --undefok=num_cpus,enable_ysql --use_node_hostname_for_local_tserver=true --cql_proxy_bind_address=ybvkumar-k8s-us-west1-a-vabq-yb-tserver-0.ybvkumar-k8s-us-west1-a-vabq-yb-tservers.yb-admin-vkumar-k8s.svc.cluster.local --rpc_bind_addresses=ybvkumar-k8s-us-west1-a-vabq-yb-tserver-0.ybvkumar-k8s-us-west1-a-vabq-yb-tservers.yb-admin-vkumar-k8s.svc.cluster.local --server_broadcast_addresses=ybvkumar-k8s-us-west1-a-vabq-yb-tserver-0.ybvkumar-k8s-us-west1-a-vabq-yb-tservers.yb-admin-vkumar-k8s.svc.cluster.local:9100 --webserver_interface=0.0.0.0 --certs_for_cdc_dir=/mnt/disk0/yw-data/yugabyte-tls-producer --placement_cloud=kubernetes --placement_region=us-west1 --placement_uuid=50fae571-9681-41d3-b290-9581cc17988c --placement_zone=us-west1-a --start_redis_proxy=false ``` The process will now start as: ``` root 7 1 0 09:12 ? 00:00:00 python /home/yugabyte/tools/k8s_parent.py /home/yugabyte/bin/yb-tserver --flagfile /tmp/yugabyte/tserver /conf/server.conf root 31 7 1 09:12 ? 00:02:04 /home/yugabyte/bin/yb-tserver --flagfile /tmp/yugabyte/tserver/conf/server.conf ``` Gflags setup - The gflags are created as per-zone secret. - The secret will be mounted at `/opt/{master,tserver}/conf/server.conf.template` - During runtime, the environment variables are used to replace the placeholder values. The final set of gflags after replacement are copied to `/home/yugabyte/{master,tserver}/conf/server.conf` Modification and Upgrade - Added a helm value per service: ``` tserver: gflagsChecksum: "0" master: gflagsChecksum: "0" ``` - For upgrades which require restart, we will provide the above value as "0", such that helm will calculate the checksum of secret and restart pod if required. - For upgrades which do not require restart, we will use the previous value of checksum, such that the secret modification does not lead to pod restart. Test Plan: Manually tested the changes for helm - Tested modifying secret and verified there is pod restart if old checksum is supplied. - Tested pods are restarted if gflags change and checksum provided is 0. - Tested processes are up and running using new way of applying gflags. Reviewers: anijhawan, sneelakantan, bgandhi, sanketh Reviewed By: anijhawan, bgandhi Subscribers: yugaware Differential Revision: https://phorge.dev.yugabyte.com/D35040
yugabyte · Jun 28, 2024 · 692d04c · 692d04c
1 parent 50815b5
commit 692d04c
Show file tree

Hide file tree

Showing 5 changed files with 172 additions and 109 deletions.
diff --git a/stable/yugabyte/templates/_helpers.tpl b/stable/yugabyte/templates/_helpers.tpl
@@ -228,18 +228,18 @@ Generate server FQDN.
 */}}
 {{- define "yugabyte.server_fqdn" -}}
   {{- if .Values.multicluster.createServicePerPod -}}
-    {{- printf "$(HOSTNAME).$(NAMESPACE).svc.%s" .Values.domainName -}}
+    {{- printf "${HOSTNAME}.${NAMESPACE}.svc.%s" .Values.domainName -}}
   {{- else if (and .Values.oldNamingStyle .Values.multicluster.createServiceExports) -}}
     {{ $membershipName := required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId }}
-    {{- printf "$(HOSTNAME).%s.%s.$(NAMESPACE).svc.clusterset.local" $membershipName .Service.name -}}
+    {{- printf "${HOSTNAME}.%s.%s.${NAMESPACE}.svc.clusterset.local" $membershipName .Service.name -}}
   {{- else if .Values.oldNamingStyle -}}
-    {{- printf "$(HOSTNAME).%s.$(NAMESPACE).svc.%s" .Service.name .Values.domainName -}}
+    {{- printf "${HOSTNAME}.%s.${NAMESPACE}.svc.%s" .Service.name .Values.domainName -}}
   {{- else -}}
     {{- if .Values.multicluster.createServiceExports -}}
       {{ $membershipName := required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId }}
-      {{- printf "$(HOSTNAME).%s.%s-%s.$(NAMESPACE).svc.clusterset.local" $membershipName (include "yugabyte.fullname" .) .Service.name -}}
+      {{- printf "${HOSTNAME}.%s.%s-%s.${NAMESPACE}.svc.clusterset.local" $membershipName (include "yugabyte.fullname" .) .Service.name -}}
     {{- else -}}
-      {{- printf "$(HOSTNAME).%s-%s.$(NAMESPACE).svc.%s" (include "yugabyte.fullname" .) .Service.name .Values.domainName -}}
+      {{- printf "${HOSTNAME}.%s-%s.${NAMESPACE}.svc.%s" (include "yugabyte.fullname" .) .Service.name .Values.domainName -}}
     {{- end -}}
   {{- end -}}
 {{- end -}}
@@ -314,7 +314,7 @@ Get YugaByte master addresses
     {{- if eq .name "yb-masters" -}}
       {{- range $index := until $master_replicas -}}
         {{- if ne $index 0 }},{{ end -}}
-        {{- $prefix }}yb-master-{{ $index }}.{{ $prefix }}yb-masters.$(NAMESPACE).svc.{{ $domain_name }}:7100
+        {{- $prefix }}yb-master-{{ $index }}.{{ $prefix }}yb-masters.${NAMESPACE}.svc.{{ $domain_name }}:7100
       {{- end -}}
     {{- end -}}
   {{- end -}}

diff --git a/stable/yugabyte/templates/master-gflags-secret.yaml b/stable/yugabyte/templates/master-gflags-secret.yaml
@@ -0,0 +1,57 @@
+{{- $root := . -}}
+{{- range $service := $root.Values.Services }}
+{{- if eq $service.name "yb-masters" }}
+{{- $serviceValues := (dict "Service" $service "Values" $root.Values "Chart" $root.Chart "Release" $root.Release) -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "yugabyte.fullname" $root }}-master-gflags
+  namespace: "{{ $root.Release.Namespace }}"
+type: Opaque
+stringData:
+  server.conf.template: |
+{{- if not $root.Values.storage.ephemeral }}
+    --fs_data_dirs={{ template "yugabyte.fs_data_dirs" $root.Values.storage.master }}
+{{- else }}
+    --fs_data_dirs=/var/yugabyte
+{{- end }}
+{{- if eq $root.Values.ip_version_support "v6_only" }}
+    --net_address_filter=ipv6_external,ipv6_non_link_local,ipv6_all,ipv4_external,ipv4_all
+{{- end }}
+{{- if $root.Values.isMultiAz }}
+    --master_addresses={{ $root.Values.masterAddresses }}
+    --replication_factor={{ $root.Values.replicas.totalMasters }}
+{{- else }}
+    --master_addresses={{ template "yugabyte.master_addresses" $root }}
+    --replication_factor={{ $root.Values.replicas.master }}
+{{- end }}
+{{- if not $root.Values.disableYsql }}
+    --enable_ysql=true
+{{- else }}
+    --enable_ysql=false
+{{- end }}
+{{- if $root.Values.tls.enabled }}
+    --certs_dir=/opt/certs/yugabyte
+    --use_node_to_node_encryption={{ $root.Values.tls.nodeToNode }}
+    --allow_insecure_connections={{ $root.Values.tls.insecure }}
+{{- end }}
+{{- if $root.Values.yugabytedUi.enabled }}
+    --master_enable_metrics_snapshotter={{ $root.Values.yugabytedUi.metricsSnapshotter.enabled }}
+    --metrics_snapshotter_tserver_metrics_whitelist={{ join "," $root.Values.yugabytedUi.metricsSnapshotter.whitelist }}
+{{- end }}
+    --metric_node_name=${HOSTNAME}
+    --memory_limit_hard_bytes={{ template "yugabyte.memory_hard_limit" dict "size" $root.Values.resource.master.limits.memory "limitPercent" $root.Values.master.memoryLimitHardPercentage }}
+    --stderrthreshold=0
+    --num_cpus={{ ceil $root.Values.resource.master.requests.cpu }}
+    --max_log_size=256
+    --undefok=num_cpus,enable_ysql
+    --rpc_bind_addresses={{ include "yugabyte.rpc_bind_address" $serviceValues }}
+    --server_broadcast_addresses={{ include "yugabyte.server_broadcast_address" $serviceValues }}
+    --webserver_interface={{ include "yugabyte.webserver_interface" $serviceValues }}
+{{- range $flag, $override := $root.Values.gflags.master }}
+    --{{ $flag }}={{ $override }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
diff --git a/stable/yugabyte/templates/service.yaml b/stable/yugabyte/templates/service.yaml
@@ -221,18 +221,19 @@ spec:
       {{- include "yugabyte.appselector" ($appLabelArgs) | indent 6 }}
   template:
     metadata:
+      annotations:
       {{- if eq .name "yb-masters" }}
+        checksum/gflags: {{ (not $root.Values.master.gflagsChecksum) | ternary (include (print $root.Template.BasePath "/master-gflags-secret.yaml") $root | sha256sum) $root.Values.master.gflagsChecksum }}
       {{- if (or $root.Values.networkAnnotation $root.Values.master.podAnnotations $root.Values.tls.enabled) }}
-      annotations:
       {{- with $root.Values.networkAnnotation }}{{ toYaml . | nindent 8 }}{{ end }}
       {{- with $root.Values.master.podAnnotations }}{{ toYaml . | nindent 8 }}{{ end }}
       {{- if $root.Values.tls.enabled }}
         checksum/rootCA: {{ cat $root.Values.tls.rootCA.cert $root.Values.tls.rootCA.key | sha256sum }}
       {{- end }}
       {{- end }}
       {{- else }}
+        checksum/gflags: {{ (not $root.Values.tserver.gflagsChecksum) | ternary (include (print $root.Template.BasePath "/tserver-gflags-secret.yaml") $root | sha256sum) $root.Values.tserver.gflagsChecksum }}
       {{- if (or $root.Values.networkAnnotation $root.Values.tserver.podAnnotations $root.Values.tls.enabled) }}
-      annotations:
       {{- with $root.Values.networkAnnotation }}{{ toYaml . | nindent 8 }}{{ end }}
       {{- with $root.Values.tserver.podAnnotations }}{{ toYaml . | nindent 8 }}{{ end }}
       {{- if $root.Values.tls.enabled }}
@@ -497,49 +498,10 @@ spec:
             fi && \
           {{- end }}
           {{- if eq .name "yb-masters" }}
+            mkdir -p /tmp/yugabyte/master/conf && \
+            envsubst < /opt/master/conf/server.conf.template > /tmp/yugabyte/master/conf/server.conf && \
             exec ${k8s_parent} /home/yugabyte/bin/yb-master \
-              --max_log_size="256" \
-              --undefok="enable_ysql" \
-            {{- if not $root.Values.storage.ephemeral }}
-              --fs_data_dirs={{ template "yugabyte.fs_data_dirs" $storageInfo }} \
-            {{- else }}
-              --fs_data_dirs=/var/yugabyte \
-            {{- end }}
-            {{- if eq $root.Values.ip_version_support "v6_only" }}
-              --net_address_filter=ipv6_external,ipv6_non_link_local,ipv6_all,ipv4_external,ipv4_all \
-            {{- end }}
-            {{- if $root.Values.isMultiAz }}
-              --master_addresses={{ $root.Values.masterAddresses }} \
-              --replication_factor={{ $root.Values.replicas.totalMasters }} \
-            {{- else }}
-              --master_addresses={{ template "yugabyte.master_addresses" $root }} \
-              --replication_factor={{ $root.Values.replicas.master }} \
-            {{- end }}
-            {{- if not $root.Values.disableYsql }}
-              --enable_ysql=true \
-            {{- else }}
-              --enable_ysql=false \
-            {{- end }}
-              --metric_node_name=$(HOSTNAME) \
-              --memory_limit_hard_bytes={{ template "yugabyte.memory_hard_limit" dict "size" $root.Values.resource.master.limits.memory "limitPercent" $root.Values.master.memoryLimitHardPercentage }} \
-              --stderrthreshold=0 \
-              --num_cpus={{ ceil $root.Values.resource.master.requests.cpu }} \
-              --undefok=num_cpus,enable_ysql \
-            {{- range $flag, $override := $root.Values.gflags.master }}
-              --{{ $flag }}={{ quote $override }} \
-            {{- end }}
-            {{- if $root.Values.tls.enabled }}
-              --certs_dir=/opt/certs/yugabyte \
-              --use_node_to_node_encryption={{ $root.Values.tls.nodeToNode }} \
-              --allow_insecure_connections={{ $root.Values.tls.insecure }} \
-            {{- end }}
-              --rpc_bind_addresses={{ $rpcAddr }} \
-              --server_broadcast_addresses={{ $broadcastAddr }} \
-              --webserver_interface={{ $webserverAddr }} \
-            {{- if $root.Values.yugabytedUi.enabled }}
-              --master_enable_metrics_snapshotter={{ $root.Values.yugabytedUi.metricsSnapshotter.enabled }} \
-              --metrics_snapshotter_tserver_metrics_whitelist={{ join "," $root.Values.yugabytedUi.metricsSnapshotter.whitelist }}
-            {{- end }}
+              --flagfile /tmp/yugabyte/master/conf/server.conf
           {{- else }}
             {{- $cqlAddr := include "yugabyte.cql_proxy_bind_address" $serviceValues -}}
             {{- $cqlPort := index $service.ports "tcp-yql-port" -}}
@@ -553,65 +515,10 @@ spec:
               {{- $ysqlPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $ysqlDict) -}}
               {{- if $ysqlPreflight -}}{{ $ysqlPreflight | nindent 12 }}{{ end -}}
             {{- end }}
-            exec ${k8s_parent} /home/yugabyte/bin/yb-tserver \
-              --max_log_size="256" \
-              --undefok="enable_ysql" \
-            {{- if not $root.Values.storage.ephemeral }}
-              --fs_data_dirs={{ template "yugabyte.fs_data_dirs" $storageInfo }} \
-            {{- else }}
-              --fs_data_dirs=/var/yugabyte \
-            {{- end }}
-            {{- if eq $root.Values.ip_version_support "v6_only" }}
-              --net_address_filter=ipv6_external,ipv6_non_link_local,ipv6_all,ipv4_external,ipv4_all \
-            {{- end }}
-            {{- if $root.Values.isMultiAz }}
-              --tserver_master_addrs={{ $root.Values.masterAddresses }} \
-            {{- else }}
-              --tserver_master_addrs={{ template "yugabyte.master_addresses" $root }} \
-            {{- end }}
-              --metric_node_name=$(HOSTNAME) \
-              --memory_limit_hard_bytes={{ template "yugabyte.memory_hard_limit" dict "size" $root.Values.resource.tserver.limits.memory "limitPercent" $root.Values.tserver.memoryLimitHardPercentage }} \
-              --stderrthreshold=0 \
-              --num_cpus={{ ceil $root.Values.resource.tserver.requests.cpu }} \
-              --undefok=num_cpus,enable_ysql \
-              --use_node_hostname_for_local_tserver=true \
-            {{- if $root.Values.authCredentials.ysql.password }}
-              --ysql_enable_auth=true \
-              {{- if (include "yugabyte.tserver.readinessProbe" $root) }}
-              --ysql_hba_conf_csv="local all yugabyte trust" \
-              {{- end }}
-            {{- end }}
-            {{- if or $root.Values.authCredentials.ycql.user $root.Values.authCredentials.ycql.password }}
-              --use_cassandra_authentication=true \
-            {{- end }}
-            {{- range $flag, $override := $root.Values.gflags.tserver }}
-              --{{ $flag }}={{ quote $override }} \
-            {{- end }}
-            {{- if $root.Values.tls.enabled }}
-              --certs_dir=/opt/certs/yugabyte \
-              --use_node_to_node_encryption={{ $root.Values.tls.nodeToNode }} \
-              --allow_insecure_connections={{ $root.Values.tls.insecure }} \
-              --use_client_to_server_encryption={{ $root.Values.tls.clientToServer }} \
-              --certs_for_client_dir=/opt/certs/yugabyte \
-              {{- if $root.Values.tserver.serverBroadcastAddress }}
-              --cert_node_filename={{ include "yugabyte.server_fqdn" $serviceValues }} \
-              {{- end }}
-            {{- end }}
-              --rpc_bind_addresses={{ $rpcAddr }} \
-              --server_broadcast_addresses={{ $root.Values.tserver.serverBroadcastAddress | default $broadcastAddr }} \
-              --webserver_interface={{ $webserverAddr }} \
-            {{- if not $root.Values.disableYsql }}
-              --enable_ysql=true \
-              --pgsql_proxy_bind_address={{ $ysqlAddr }} \
-            {{- else }}
-              --enable_ysql=false \
-            {{- end }}
-              --cql_proxy_bind_address={{ $cqlAddr }} \
-            {{- if $root.Values.yugabytedUi.enabled }}
-              --tserver_enable_metrics_snapshotter={{ $root.Values.yugabytedUi.metricsSnapshotter.enabled }} \
-              --metrics_snapshotter_interval_ms={{ $root.Values.yugabytedUi.metricsSnapshotter.interval }} \
-              --metrics_snapshotter_tserver_metrics_whitelist={{ join "," $root.Values.yugabytedUi.metricsSnapshotter.whitelist }}
-            {{- end }}
+              mkdir -p /tmp/yugabyte/tserver/conf && \
+              envsubst < /opt/tserver/conf/server.conf.template > /tmp/yugabyte/tserver/conf/server.conf && \
+              exec ${k8s_parent} /home/yugabyte/bin/yb-tserver \
+                --flagfile /tmp/yugabyte/tserver/conf/server.conf
           {{- end }}
         ports:
           {{- range $label, $port := .ports }}
@@ -629,6 +536,11 @@ spec:
           {{- if (eq .name "yb-tservers") }}
           - name: tserver-tmp
             mountPath: /tmp
+          - name: tserver-gflags
+            mountPath: /opt/tserver/conf
+          {{- else if (eq .name "yb-masters") }}
+          - name: master-gflags
+            mountPath: /opt/master/conf
           {{- end }}
           - name: debug-hooks-volume
             mountPath: /opt/debug_hooks_config
@@ -823,11 +735,19 @@ spec:
           configMap:
             name: {{ include "yugabyte.fullname" $root }}-master-hooks
             defaultMode: 0755
+        - name: master-gflags
+          secret:
+            secretName: {{ include "yugabyte.fullname" $root }}-master-gflags
+            defaultMode: 0755
         {{- else if (eq .name "yb-tservers") }}
         - name: debug-hooks-volume
           configMap:
             name: {{ include "yugabyte.fullname" $root }}-tserver-hooks
             defaultMode: 0755
+        - name: tserver-gflags
+          secret:
+            secretName: {{ include "yugabyte.fullname" $root }}-tserver-gflags
+            defaultMode: 0755
         - name: tserver-tmp
           emptyDir: {}
         {{- end }}

diff --git a/stable/yugabyte/templates/tserver-gflags-secret.yaml b/stable/yugabyte/templates/tserver-gflags-secret.yaml
@@ -0,0 +1,73 @@
+{{- $root := . -}}
+{{- range $service := $root.Values.Services }}
+{{- if eq $service.name "yb-tservers" }}
+{{- $serviceValues := (dict "Service" $service "Values" $root.Values "Chart" $root.Chart "Release" $root.Release) -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "yugabyte.fullname" $root }}-tserver-gflags
+  namespace: "{{ $root.Release.Namespace }}"
+type: Opaque
+stringData:
+  server.conf.template: |
+{{- if not $root.Values.storage.ephemeral }}
+    --fs_data_dirs={{ template "yugabyte.fs_data_dirs" $root.Values.storage.tserver }}
+{{- else }}
+    --fs_data_dirs=/var/yugabyte
+{{- end }}
+{{- if eq $root.Values.ip_version_support "v6_only" }}
+    --net_address_filter=ipv6_external,ipv6_non_link_local,ipv6_all,ipv4_external,ipv4_all
+{{- end }}
+{{- if $root.Values.isMultiAz }}
+    --tserver_master_addrs={{ $root.Values.masterAddresses }}
+{{- else }}
+    --tserver_master_addrs={{ template "yugabyte.master_addresses" $root }}
+{{- end }}
+{{- if $root.Values.authCredentials.ysql.password }}
+    --ysql_enable_auth=true
+  {{- if (include "yugabyte.tserver.readinessProbe" $root) }}
+    --ysql_hba_conf_csv="local all yugabyte trust"
+  {{- end }}
+{{- end }}
+{{- if or $root.Values.authCredentials.ycql.user $root.Values.authCredentials.ycql.password }}
+    --use_cassandra_authentication=true
+{{- end }}
+{{- if $root.Values.tls.enabled }}
+    --certs_dir=/opt/certs/yugabyte
+    --use_node_to_node_encryption={{ $root.Values.tls.nodeToNode }}
+    --allow_insecure_connections={{ $root.Values.tls.insecure }}
+    --use_client_to_server_encryption={{ $root.Values.tls.clientToServer }}
+    --certs_for_client_dir=/opt/certs/yugabyte
+  {{- if $root.Values.tserver.serverBroadcastAddress }}
+    --cert_node_filename={{ include "yugabyte.server_fqdn" $serviceValues }}
+  {{- end }}
+{{- end }}
+{{- if not $root.Values.disableYsql }}
+    --enable_ysql=true
+    --pgsql_proxy_bind_address={{ include "yugabyte.pgsql_proxy_bind_address" $serviceValues }}
+{{- else }}
+    --enable_ysql=false
+{{- end }}
+{{- if $root.Values.yugabytedUi.enabled }}
+    --tserver_enable_metrics_snapshotter={{ $root.Values.yugabytedUi.metricsSnapshotter.enabled }}
+    --metrics_snapshotter_interval_ms={{ $root.Values.yugabytedUi.metricsSnapshotter.interval }}
+    --metrics_snapshotter_tserver_metrics_whitelist={{ join "," $root.Values.yugabytedUi.metricsSnapshotter.whitelist }}
+{{- end }}
+    --metric_node_name=${HOSTNAME}
+    --memory_limit_hard_bytes={{ template "yugabyte.memory_hard_limit" dict "size" $root.Values.resource.tserver.limits.memory "limitPercent" $root.Values.tserver.memoryLimitHardPercentage }}
+    --stderrthreshold=0
+    --max_log_size=256
+    --num_cpus={{ ceil $root.Values.resource.tserver.requests.cpu }}
+    --undefok=num_cpus,enable_ysql
+    --use_node_hostname_for_local_tserver=true
+    --cql_proxy_bind_address={{ include "yugabyte.cql_proxy_bind_address" $serviceValues }}
+    --rpc_bind_addresses={{ include "yugabyte.rpc_bind_address" $serviceValues }}
+    --server_broadcast_addresses={{ $root.Values.tserver.serverBroadcastAddress | default (include "yugabyte.server_broadcast_address" $serviceValues) }}
+    --webserver_interface={{ include "yugabyte.webserver_interface" $serviceValues }}
+{{- range $flag, $override := $root.Values.gflags.tserver }}
+    --{{ $flag }}={{ $override }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
diff --git a/stable/yugabyte/values.yaml b/stable/yugabyte/values.yaml
@@ -498,6 +498,13 @@ master:
   ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
   customStartupProbe: {}
 
+  ## Checksum for master gflags secret. If set to empty, statefulset
+  ## will calculate new checksum value and decide whether to restart pods
+  ## based on the result of comparing previous checksum value and new value.
+  ## If previous value is provided again, there will be no Pod restart
+  ## for gflags changes.
+  gflagsChecksum: ""
+
 
 tserver:
   ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#affinity-v1-core
@@ -640,6 +647,12 @@ tserver:
   ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
   customStartupProbe: {}
 
+  ## Checksum for tserver gflags secret. If set to empty, statefulset
+  ## will calculate new checksum value and decide whether to restart pods
+  ## based on the result of comparing previous checksum value and new value.
+  ## If previous value is provided again, there will be no Pod restart
+  ## for gflags changes.
+  gflagsChecksum: ""
 
 helm2Legacy: false