diff options
Diffstat (limited to 'kubernetes/common/common/templates/_mariadb.tpl')
-rw-r--r-- | kubernetes/common/common/templates/_mariadb.tpl | 143 |
1 files changed, 111 insertions, 32 deletions
diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index caf2fd1031..0e46e5ef26 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -80,11 +80,7 @@ {{- index .Values "mariadb-galera" "nameOverride" -}} {{- end }} {{- else -}} - {{- if .Values.global.mariadbGalera.useOperator }} - {{- printf "%s-primary" (.Values.global.mariadbGalera.service) }} - {{- else }} {{- .Values.global.mariadbGalera.service -}} - {{- end }} {{- end -}} {{- end -}} @@ -118,14 +114,14 @@ {{- end -}} {{/* - Create MariDB Database via mariadb-operator + Create MariaDB Database via mariadb-operator */}} {{- define "common.mariadbOpDatabase" -}} {{- $dot := default . .dot -}} {{- $dbname := (required "'dbame' param, is required." .dbname) -}} {{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: Database metadata: name: {{ $dbinst }}-{{ $dbname }} @@ -147,7 +143,7 @@ spec: {{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} {{- $dbsecret := (required "'dbsecret' param, is required." .dbsecret) -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: User metadata: name: {{ $dbinst }}-{{ $dbuser }} @@ -155,6 +151,7 @@ spec: name: {{ $dbuser }} mariaDbRef: name: {{ $dbinst }} + waitForIt: true passwordSecretKeyRef: name: {{ $dbsecret }} key: password @@ -172,13 +169,14 @@ spec: {{- $dbname := (required "'dbame' param, is required." .dbname) -}} {{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: Grant metadata: name: {{ $dbuser }}-{{ $dbname }}-{{ $dbinst }} spec: mariaDbRef: name: {{ $dbinst }} + waitForIt: true privileges: - "ALL" database: {{ $dbname }} @@ -196,13 +194,19 @@ spec: {{- $dbinst := include "common.name" $dot -}} {{- $name := default $dbinst $dot.Values.backup.nameOverride -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: Backup metadata: name: {{ $name }} spec: + inheritMetadata: + labels: + sidecar.istio.io/inject: 'false' + backoffLimit: 5 + logLevel: info mariaDbRef: name: {{ $dbinst }} + waitForIt: true schedule: cron: {{ $dot.Values.backup.cron }} suspend: false @@ -244,7 +248,7 @@ spec: {{- $dbrootsecret := tpl (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.rootUser.externalSecret) $dot -}} {{- $dbusersecret := tpl (default (include "common.mariadb.secret.userCredentialsSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.db.externalSecret) $dot -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: MariaDB metadata: name: {{ $dbinst }} @@ -253,11 +257,37 @@ spec: runAsUser: 10001 runAsGroup: 10001 fsGroup: 10001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + volumes: + - name: run + emptyDir: + sizeLimit: 64Mi + - name: tmp + emptyDir: + sizeLimit: 64Mi + volumeMounts: + - name: run + mountPath: /run/mysqld + - name: tmp + mountPath: /tmp inheritMetadata: {{ if .Values.podAnnotations -}} annotations: {{ toYaml .Values.podAnnotations | nindent 6 }} {{- end }} labels: + # temporarily test mariaDB without sidecar (fix initial Job, Backup and Metrics) + # will be obsolete with "native-sidecars" feature in K8S and Istio + sidecar.istio.io/inject: "false" app: {{ $dbinst }} version: {{ .Values.mariadbOperator.appVersion }} rootPasswordSecretKeyRef: @@ -281,24 +311,52 @@ spec: enabled: true authDelegatorRoleName: {{ $dbinst }}-auth gracefulShutdownTimeout: 5s + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + privileged: false + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + primary: + automaticFailover: true + podIndex: 0 recovery: enabled: true - clusterHealthyTimeout: 5m0s + clusterHealthyTimeout: 30s clusterBootstrapTimeout: 10m0s - podRecoveryTimeout: 5m0s - podSyncTimeout: 10m0s + minClusterSize: 50% + podRecoveryTimeout: 3m0s + podSyncTimeout: 3m0s initContainer: image: {{ include "repositoryGenerator.githubContainerRegistry" . }}/{{ $dot.Values.mariadbOperator.galera.initImage }}:{{ $dot.Values.mariadbOperator.galera.initVersion }} imagePullPolicy: IfNotPresent - volumeClaimTemplate: - {{- if .Values.mariadbOperator.storageClassName }} - storageClassName: {{ .Values.mariadbOperator.storageClassName }} - {{- end }} - resources: - requests: - storage: 50Mi - accessModes: - - ReadWriteOnce + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + privileged: false + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + config: + reuseStorageVolume: false + volumeClaimTemplate: + {{- if .Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ .Values.mariadbOperator.persistence.storageClassName }} + {{- end }} + resources: + requests: + storage: 50Mi + accessModes: + - ReadWriteOnce {{- end }} livenessProbe: exec: @@ -318,16 +376,41 @@ spec: initialDelaySeconds: 20 periodSeconds: 10 timeoutSeconds: 5 - {{- if default false .Values.global.metrics.enabled }} + {{- if default false $dot.Values.global.metrics.enabled }} metrics: enabled: true + exporter: + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/prom/mysqld-exporter:v0.15.1 + port: 9104 + podSecurityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsUser: 10001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi {{- end }} affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - topologyKey: kubernetes.io/hostname tolerations: - - key: mariadb.mmontes.io/ha + - key: k8s.mariadb.com/ha operator: Exists effect: NoSchedule podDisruptionBudget: @@ -339,15 +422,11 @@ spec: key: my.cnf name: {{ printf "%s-configuration" (include "common.fullname" $dot) }} resources: {{ include "common.resources" . | nindent 4 }} - volumeClaimTemplate: - {{- if $dot.Values.mariadbOperator.storageClassName }} - storageClassName: {{ $dot.Values.mariadbOperator.storageClassName }} + storage: + {{- if $dot.Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ $dot.Values.mariadbOperator.persistence.storageClassName }} {{- end }} - resources: - requests: - storage: {{ $dot.Values.mariadbOperator.persistence.size | quote }} - accessModes: - - ReadWriteOnce + size: {{ $dot.Values.mariadbOperator.persistence.size | quote }} {{- if $dot.Values.db.user }} {{ include "common.mariadbOpUser" (dict "dot" . "dbuser" $dot.Values.db.user "dbinst" $dbinst "dbsecret" $dbusersecret) }} {{- end }} |