[backups] Mariadb backups improvements

This PS removes the mariadb-verify-server sidecar container from the
mariadb-ondemand job in order to make the backup process more resilient.

Change-Id: I30aa513d28826c8ea487937c8c3f1a7afd985d21
Sergiy Markin 2023-12-13 18:06:38 +00:00
parent adeb25f870
commit 284e923314
4 changed files with 17 additions and 72 deletions


@ -13,4 +13,4 @@
apiVersion: v1 apiVersion: v1
description: Porthole MySql Client description: Porthole MySql Client
name: mysqlclient-utility name: mysqlclient-utility
version: 0.1.5 version: 0.1.7


@ -111,7 +111,7 @@ function ensure_ondemand_pod_exists() {
CONTAINERS=$(echo "$POD_LISTING" | awk '{print $2}') CONTAINERS=$(echo "$POD_LISTING" | awk '{print $2}')
# There should only ever be one ondemand pod existing at any time, so if # There should only ever be one ondemand pod existing at any time, so if
# we find any which are not ready remove them, even if completed. # we find any which are not ready remove them, even if completed.
if [[ $STATUS != "Running" || $CONTAINERS != "2/2" ]]; then if [[ $STATUS != "Running" || $CONTAINERS != "1/1" ]]; then
echo "Found an old on-demand pod; removing it." echo "Found an old on-demand pod; removing it."
remove_job "$NAMESPACE" "$ONDEMAND_JOB" remove_job "$NAMESPACE" "$ONDEMAND_JOB"
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
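Review bot: With the sidecar gone, the `$CONTAINERS != "1/1"` test reflects only the container's foreground process, which per the job-template change in this same commit is `/bin/sleep`. The verification server is started in the background of that container, so a pod whose server has already exited would still read as `Running` and `1/1` and be reused rather than removed. The literal count also has to be kept in step with the container list in the job template by hand. At minimum I would record this above the test, e.g. `# 1/1 covers only the container's main process, not the backgrounded verification server.` The body of ensure_ondemand_pod_exists continues outside this hunk, so a separate server check may exist that is not visible here.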


@ -9,17 +9,11 @@ if [[ $MARIADB_POD_NAMESPACE == "" ]]; then
fi fi
export MARIADB_CONF_SECRET={{ $envAll.Values.conf.mariadb_backup_restore.secrets.conf_secret }} export MARIADB_CONF_SECRET={{ $envAll.Values.conf.mariadb_backup_restore.secrets.conf_secret }}
export MARIADB_IMAGE_NAME=$(kubectl get cronjob -n ${MARIADB_POD_NAMESPACE} mariadb-backup -o yaml -o jsonpath="{range .spec.jobTemplate.spec.template.spec.containers[*]}{.image}{'\n'}{end}" | grep mariadb)
export MYSQLCLIENT_UTILTIY_IMAGE_NAME=$(kubectl get cronjob -n ${MARIADB_POD_NAMESPACE} mariadb-backup -o yaml -o jsonpath="{range .spec.jobTemplate.spec.template.spec.containers[*]}{.image}{'\n'}{end}" | grep mysqlclient-utility) export MYSQLCLIENT_UTILTIY_IMAGE_NAME=$(kubectl get cronjob -n ${MARIADB_POD_NAMESPACE} mariadb-backup -o yaml -o jsonpath="{range .spec.jobTemplate.spec.template.spec.containers[*]}{.image}{'\n'}{end}" | grep mysqlclient-utility)
export MARIADB_BACKUP_BASE_PATH=$(kubectl get secret -n ${MARIADB_POD_NAMESPACE} ${MARIADB_CONF_SECRET} -o json | jq -r .data.BACKUP_BASE_PATH | base64 -d) export MARIADB_BACKUP_BASE_PATH=$(kubectl get secret -n ${MARIADB_POD_NAMESPACE} ${MARIADB_CONF_SECRET} -o json | jq -r .data.BACKUP_BASE_PATH | base64 -d)
MARIADB_REMOTE_BACKUP_ENABLED=$(kubectl get secret -n ${MARIADB_POD_NAMESPACE} ${MARIADB_CONF_SECRET} -o json | jq -r .data.REMOTE_BACKUP_ENABLED | base64 -d) MARIADB_REMOTE_BACKUP_ENABLED=$(kubectl get secret -n ${MARIADB_POD_NAMESPACE} ${MARIADB_CONF_SECRET} -o json | jq -r .data.REMOTE_BACKUP_ENABLED | base64 -d)
export MARIADB_REMOTE_BACKUP_ENABLED=$(echo $MARIADB_REMOTE_BACKUP_ENABLED | sed 's/"//g') export MARIADB_REMOTE_BACKUP_ENABLED=$(echo $MARIADB_REMOTE_BACKUP_ENABLED | sed 's/"//g')
if [[ $MARIADB_IMAGE_NAME == "" ]]; then
echo "Cannot find the utility image for populating MARIADB_IMAGE_NAME variable."
exit 1
fi
if [[ $MYSQLCLIENT_UTILTIY_IMAGE_NAME == "" ]]; then if [[ $MYSQLCLIENT_UTILTIY_IMAGE_NAME == "" ]]; then
echo "Cannot find the utility image for populating MYSQLCLIENT_UTILTIY_IMAGE_NAME variable." echo "Cannot find the utility image for populating MYSQLCLIENT_UTILTIY_IMAGE_NAME variable."
exit 1 exit 1
@ -50,7 +44,7 @@ spec:
metadata: metadata:
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{ dict "envAll" $envAll "podName" "mariadb-ondemand" "containerNames" (list "ondemand-perms" "mariadb-verify-server" "mariadb-ondemand" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ dict "envAll" $envAll "podName" "mariadb-ondemand" "containerNames" (list "ondemand-perms" "mariadb-ondemand" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
labels: labels:
{{ tuple $envAll "mariadb-ondemand" "ondemand" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "mariadb-ondemand" "ondemand" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec: spec:
@ -93,8 +87,10 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_ondemand | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_ondemand | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "mariadb_ondemand" "container" "mariadb_ondemand" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "mariadb_ondemand" "container" "mariadb_ondemand" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command: command:
- /bin/sleep - /bin/sh
- "{{ .Values.conf.mariadb_ondemand.ondemapd_pod_sleep_time }}" args:
- -c
- ( /tmp/start_verification_server.sh ) & /bin/sleep {{ .Values.conf.mariadb_ondemand.ondemapd_pod_sleep_time }}
env: env:
- name: MARIADB_BACKUP_BASE_DIR - name: MARIADB_BACKUP_BASE_DIR
valueFrom: valueFrom:
@ -233,42 +229,17 @@ if $TLS_ENABLED; then
mountPath: /etc/mysql/certs/ca.crt mountPath: /etc/mysql/certs/ca.crt
subPath: ca.crt subPath: ca.crt
readOnly: true readOnly: true
{{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts }}
{{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts | toYaml | indent 12 }}
{{- end }}
- name: mariadb-verify-server
image: ${MARIADB_IMAGE_NAME}
{{ dict "envAll" $envAll "application" "mariadb_ondemand" "container" "mariadb_verify_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.mariadb_verify_server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: MYSQL_HISTFILE
value: /dev/null
command:
- /bin/sh
args:
- -c
- ( /tmp/start_verification_server.sh )& /bin/sleep {{ .Values.conf.mariadb_ondemand.ondemapd_pod_sleep_time }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: var-run
mountPath: /var/run/mysqld
- name: mycnfd
mountPath: /etc/mysql/conf.d
- name: mariadb-etc
mountPath: /etc/mysql/my.cnf
subPath: my.cnf
readOnly: true
- name: mariadb-secrets
mountPath: /etc/mysql/admin_user.cnf
subPath: admin_user.cnf
readOnly: true
- name: mysql-data - name: mysql-data
mountPath: /var/lib/mysql mountPath: /var/lib/mysql
- name: mariadb-bin - name: mariadb-bin
mountPath: /tmp/start_verification_server.sh mountPath: /tmp/start_verification_server.sh
subPath: start_verification_server.sh subPath: start_verification_server.sh
readOnly: true readOnly: true
- name: var-run
mountPath: /run/mysqld
{{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts }}
{{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts | toYaml | indent 12 }}
{{- end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -328,39 +299,17 @@ else
mountPath: /etc/mysql/admin_user.cnf mountPath: /etc/mysql/admin_user.cnf
subPath: admin_user.cnf subPath: admin_user.cnf
readOnly: true readOnly: true
{{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts }}
{{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts | toYaml | indent 12 }}
{{- end }}
- name: mariadb-verify-server
image: ${MARIADB_IMAGE_NAME}
{{ dict "envAll" $envAll "application" "mariadb_ondemand" "container" "mariadb_verify_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.mariadb_verify_server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: MYSQL_HISTFILE
value: /dev/null
command:
- /tmp/start_verification_server.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: var-run
mountPath: /var/run/mysqld
- name: mycnfd
mountPath: /etc/mysql/conf.d
- name: mariadb-etc
mountPath: /etc/mysql/my.cnf
subPath: my.cnf
readOnly: true
- name: mariadb-secrets
mountPath: /etc/mysql/admin_user.cnf
subPath: admin_user.cnf
readOnly: true
- name: mysql-data - name: mysql-data
mountPath: /var/lib/mysql mountPath: /var/lib/mysql
- name: mariadb-bin - name: mariadb-bin
mountPath: /tmp/start_verification_server.sh mountPath: /tmp/start_verification_server.sh
subPath: start_verification_server.sh subPath: start_verification_server.sh
readOnly: true readOnly: true
- name: var-run
mountPath: /run/mysqld
{{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts }}
{{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts | toYaml | indent 12 }}
{{- end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
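Review bot: In the `command:` hunk the sleep time is now expanded inside the `sh -c` string instead of being passed to `/bin/sleep` as its own quoted argument, so a value containing whitespace or shell syntax is parsed by the shell. Quoting it at least keeps it a single word: `- ( /tmp/start_verification_server.sh ) & /bin/sleep "{{ .Values.conf.mariadb_ondemand.ondemapd_pod_sleep_time }}"`. The removed sidecar also set `MYSQL_HISTFILE=/dev/null`; the env list of mariadb-ondemand is only partly visible here, so it is worth confirming the variable is still set in the merged container in both the TLS and non-TLS branches. The server process now runs under whatever security context `mariadb_ondemand` is given and alongside that container's own mounts, which presumably include the backup tooling's secrets, so a short comment on the `args:` line saying why the two roles share one container would help the next reader.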


@ -57,10 +57,6 @@ pod:
runAsUser: 65534 runAsUser: 65534
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
mariadb_verify_server:
runAsUser: 65534
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
mounts: mounts:
mysqlclient: mysqlclient:
container: container: