d0b3f1c1d2
This PS fixed some incompatibilities between the inherited mariadb config and the docker-entrypoint.sh script that is now used to perform the initial setup of mariadb nodes and to run mariadb-upgrade at startup. It also added an x509 requirement for connections by the root and audit users. Change-Id: Ic5ad2e692b64927fc73962fe0cc250a9d682114c
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- /*
Readiness probe body: an exec probe that runs /tmp/readiness.sh inside the
container. The script is mounted read-only from the mariadb-bin volume by the
volumeMounts further down in this template. The rendered text is parsed with
fromYaml before being handed to helm-toolkit.snippets.kubernetes_probe.
*/}}
{{- define "mariadbReadinessProbe" }}
exec:
  command:
    - /tmp/readiness.sh
{{- end }}
{{- /*
Liveness probe body: an exec probe that runs /tmp/liveness.sh inside the
container. The script is mounted read-only from the mariadb-bin volume by the
volumeMounts further down in this template. The rendered text is parsed with
fromYaml before being handed to helm-toolkit.snippets.kubernetes_probe.
*/}}
{{- define "mariadbLivenessProbe" }}
exec:
  command:
    - /tmp/liveness.sh
{{- end }}
{{- /*
Stores "deployment_name" on the root context: the chart name when
.Values.global.subchart_release_name is set, otherwise the release name.
Nothing in this template reads the key directly; presumably the included
helm-toolkit snippets consume it (confirm against helm-toolkit).
*/}}
{{- if (.Values.global).subchart_release_name }}
{{- $_ := set . "deployment_name" .Chart.Name }}
{{- else }}
{{- $_ := set . "deployment_name" .Release.Name }}
{{- end }}
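{{- /*
MariaDB custom resource (mariadb.mmontes.io/v1alpha1), rendered only when
.Values.manifests.mariadb is set. The root password is taken by reference from
the mariadb-dbadmin-password Secret. Image, resources, security contexts,
probes, affinity and TLS mounts come from helm-toolkit snippets whose output
is not visible in this file.

Whitespace matters here: lines that pipe into "indent N" must stay at column
0, and a line must never be inserted directly above an action that starts
with a left-trim marker followed by an include, because the trim would join
the included text onto that line.
*/}}
{{- if .Values.manifests.mariadb }}
{{- $envAll := . }}

---
apiVersion: mariadb.mmontes.io/v1alpha1
kind: MariaDB
metadata:
  # NOTE(portdirect): the statefulset name must match the POD_NAME_PREFIX env var for discovery to work
  name: {{ tuple "oslo_db" "server" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
    # NOTE(review): value derived from secret-dbadmin-password.yaml, presumably
    # a digest of the rendered Secret template (helm-toolkit.utils.hash is not
    # shown here). Anyone who can read this object can read the annotation, so
    # the admin password should be long and random. TODO confirm the hash input.
    mariadb-dbadmin-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
  labels:
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
  # Root credentials are referenced from a Secret, never inlined in the manifest.
  rootPasswordSecretKeyRef:
    name: mariadb-dbadmin-password
    key: MYSQL_DBADMIN_PASSWORD

{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 2 }}

  # Extra init container running /tmp/init.sh with the "perms" security context.
  initContainers:
    - command:
        - /tmp/init.sh
{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ dict "envAll" $envAll "application" "server" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}

  {{ if $envAll.Values.conf.galera.enabled }}
  galera:
    enabled: true
    primary:
      podIndex: {{ .Values.conf.galera.primary.podIndex }}
      automaticFailover: {{ .Values.conf.galera.primary.automaticFailover }}
    sst: {{ .Values.conf.galera.sst }}
    replicaThreads: {{ .Values.conf.galera.replicaThreads }}
    agent:
{{ tuple $envAll "agent" | include "helm-toolkit.snippets.image" | indent 6 }}
{{- dict "envAll" $envAll "application" "server" "container" "agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
      # NOTE(review): -log-dev and -log-level=debug are fixed in the template for
      # the agent (and for the galera init container below). Consider driving
      # them from values so production releases can lower verbosity, and confirm
      # what the agent writes to its log at debug level.
      args:
        - '--graceful-shutdown-timeout=5s'
        - '--recovery-timeout=5m0s'
        - '-log-dev'
        - '-log-level=debug'
      # NOTE(review): the kubernetesAuth stanza below is rendered only when
      # conf.galera.agent.kubernetesAuth.enabled is set; confirm what restricts
      # access to this agent port when it is left off.
      port: {{ .Values.conf.galera.agent.port }}
      {{- if $envAll.Values.conf.galera.agent.kubernetesAuth.enabled }}
      kubernetesAuth:
        enabled: true
      {{- end }}
      gracefulShutdownTimeout: {{ .Values.conf.galera.agent.gracefulShutdownTimeout }}
    {{- if $envAll.Values.conf.galera.recovery.enabled }}
    recovery:
      enabled: true
      clusterHealthyTimeout: {{ .Values.conf.galera.recovery.clusterHealthyTimeout }}
      clusterBootstrapTimeout: {{ .Values.conf.galera.recovery.clusterBootstrapTimeout }}
      podRecoveryTimeout: {{ .Values.conf.galera.recovery.podRecoveryTimeout }}
      podSyncTimeout: {{ .Values.conf.galera.recovery.podSyncTimeout }}
    {{- end }}
    initContainer:
{{ tuple $envAll "initContainer" | include "helm-toolkit.snippets.image" | indent 6 }}
{{- dict "envAll" $envAll "application" "server" "container" "init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
      args:
        - '-log-dev'
        - '-log-level=debug'
    # galera volume templates
    volumeClaimTemplate:
      resources:
        requests:
          storage: {{ .Values.volume.galera.size }}
      accessModes:
        - ReadWriteOnce
      storageClassName: {{ .Values.volume.galera.class_name }}
  {{ end }}

{{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" ( index $envAll.Values.conf.database "galera" ) "key" "myCnf" ) | indent 2 }}

  replicas: {{ .Values.pod.replicas.server }}

  affinity:
{{- tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 4 }}

{{ if $envAll.Values.pod.tolerations.mariadb.enabled }}
{{- tuple $envAll "mariadb" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
{{- end }}

  updateStrategy:
    type: {{ .Values.pod.lifecycle.upgrades.deployments.pod_replacement_strategy }}

{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 2 }}
{{ dict "envAll" $envAll "application" "server" "container" "mariadb" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}

  nodeSelector:
    # The value is quoted so a selector such as true or 1 still renders as the
    # string a label value has to be.
    {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value | quote }}

  podAnnotations:
{{- dict "envAll" $envAll "podName" "mariadb-server" "containerNames" (list "init-0" "init" "agent" "mariadb") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}

  podDisruptionBudget:
    minAvailable: {{ .Values.pod.lifecycle.disruption_budget.mariadb.min_available }}

{{ dict "envAll" . "component" "server" "container" "mariadb" "type" "readiness" "probeTemplate" (include "mariadbReadinessProbe" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 2 }}

{{ dict "envAll" . "component" "server" "container" "mariadb" "type" "liveness" "probeTemplate" (include "mariadbLivenessProbe" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 2 }}

{{ if .Values.monitoring.prometheus.enabled }}
  metrics:
    exporter:
{{ tuple $envAll "prometheus_mysql_exporter" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ dict "envAll" $envAll "application" "prometheus_mysql_exporter" "container" "exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.prometheus_mysql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      port: {{ tuple "prometheus_mysql_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
      {{- if $envAll.Values.manifests.certificates }}
      volumeMounts:
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
      {{- end }}
    serviceMonitor:
      prometheusRelease: prometheus-mysql-exporter
      interval: 10s
      scrapeTimeout: 10s
{{ end }}

  env:
    - name: MYSQL_HISTFILE
      # Quoted like the auto-upgrade values below, so an empty or
      # non-string-looking setting still renders as a string env value.
      value: {{ .Values.conf.database.mysql_histfile | quote }}
    {{ if .Values.conf.database.auto_upgrade.enabled }}
    - name: MARIADB_AUTO_UPGRADE
      value: {{ .Values.conf.database.auto_upgrade.enabled | quote }}
    - name: MARIADB_DISABLE_UPGRADE_BACKUP
      value: {{ .Values.conf.database.auto_upgrade.disable_upgrade_backup | quote }}
    {{ end }}

  volumeMounts:
    # /tmp is a writable emptyDir; the scripts mounted beneath it come from the
    # mariadb-bin ConfigMap volume.
    - name: pod-tmp
      mountPath: /tmp
    - name: mariadb-secrets
      mountPath: /etc/mysql/admin_user.cnf
      subPath: admin_user.cnf
      readOnly: true
    # NOTE(review): privileges.sql is not shown here. The stock
    # docker-entrypoint.sh processes /docker-entrypoint-initdb.d only when the
    # data directory is first initialised, so grants in this file (the commit
    # message mentions an x509 requirement for the root and audit users)
    # presumably do not re-apply on existing volumes. Confirm against the
    # entrypoint this chart ships.
    - name: mariadb-secrets
      mountPath: /docker-entrypoint-initdb.d/privileges.sql
      subPath: privileges.sql
      readOnly: true
    - name: mariadb-bin
      mountPath: /tmp/init.sh
      subPath: init.sh
      # Marked read-only like the other script mounts from mariadb-bin.
      readOnly: true
    - name: mariadb-bin
      mountPath: /tmp/readiness.sh
      subPath: readiness.sh
      readOnly: true
    - name: mariadb-bin
      mountPath: /tmp/liveness.sh
      subPath: liveness.sh
      readOnly: true
    # TLS material lands in /etc/mysql/certs; the snippet receives
    # manifests.certificates as its "enabled" flag. If privileges.sql requires
    # client certificates, certificates must be enabled for those logins to
    # work. Verify both settings together.
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 4 }}

  volumes:
    - name: pod-tmp
      emptyDir: {}
    - name: mariadb-bin
      configMap:
        name: mariadb-bin
        defaultMode: 0555
    - name: mariadb-etc
      configMap:
        name: mariadb-etc
        defaultMode: 0444
    - name: mariadb-secrets
      secret:
        secretName: mariadb-secrets
        # NOTE(review): 0444 makes admin_user.cnf and privileges.sql readable by
        # every user inside the container. Consider a tighter mode once the
        # container's runAsUser/fsGroup are confirmed to still let the database
        # process read them.
        defaultMode: 0444
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}

  # storage volume templates
  volumeClaimTemplate:
    resources:
      requests:
        storage: {{ .Values.volume.size }}
    accessModes:
      - ReadWriteOnce
    storageClassName: {{ .Values.volume.class_name }}

{{- end }}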