diff --git a/deploy/jiniaslog/monolith/mysql/mysql-operator.yml b/deploy/jiniaslog/monolith/mysql/mysql-operator.yml new file mode 100644 index 00000000..19335515 --- /dev/null +++ b/deploy/jiniaslog/monolith/mysql/mysql-operator.yml @@ -0,0 +1,209 @@ +--- +# Source: mysql-operator/templates/service_account_operator.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mysql-operator-sa + namespace: mysql-operator +--- +# Source: mysql-operator/templates/cluster_role_operator.yaml +# The main role for the operator +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: mysql-operator +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["pods/status"] + verbs: ["get", "patch", "update", "watch"] + # Kopf needs patch on secrets or the sidecar will throw + # The operator needs this verb to be able to pass it to the sidecar + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["services"] + verbs: ["get", "create", "list"] + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "create"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch", "update"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["rolebindings"] + verbs: ["get", "create"] + - apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["get", "create"] + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create"] + - apiGroups: ["batch"] + resources: ["cronjobs"] + verbs: ["create", "update", "delete"] + - apiGroups: ["apps"] + resources: ["deployments", "statefulsets"] + verbs: ["get", "create", "patch", "watch", "delete"] + - apiGroups: ["mysql.oracle.com"] + resources: ["*"] + verbs: ["*"] + - apiGroups: ["zalando.org"] + resources: ["*"] + verbs: ["get", "patch", "list", "watch"] + # Kopf: runtime observation of namespaces & CRDs (addition/deletion). + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [list, watch] + - apiGroups: [""] + resources: [namespaces] + verbs: [list, watch] +--- +# Source: mysql-operator/templates/cluster_role_sidecar.yaml +# role for the server sidecar +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: mysql-sidecar +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["pods/status"] + verbs: ["get", "patch", "update", "watch"] + # Kopf needs patch on secrets or the sidecar will throw + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["services"] + verbs: ["get", "create", "list"] + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "create"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch", "update"] + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "patch"] + - apiGroups: ["mysql.oracle.com"] + resources: ["innodbclusters"] + verbs: ["get", "watch", "list"] + - apiGroups: ["mysql.oracle.com"] + resources: ["mysqlbackups"] + verbs: ["create", "get", "list", "patch", "update", "watch", "delete"] + - apiGroups: ["mysql.oracle.com"] + resources: ["mysqlbackups/status"] + verbs: ["get", "patch", "update", "watch"] +--- +# Source: mysql-operator/templates/cluster_role_binding_operator.yaml +# Give access to the operator +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: mysql-operator-rolebinding +subjects: + - kind: ServiceAccount + name: mysql-operator-sa + namespace: mysql-operator + # TODO The following entry is for dev purposes only and must be deleted + #- kind: Group + # name: system:serviceaccounts + # apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: mysql-operator + apiGroup: rbac.authorization.k8s.io +--- +# Source: mysql-operator/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: mysql-operator + namespace: mysql-operator + labels: + name: mysql-operator +spec: + type: ClusterIP + ports: + - port: 9443 + protocol: TCP + selector: + name: mysql-operator +--- +# Source: mysql-operator/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mysql-operator + namespace: mysql-operator + labels: + version: "8.0.40-2.0.16" + app.kubernetes.io/name: mysql-operator + app.kubernetes.io/instance: mysql-operator + app.kubernetes.io/version: "8.0.40-2.0.16" + app.kubernetes.io/component: controller +spec: + replicas: 1 + selector: + matchLabels: + name: mysql-operator + template: + metadata: + labels: + name: mysql-operator + spec: + containers: + - name: mysql-operator + image: container-registry.oracle.com/mysql/community-operator:8.0.40-2.0.16 + imagePullPolicy: IfNotPresent + args: ["mysqlsh", "--log-level=@INFO", "--pym", "mysqloperator", "operator"] + env: + - name: MYSQLSH_USER_CONFIG_HOME + value: /mysqlsh + - name: MYSQLSH_CREDENTIAL_STORE_SAVE_PASSWORDS + value: never + + - name: MYSQL_OPERATOR_IMAGE_PULL_POLICY + value: IfNotPresent + + readinessProbe: + exec: + command: + - cat + - /tmp/mysql-operator-ready + initialDelaySeconds: 1 + periodSeconds: 3 + volumeMounts: + - name: mysqlsh-home + mountPath: /mysqlsh + - name: tmpdir + mountPath: /tmp + securityContext: + runAsUser: 2 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + volumes: + - name: mysqlsh-home + emptyDir: {} + - name: tmpdir + emptyDir: {} + serviceAccountName: mysql-operator-sa +--- +# Source: mysql-operator/templates/cluster_kopf_keepering.yaml +apiVersion: zalando.org/v1 +kind: ClusterKopfPeering +metadata: + name: mysql-operator