Showing
6 changed files
with
2,722 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,199 @@ | ||
# The main role for the operator | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: mysql-operator | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pods"] | ||
verbs: ["get", "list", "watch", "patch"] | ||
- apiGroups: [""] | ||
resources: ["pods/status"] | ||
verbs: ["get", "patch", "update", "watch"] | ||
# Kopf needs patch on secrets or the sidecar will throw | ||
# The operator needs this verb to be able to pass it to the sidecar | ||
- apiGroups: [""] | ||
resources: ["secrets"] | ||
verbs: ["get", "create", "list", "watch", "patch"] | ||
- apiGroups: [""] | ||
resources: ["configmaps"] | ||
verbs: ["get", "create", "update", "list", "watch", "patch", "delete"] | ||
- apiGroups: [""] | ||
resources: ["services"] | ||
verbs: ["get", "create", "list", "update", "delete", "patch"] | ||
- apiGroups: [""] | ||
resources: ["serviceaccounts"] | ||
verbs: ["get", "create", "patch"] | ||
- apiGroups: [""] | ||
resources: ["events"] | ||
verbs: ["create", "patch", "update"] | ||
- apiGroups: ["rbac.authorization.k8s.io"] | ||
resources: ["rolebindings"] | ||
verbs: ["get", "create"] | ||
- apiGroups: ["policy"] | ||
resources: ["poddisruptionbudgets"] | ||
verbs: ["get", "create"] | ||
- apiGroups: ["batch"] | ||
resources: ["jobs"] | ||
verbs: ["create"] | ||
- apiGroups: ["batch"] | ||
resources: ["cronjobs"] | ||
verbs: ["get", "create", "update", "delete"] | ||
- apiGroups: ["apps"] | ||
resources: ["deployments", "statefulsets"] | ||
verbs: ["get", "create", "patch", "update", "watch", "delete"] | ||
- apiGroups: ["mysql.oracle.com"] | ||
resources: ["*"] | ||
verbs: ["*"] | ||
- apiGroups: ["zalando.org"] | ||
resources: ["*"] | ||
verbs: ["get", "patch", "list", "watch"] | ||
# Kopf: runtime observation of namespaces & CRDs (addition/deletion). | ||
- apiGroups: [apiextensions.k8s.io] | ||
resources: [customresourcedefinitions] | ||
verbs: [list, watch] | ||
- apiGroups: [""] | ||
resources: [namespaces] | ||
verbs: [list, watch] | ||
- apiGroups: ["monitoring.coreos.com"] | ||
resources: ["servicemonitors"] | ||
verbs: ["get", "create", "patch", "update", "delete"] | ||
--- | ||
# role for the server sidecar | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: mysql-sidecar | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pods"] | ||
verbs: ["get", "list", "watch", "patch"] | ||
- apiGroups: [""] | ||
resources: ["pods/status"] | ||
verbs: ["get", "patch", "update", "watch"] | ||
# Kopf needs patch on secrets or the sidecar will throw | ||
- apiGroups: [""] | ||
resources: ["secrets"] | ||
verbs: ["get", "create", "list", "watch", "patch"] | ||
- apiGroups: [""] | ||
resources: ["configmaps"] | ||
verbs: ["get", "create", "list", "watch", "patch"] | ||
- apiGroups: [""] | ||
resources: ["services"] | ||
verbs: ["get", "create", "list", "update"] | ||
- apiGroups: [""] | ||
resources: ["serviceaccounts"] | ||
verbs: ["get", "create"] | ||
- apiGroups: [""] | ||
resources: ["events"] | ||
verbs: ["create", "patch", "update"] | ||
- apiGroups: ["apps"] | ||
resources: ["deployments"] | ||
verbs: ["get", "patch"] | ||
- apiGroups: ["mysql.oracle.com"] | ||
resources: ["innodbclusters"] | ||
verbs: ["get", "watch", "list"] | ||
- apiGroups: ["mysql.oracle.com"] | ||
resources: ["mysqlbackups"] | ||
verbs: ["create", "get", "list", "patch", "update", "watch", "delete"] | ||
- apiGroups: ["mysql.oracle.com"] | ||
resources: ["mysqlbackups/status"] | ||
verbs: ["get", "patch", "update", "watch"] | ||
--- | ||
# Give access to the operator | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: mysql-operator-rolebinding | ||
subjects: | ||
- kind: ServiceAccount | ||
name: mysql-operator-sa | ||
namespace: mysql-operator | ||
# TODO The following entry is for dev purposes only | ||
#- kind: Group | ||
# name: system:serviceaccounts | ||
# apiGroup: rbac.authorization.k8s.io | ||
roleRef: | ||
kind: ClusterRole | ||
name: mysql-operator | ||
apiGroup: rbac.authorization.k8s.io | ||
--- | ||
apiVersion: zalando.org/v1 | ||
kind: ClusterKopfPeering | ||
metadata: | ||
name: mysql-operator | ||
--- | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: mysql-operator | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: mysql-operator-sa | ||
namespace: mysql-operator | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: mysql-operator | ||
namespace: mysql-operator | ||
labels: | ||
version: "1.0" | ||
app.kubernetes.io/name: mysql-operator | ||
app.kubernetes.io/instance: mysql-operator | ||
app.kubernetes.io/version: 8.3.0-2.1.2 | ||
app.kubernetes.io/component: controller | ||
app.kubernetes.io/managed-by: mysql-operator | ||
app.kubernetes.io/created-by: mysql-operator | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
name: mysql-operator | ||
template: | ||
metadata: | ||
labels: | ||
name: mysql-operator | ||
spec: | ||
containers: | ||
- name: mysql-operator | ||
image: container-registry.oracle.com/mysql/community-operator:8.3.0-2.1.2 | ||
imagePullPolicy: IfNotPresent | ||
args: | ||
[ | ||
"mysqlsh", | ||
"--log-level=@INFO", | ||
"--pym", | ||
"mysqloperator", | ||
"operator", | ||
] | ||
env: | ||
- name: MYSQLSH_USER_CONFIG_HOME | ||
value: /mysqlsh | ||
- name: MYSQLSH_CREDENTIAL_STORE_SAVE_PASSWORDS | ||
value: never | ||
readinessProbe: | ||
exec: | ||
command: | ||
- cat | ||
- /tmp/mysql-operator-ready | ||
initialDelaySeconds: 1 | ||
periodSeconds: 3 | ||
volumeMounts: | ||
- name: mysqlsh-home | ||
mountPath: /mysqlsh | ||
- name: tmpdir | ||
mountPath: /tmp | ||
securityContext: | ||
runAsUser: 2 | ||
allowPrivilegeEscalation: false | ||
privileged: false | ||
readOnlyRootFilesystem: true | ||
volumes: | ||
- name: mysqlsh-home | ||
emptyDir: {} | ||
- name: tmpdir | ||
emptyDir: {} | ||
serviceAccountName: mysql-operator-sa |
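Review bot: The `mysql-operator` ClusterRole is attached through a ClusterRoleBinding, so its `secrets` rule (`get`, `create`, `list`, `watch`, `patch`) lets the `mysql-operator-sa` service account read and modify every Secret in the cluster, and the file does not say that this scope is intended. If the operator really has to act in all namespaces, say so above the rule, for example `# cluster-wide on purpose: the operator manages clusters in any namespace`; if the harness only uses one namespace, a namespaced RoleBinding for the Secret and ConfigMap rules would narrow it. The commented-out `system:serviceaccounts` Group subject under `subjects:` should be deleted rather than kept as a TODO, because uncommenting it would give this role to every service account. Separately, the container `securityContext` sets `runAsUser: 2` but could also carry `runAsNonRoot: true` and `capabilities: {drop: ["ALL"]}`; whether the operator image tolerates that is not visible here.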
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
{ | ||
"deploy": { | ||
"steps": [ | ||
{ | ||
"apply": { | ||
"file": "data/mysql_mysql-operator/deploy-crds.yaml", | ||
"namespace": "default" | ||
} | ||
}, | ||
{ | ||
"wait": { | ||
"duration": 10 | ||
} | ||
}, | ||
{ | ||
"apply": { | ||
"file": "data/mysql_mysql-operator/deploy-operator.yaml", | ||
"operator": true | ||
} | ||
}, | ||
{ | ||
"wait": { | ||
"duration": 10 | ||
} | ||
}, | ||
{ | ||
"apply": { | ||
"file": "data/mysql_mysql-operator/secret.yaml", | ||
"operator": true | ||
} | ||
} | ||
] | ||
}, | ||
"crd_name": "innodbclusters.mysql.oracle.com", | ||
"seed_custom_resource": "data/mysql_mysql-operator/cr.yaml" | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Copyright (c) 2020, 2022, Oracle and/or its affiliates. | ||
# | ||
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ | ||
# | ||
# This sample creates a simple InnoDB Cluster with help from the MySQL Operator. | ||
# This yields: | ||
# 3 MySQL Server Pods; one primary and two secondaries | ||
# 1 MySQL Router Pod | ||
# It uses self-signed TLS certificates. | ||
# It requires a deployed Operator (e.g., deploy/deploy-operator.yaml), | ||
# and requires root user credentials provided by a Kubernetes Secret; | ||
# the Secret is named mypwds in this case (e.g., sample-secret.yaml) | ||
# | ||
apiVersion: mysql.oracle.com/v2 | ||
kind: InnoDBCluster | ||
metadata: | ||
name: test-cluster | ||
spec: | ||
secretName: mypwds | ||
instances: 3 | ||
router: | ||
instances: 1 | ||
tlsUseSelfSigned: true |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# Copyright (c) 2020, 2022, Oracle and/or its affiliates. | ||
# | ||
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ | ||
# | ||
# This sample adds a Secret to reference from an InnoDBCluster manifest. | ||
# It's used to create a privileged MySQL user, a user used by a sysadmin to manage the cluster. | ||
# Although typically named "root", it can be a different name. | ||
# Note: MySQL Operator creates additional (internal) Secrets and MySQL users. | ||
# | ||
# This file requires editing before deployment; other samples here reference the name 'mypwds' | ||
# | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: mypwds | ||
stringData: | ||
rootUser: root | ||
rootHost: '%' | ||
rootPassword: password |
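Review bot: The Secret is committed with `rootPassword: password` and `rootHost: '%'`, and the deploy configuration in this commit applies the file as it stands, although its own header says it requires editing before deployment. For a throwaway test cluster this is workable, but the header should state it, for example `# test fixture only: fixed root credentials, do not apply to a shared or reachable cluster`. If the harness can supply a per-run value, generating the password at deploy time would keep a known root credential out of the repository, and `rootHost` could be narrowed if the tests do not need root logins from arbitrary hosts.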