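{{- /*
Primary MySQL StatefulSet (Bitnami-style chart; used here as a Helm scanner fixture).

Security-relevant shape of what this template renders:
  - replicas is fixed at 1; the primary is never scaled by values.
  - Pod/container securityContext blocks are only emitted when the matching
    `*.securityContext.enabled` flag is true — with them disabled the pod runs
    with the cluster defaults.
  - The root password reaches the containers either as a plain env var
    (MYSQL_ROOT_PASSWORD, from the chart secret) or, with auth.usePasswordFiles,
    as a file projected from the same secret.
  - Probes and the metrics exporter both authenticate as the MySQL root user.
  - The optional volume-permissions init container runs as UID 0.
Reviewer notes below are marked NOTE(review) where they depend on behaviour
not visible in this file.
*/ -}}
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
  name: {{ include "mysql.primary.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels: {{- include "common.labels.standard" . | nindent 4 }}
    app.kubernetes.io/component: primary
    {{- if .Values.commonLabels }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
    {{- end }}
    {{- if .Values.primary.podLabels }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 4 }}
    {{- end }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
spec:
  replicas: 1
  selector:
    matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
      app.kubernetes.io/component: primary
  serviceName: {{ include "mysql.primary.fullname" . }}
  updateStrategy:
    type: {{ .Values.primary.updateStrategy }}
    {{- if (eq "Recreate" .Values.primary.updateStrategy) }}
    rollingUpdate: null
    {{- else if .Values.primary.rollingUpdatePartition }}
    rollingUpdate:
      partition: {{ .Values.primary.rollingUpdatePartition }}
    {{- end }}
  template:
    metadata:
      annotations:
        {{- /* Hash of the rendered configmap: a configuration change alters the pod template and therefore rolls the pod. */}}
        {{- if (include "mysql.primary.createConfigmap" .) }}
        checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }}
        {{- end }}
        {{- if .Values.primary.podAnnotations }}
        {{- include "common.tplvalues.render" (dict "value" .Values.primary.podAnnotations "context" $) | nindent 8 }}
        {{- end }}
      labels: {{- include "common.labels.standard" . | nindent 8 }}
        app.kubernetes.io/component: primary
        {{- if .Values.commonLabels }}
        {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
        {{- end }}
        {{- if .Values.primary.podLabels }}
        {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 8 }}
        {{- end }}
    spec:
      {{- include "mysql.imagePullSecrets" . | nindent 6 }}
      {{- if .Values.primary.hostAliases }}
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.schedulerName }}
      schedulerName: {{ .Values.schedulerName | quote }}
      {{- end }}
      {{- /* NOTE(review): automountServiceAccountToken is not set, so the service account token is mounted into every container by the cluster default. Nothing in this template calls the Kubernetes API; confirm whether the chart's service account helper disables the mount, otherwise consider setting it to false here. */}}
      serviceAccountName: {{ template "mysql.serviceAccountName" . }}
      {{- if .Values.primary.affinity }}
      affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }}
      {{- else }}
      affinity:
        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }}
        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }}
        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }}
      {{- end }}
      {{- if .Values.primary.nodeSelector }}
      nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.primary.tolerations }}
      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName | quote }}
      {{- end }}
      {{- /* Pod-level securityContext (fsGroup etc.) is emitted only when podSecurityContext.enabled is true; the "enabled" key itself is stripped. */}}
      {{- if .Values.primary.podSecurityContext.enabled }}
      securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }}
      {{- end }}
      {{- if or .Values.primary.initContainers (and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled) }}
      initContainers:
        {{- if .Values.primary.initContainers }}
        {{- include "common.tplvalues.render" (dict "value" .Values.primary.initContainers "context" $) | nindent 8 }}
        {{- end }}
        {{- /* Privileged fix-up step: runs as UID 0 solely to chown the data volume to the container's runAsUser:fsGroup. It is only rendered when the pod securityContext, volumePermissions and persistence are all enabled; keep it that way so a root init container never appears by accident. */}}
        {{- if and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled }}
        - name: volume-permissions
          image: {{ include "mysql.volumePermissions.image" . }}
          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
          command:
            - /bin/bash
            - -ec
            - |
              chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /bitnami/mysql
          securityContext:
            runAsUser: 0
          {{- if .Values.volumePermissions.resources }}
          resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: data
              mountPath: /bitnami/mysql
        {{- end }}
      {{- end }}
      containers:
        - name: mysql
          image: {{ include "mysql.image" . }}
          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
          {{- /* Container securityContext (runAsUser, capabilities, ...) is emitted only when containerSecurityContext.enabled is true. */}}
          {{- if .Values.primary.containerSecurityContext.enabled }}
          securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
          {{- else if .Values.primary.command }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
          {{- else if .Values.primary.args }}
          args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }}
          {{- end }}
          {{- /* Credentials: with auth.usePasswordFiles the containers get only a path (MYSQL_*_PASSWORD_FILE); otherwise the secret value is injected straight into the environment, where anything that can read the container's env (exec, crash dumps, debug tooling) can see it. Prefer the file mode. */}}
          env:
            - name: BITNAMI_DEBUG
              value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
            {{- if .Values.auth.usePasswordFiles }}
            - name: MYSQL_ROOT_PASSWORD_FILE
              value: {{ default "/opt/bitnami/mysql/secrets/mysql-root-password" .Values.auth.customPasswordFiles.root }}
            {{- else }}
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ template "mysql.secretName" . }}
                  key: mysql-root-password
            {{- end }}
            {{- if not (empty .Values.auth.username) }}
            - name: MYSQL_USER
              value: {{ .Values.auth.username | quote }}
            {{- if .Values.auth.usePasswordFiles }}
            - name: MYSQL_PASSWORD_FILE
              value: {{ default "/opt/bitnami/mysql/secrets/mysql-password" .Values.auth.customPasswordFiles.user }}
            {{- else }}
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ template "mysql.secretName" . }}
                  key: mysql-password
            {{- end }}
            {{- end }}
            - name: MYSQL_DATABASE
              value: {{ .Values.auth.database | quote }}
            {{- if eq .Values.architecture "replication" }}
            - name: MYSQL_REPLICATION_MODE
              value: "master"
            - name: MYSQL_REPLICATION_USER
              value: {{ .Values.auth.replicationUser | quote }}
            {{- if .Values.auth.usePasswordFiles }}
            - name: MYSQL_REPLICATION_PASSWORD_FILE
              value: {{ default "/opt/bitnami/mysql/secrets/mysql-replication-password" .Values.auth.customPasswordFiles.replicator }}
            {{- else }}
            - name: MYSQL_REPLICATION_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ template "mysql.secretName" . }}
                  key: mysql-replication-password
            {{- end }}
            {{- end }}
            {{- /* `quote` escapes embedded double quotes and backslashes; wrapping the raw value in literal quotes would let such characters break the scalar and produce an invalid or differently-structured manifest. */}}
            {{- if .Values.primary.extraFlags }}
            - name: MYSQL_EXTRA_FLAGS
              value: {{ .Values.primary.extraFlags | quote }}
            {{- end }}
            {{- if .Values.primary.extraEnvVars }}
            {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }}
            {{- end }}
          {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }}
          envFrom:
            {{- if .Values.primary.extraEnvVarsCM }}
            - configMapRef:
                name: {{ .Values.primary.extraEnvVarsCM }}
            {{- end }}
            {{- if .Values.primary.extraEnvVarsSecret }}
            - secretRef:
                name: {{ .Values.primary.extraEnvVarsSecret }}
            {{- end }}
          {{- end }}
          ports:
            - name: mysql
              containerPort: 3306
          {{- /* Default probes authenticate as the MySQL root user and pass the password on the mysqladmin command line, so it is exposed to anything that can read the container's process list while a probe runs. NOTE(review): a dedicated health-check account with minimal grants would be the least-privilege alternative; supply one via custom*Probe if needed. */}}
          {{- if not .Values.diagnosticMode.enabled }}
          {{- if .Values.primary.livenessProbe.enabled }}
          livenessProbe: {{- omit .Values.primary.livenessProbe "enabled" | toYaml | nindent 12 }}
            exec:
              command:
                - /bin/bash
                - -ec
                - |
                  password_aux="${MYSQL_ROOT_PASSWORD:-}"
                  if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then
                      password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE")
                  fi
                  mysqladmin status -uroot -p"${password_aux}"
          {{- else if .Values.primary.customLivenessProbe }}
          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.primary.readinessProbe.enabled }}
          readinessProbe: {{- omit .Values.primary.readinessProbe "enabled" | toYaml | nindent 12 }}
            exec:
              command:
                - /bin/bash
                - -ec
                - |
                  password_aux="${MYSQL_ROOT_PASSWORD:-}"
                  if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then
                      password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE")
                  fi
                  mysqladmin status -uroot -p"${password_aux}"
          {{- else if .Values.primary.customReadinessProbe }}
          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.primary.startupProbe.enabled }}
          startupProbe: {{- omit .Values.primary.startupProbe "enabled" | toYaml | nindent 12 }}
            exec:
              command:
                - /bin/bash
                - -ec
                - |
                  password_aux="${MYSQL_ROOT_PASSWORD:-}"
                  if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then
                      password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE")
                  fi
                  mysqladmin status -uroot -p"${password_aux}"
          {{- else if .Values.primary.customStartupProbe }}
          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }}
          {{- end }}
          {{- end }}
          {{- if .Values.primary.resources }}
          resources: {{- toYaml .Values.primary.resources | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: data
              mountPath: /bitnami/mysql
            {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
            - name: custom-init-scripts
              mountPath: /docker-entrypoint-initdb.d
            {{- end }}
            {{- if or .Values.primary.configuration .Values.primary.existingConfigmap }}
            - name: config
              mountPath: /opt/bitnami/mysql/conf/my.cnf
              subPath: my.cnf
            {{- end }}
            {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
            - name: mysql-credentials
              mountPath: /opt/bitnami/mysql/secrets/
            {{- end }}
            {{- if .Values.primary.extraVolumeMounts }}
            {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }}
            {{- end }}
        {{- if .Values.metrics.enabled }}
        - name: metrics
          image: {{ include "mysql.metrics.image" . }}
          imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
          env:
            {{- if .Values.auth.usePasswordFiles }}
            - name: MYSQL_ROOT_PASSWORD_FILE
              value: {{ default "/opt/bitnami/mysqld-exporter/secrets/mysql-root-password" .Values.auth.customPasswordFiles.root }}
            {{- else }}
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "mysql.secretName" . }}
                  key: mysql-root-password
            {{- end }}
          {{- /* The exporter builds its DSN with the root account; a read-only metrics user (PROCESS, REPLICATION CLIENT, SELECT on performance_schema) is the least-privilege choice. NOTE(review): changing that requires the entrypoint to create such a user, which is outside this template. */}}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
          args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
          {{- else }}
          command:
            - /bin/bash
            - -ec
            - |
              password_aux="${MYSQL_ROOT_PASSWORD:-}"
              if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then
                  password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE")
              fi
              DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
          {{- end }}
          ports:
            - name: metrics
              containerPort: 9104
          {{- if not .Values.diagnosticMode.enabled }}
          {{- if .Values.metrics.livenessProbe.enabled }}
          livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }}
            httpGet:
              path: /metrics
              port: metrics
          {{- end }}
          {{- if .Values.metrics.readinessProbe.enabled }}
          readinessProbe: {{- omit .Values.metrics.readinessProbe "enabled" | toYaml | nindent 12 }}
            httpGet:
              path: /metrics
              port: metrics
          {{- end }}
          {{- end }}
          {{- if .Values.metrics.resources }}
          resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
          {{- end }}
          {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
          volumeMounts:
            - name: mysql-credentials
              mountPath: /opt/bitnami/mysqld-exporter/secrets/
          {{- end }}
        {{- end }}
        {{- if .Values.primary.sidecars }}
        {{- include "common.tplvalues.render" (dict "value" .Values.primary.sidecars "context" $) | nindent 8 }}
        {{- end }}
      volumes:
        {{- if or .Values.primary.configuration .Values.primary.existingConfigmap }}
        - name: config
          configMap:
            name: {{ include "mysql.primary.configmapName" . }}
        {{- end }}
        {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
        - name: custom-init-scripts
          configMap:
            name: {{ include "mysql.initdbScriptsCM" . }}
        {{- end }}
        {{- /* Secret projection used in password-file mode. No defaultMode is set, so the kubelet's default file mode applies to every container that mounts it. NOTE(review): the mysql-password item is projected unconditionally, while MYSQL_USER/MYSQL_PASSWORD are only rendered when auth.username is non-empty — confirm the secret template always carries that key, otherwise the pod will fail to start on a missing item. */}}
        {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
        - name: mysql-credentials
          secret:
            secretName: {{ include "mysql.secretName" . }}
            items:
              - key: mysql-root-password
                path: mysql-root-password
              - key: mysql-password
                path: mysql-password
              {{- if eq .Values.architecture "replication" }}
              - key: mysql-replication-password
                path: mysql-replication-password
              {{- end }}
        {{- end }}
        {{- if .Values.primary.extraVolumes }}
        {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumes "context" $) | nindent 8 }}
        {{- end }}
        {{- /* Data volume: existing PVC, ephemeral emptyDir when persistence is off, otherwise a volumeClaimTemplate at StatefulSet spec level. */}}
        {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }}
        - name: data
          persistentVolumeClaim:
            claimName: {{ tpl .Values.primary.persistence.existingClaim . }}
        {{- else if not .Values.primary.persistence.enabled }}
        - name: data
          emptyDir: {}
        {{- else if and .Values.primary.persistence.enabled (not .Values.primary.persistence.existingClaim) }}
  volumeClaimTemplates:
    - metadata:
        name: data
        labels: {{ include "common.labels.matchLabels" . | nindent 10 }}
          app.kubernetes.io/component: primary
        {{- if .Values.primary.persistence.annotations }}
        annotations:
          {{- toYaml .Values.primary.persistence.annotations | nindent 10 }}
        {{- end }}
      spec:
        accessModes:
        {{- range .Values.primary.persistence.accessModes }}
          - {{ . | quote }}
        {{- end }}
        resources:
          requests:
            storage: {{ .Values.primary.persistence.size | quote }}
        {{ include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) }}
        {{- if .Values.primary.persistence.selector }}
        selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }}
        {{- end -}}
  {{- end }}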