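{{- /*
InnoDBCluster resource rendered by the Verrazzano copy of the mysql-operator chart
(platform-operator/thirdparty/charts/mysql/templates/deployment_cluster.yaml).

Layout:
  1. value validation at the top: fail early with a readable message when the
     values are inconsistent (router count given twice, unsupported server
     version, unknown image pull policy, referenced TLS secrets missing);
  2. the InnoDBCluster spec, with a restrictive securityContext on every
     container and initContainer that this chart itself declares.

The `lookup` checks for TLS secrets are skipped when .Values.disableLookups is
set, because `lookup` returns nothing under `helm template` / `--dry-run` and
the chart would otherwise always fail to render there.
*/}}
{{- $disable_lookups := .Values.disableLookups }}
{{- $cluster_name := default "mycluster" .Release.Name }}
{{- $use_self_signed := default false ((.Values.tls).useSelfSigned) }}
{{- $minimalVersion := "8.0.27" }}
{{- $forbiddenVersions := list "8.0.29" }}
{{- $imagePullPolicies := list "ifnotpresent" "always" "never" }}
{{- $serverVersion := .Values.serverVersion | default .Chart.AppVersion }}
{{- /* The router count can be given as routerInstances or router.instances; both are accepted only when equal. */}}
{{- if and ((.Values).routerInstances) (((.Values).router).instances) }}
{{- if ne ((.Values).routerInstances) (((.Values).router).instances) }}
{{- $err := printf "routerInstances and router.instances both are specified and have different values %d and %d. Use only one" ((.Values).routerInstances) (((.Values).router).instances) }}
{{- fail $err }}
{{- end }}
{{- end }}
{{- $routerInstances := coalesce ((.Values).routerInstances) (((.Values).router).instances) }}
{{- /*
NOTE(review): `lt` compares the two strings lexicographically, not as semantic
versions (e.g. "8.0.100" sorts before "8.0.27"). Left as is because serverVersion
is not guaranteed to be a semver-valid string; consider semverCompare once it is.
*/}}
{{- if lt $serverVersion $minimalVersion }}
{{- $err := printf "It is not possible to use MySQL version %s . Please, use %s or above" $serverVersion $minimalVersion }}
{{- fail $err }}
{{- end }}
{{- if has $serverVersion $forbiddenVersions }}
{{- $err := printf "It is not possible to use MySQL version %s . Please, use %s or above except %v" $serverVersion $minimalVersion $forbiddenVersions }}
{{- fail $err }}
{{- end }}
{{- /* image.pullPolicy is mandatory and is matched case-insensitively against the Kubernetes policies. */}}
{{- if (((.Values).image).pullPolicy) }}
{{- if not (has (lower (((.Values).image).pullPolicy)) ($imagePullPolicies)) }}
{{- $err := printf "Unknown image pull policy %s. Must be one of %v" (((.Values).image).pullPolicy) $imagePullPolicies }}
{{- fail $err }}
{{- end }}
{{- else }}
{{ fail "image.pullPolicy is required" }}
{{- end }}
apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
  name: {{ $cluster_name }}
  namespace: {{ .Release.Namespace }}
spec:
  instances: {{ required "serverInstances is required" .Values.serverInstances }}
  tlsUseSelfSigned: {{ $use_self_signed }}
  router:
    instances: {{ required "router.instances is required" $routerInstances }}
    podSpec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: router
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
{{- if not $use_self_signed }}
{{- /* The router certificate secret can be named via tls.routerCertAndPKsecretName or router.certAndPKsecretName; both only when equal. */}}
{{- if and (((.Values).tls).routerCertAndPKsecretName) (((.Values).router).certAndPKsecretName) }}
{{- if ne (((.Values).tls).routerCertAndPKsecretName) (((.Values).router).certAndPKsecretName) }}
{{- $err := printf "tls.routerCertAndPKsecretName and router.certAndPKsecretName are both specified and have different values %s and %s. Use only one" (((.Values).tls).routerCertAndPKsecretName) (((.Values).router).certAndPKsecretName) }}
{{- fail $err }}
{{- end }}
{{- end }}
{{- $default_secret_name := printf "%s-router-tls" $cluster_name }}
{{- $secret_name := coalesce ((.Values.tls).routerCertAndPKsecretName) ((.Values.router).certAndPKsecretName) $default_secret_name }}
{{- /* Verify the secret exists before the operator consumes it; skipped when lookups are disabled (dry-run / template). */}}
{{- if and (not $disable_lookups) (not (lookup "v1" "Secret" .Release.Namespace $secret_name)) }}
{{- $err := printf "tls.routerCertAndPKsecretName: secret '%s' not found in namespace '%s'" $secret_name .Release.Namespace }}
{{- fail $err }}
{{- end }}
    tlsSecretName: {{ $secret_name }}
{{- /*
NOTE(review): router.podSpec, router.podLabels and router.podAnnotations are only
rendered inside this `not $use_self_signed` block, and a `podSpec` key for the
router is already emitted above, so setting router.podSpec here produces a second
`podSpec` key under `router`. Confirm whether this nesting is intended.
*/}}
{{- if (((.Values).router).podSpec) }}
    podSpec: {{ toYaml (((.Values).router).podSpec) | nindent 6 }}
{{- end }}
{{ if (((.Values).router).podLabels) }}
    podLabels: {{ toYaml (((.Values).router).podLabels) | nindent 6 }}
{{ end }}
{{ if (((.Values).router).podAnnotations) }}
    podAnnotations: {{ toYaml (((.Values).router).podAnnotations) | nindent 6 }}
{{ end }}
{{- end }}
  secretName: {{ .Release.Name }}-cluster-secret
  imagePullPolicy : {{ .Values.image.pullPolicy }}
{{- $repositoryPath := .Values.image.repository }}
{{- if $repositoryPath }}
  imageRepository: {{ $repositoryPath }}
{{- end }}
  baseServerId: {{ required "baseServerId is required" .Values.baseServerId }}
  version: {{ $serverVersion }}
  serviceAccountName: {{ .Release.Name }}-sa
{{- if not $use_self_signed }}
{{- /* CA and server certificate secrets: default names derive from the cluster name; existence is checked unless lookups are disabled. */}}
{{- $default_secret_name := printf "%s-ca" $cluster_name }}
{{- $secret_name := default $default_secret_name ((.Values.tls).caSecretName) }}
{{- if and (not $disable_lookups) (not (lookup "v1" "Secret" .Release.Namespace $secret_name)) }}
{{- $err := printf "tls.caSecretName: secret '%s' not found in namespace '%s'" $secret_name .Release.Namespace }}
{{- fail $err }}
{{- end }}
  tlsCASecretName: {{ $secret_name }}

{{- $default_secret_name := printf "%s-tls" $cluster_name }}
{{- $secret_name := default $default_secret_name ((.Values.tls).serverCertAndPKsecretName) }}
{{- if and (not $disable_lookups) (not (lookup "v1" "Secret" .Release.Namespace $secret_name)) }}
{{- $err := printf "tls.serverCertAndPKsecretName: secret '%s' not found in namespace '%s'" $secret_name .Release.Namespace }}
{{- fail $err }}
{{- end }}
  tlsSecretName: {{ $secret_name }}
{{- end }}
{{- if ((.Values).podLabels) }}
  podLabels: {{ toYaml ((.Values).podLabels) | nindent 4 }}
{{- end }}
{{- if ((.Values).podAnnotations) }}
  podAnnotations: {{ toYaml ((.Values).podAnnotations) | nindent 4 }}
{{- end }}
{{ if ((.Values).podSpec) }}
{{- /*
The hardened securityContext for the server pod (RuntimeDefault seccomp, no
privilege escalation, non-root uid/gid 27, all capabilities dropped) is only
rendered when .Values.podSpec is set; the container entries below are further
gated on configurationFiles / initdbScripts being present.
*/}}
  podSpec:
    securityContext:
      seccompProfile:
        type: RuntimeDefault
{{ if ((.Values).podSpec.affinity) }}
    affinity:
{{ toYaml ((.Values).podSpec.affinity) | indent 6 }}
{{ end }}
{{ if (.Values).configurationFiles }}
    containers:
      - name: sidecar
        image: {{ (.Values).mysqlOperator.image }}
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsNonRoot: true
          runAsUser: 27
          runAsGroup: 27
          capabilities:
            drop:
              - ALL
      - name: mysql
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsNonRoot: true
          runAsUser: 27
          runAsGroup: 27
          capabilities:
            drop:
              - ALL
        volumeMounts:
{{- range $key, $val := .Values.configurationFiles }}
          - name: configurations
            mountPath: {{ $.Values.configurationFilesPath }}{{ $key }}
            subPath: {{ $key }}
{{- end -}}
{{ end }}
{{ if (.Values).initdbScripts }}
{{- /*
NOTE(review): fixdatadir is the one container here without the restrictive
securityContext, and its `runAsUser: 0` sits directly on the container rather
than under `securityContext`, which is where a plain Kubernetes container spec
expects it. Presumably it needs root to fix data-directory ownership; confirm how
the operator merges this entry before relying on the field being honoured.
*/}}
    initContainers:
      - name: fixdatadir
        runAsUser: 0
        image: {{ (.Values).mysqlOperator.image }}
      - name: initconf
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsNonRoot: true
          runAsUser: 27
          runAsGroup: 27
          capabilities:
            drop:
              - ALL
        image: {{ (.Values).mysqlOperator.image }}
      - name: initmysql
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsNonRoot: true
          runAsUser: 27
          runAsGroup: 27
          capabilities:
            drop:
              - ALL
{{ if ((.Values).initDB) }}
        env:
          - name: DB_RESTORE
            value: "true"
{{ end }}
        volumeMounts:
{{- range $key, $val := .Values.initdbScripts }}
          - name: custominitsql
            mountPath: /docker-entrypoint-initdb.d/{{ $key }}
            subPath: {{ $key }}
{{- end -}}
{{ end }}
{{ if (or (.Values).initdbScripts (.Values).configurationFiles) }}
    volumes:
{{- if .Values.configurationFiles }}
      - name: configurations
        configMap:
          name: {{ $cluster_name }}-configuration
          defaultMode: 0755
          items:
{{- range $key, $val := .Values.configurationFiles }}
            - key: {{ $key }}
              path: {{ $key }}
{{- end -}}
{{- end -}}
{{- if .Values.initdbScripts }}
{{- /*
NOTE(review): the ConfigMap name `initsql` is hard-coded, unlike the
`<cluster>-configuration` name above, so two releases in one namespace would
share it. Confirm against the ConfigMap template before changing either side.
*/}}
      - name: custominitsql
        configMap:
          name: initsql
          defaultMode: 0755
          items:
{{- range $key, $val := .Values.initdbScripts }}
            - key: {{ $key }}
              path: {{ $key }}
{{- end -}}
{{- end -}}
{{ end }}
{{ end }}

{{- /* serverConfig.mycnf is passed through verbatim; a [mysqld] section header is prepended when the user did not start with one. */}}
{{- if ((.Values).serverConfig) }}
{{- if (((.Values).serverConfig).mycnf) }}
  mycnf: |
{{- if not (hasPrefix "[mysqld]" (((.Values).serverConfig).mycnf) ) }}
    [mysqld]
{{- end }}
{{ (((.Values).serverConfig).mycnf) | indent 4 }}
{{- end }}
{{- end }}

{{- /* accessModes is rendered as a one-element list, so the value is expected to be a single scalar, not a list. */}}
{{- if .Values.datadirVolumeClaimTemplate }}
{{- with .Values.datadirVolumeClaimTemplate }}
  datadirVolumeClaimTemplate:
{{- if .storageClassName }}
    storageClassName: {{ .storageClassName | quote }}
{{- end }}
{{- if .accessModes }}
    accessModes: [ "{{ .accessModes }}" ]
{{- end }}
{{- if .resources.requests.storage }}
    resources:
      requests:
        storage: "{{ .resources.requests.storage }}"
{{- end }}
{{- end }}
{{- end }}

{{- /*
Exactly one keyring backend (file, encryptedFile or oci) may be configured;
$keyringAlreadySpecified records the first one seen so a second one fails.
*/}}
{{- if (or (((.Values).keyring).file) (((.Values).keyring).encryptedFile) (((.Values).keyring).oci) ) }}
  keyring:
{{- $keyringAlreadySpecified := "" }}
{{- if (((.Values).keyring).file) }}
{{- if $keyringAlreadySpecified }}
{{- $err := printf "Keyring '%s' already specified" $keyringAlreadySpecified }}
{{- fail $err }}
{{- end }}
{{- $keyringAlreadySpecified = "file" }}
{{- with .Values.keyring.file }}
    file:
      fileName: {{ required "keyring.file.fileName is required" .fileName | quote }}
{{- if .readOnly }}
      readOnly: {{ .readOnly }}
{{- end }}
      storage: {{ toYaml .storage | nindent 8 }}
{{- end }}
{{- end }}

{{- if (((.Values).keyring).encryptedFile) }}
{{- if $keyringAlreadySpecified }}
{{- $err := printf "Keyring '%s' already specified" $keyringAlreadySpecified }}
{{- fail $err }}
{{- end }}
{{- $keyringAlreadySpecified = "encryptedFile" }}
{{- with .Values.keyring.encryptedFile }}
    encryptedFile:
      fileName: {{ required "keyring.encryptedFile.fileName is required" .fileName | quote }}
{{- if .readOnly }}
      readOnly: {{ .readOnly }}
{{- end }}
{{- /* NOTE(review): the keyring password is rendered in clear text into the InnoDBCluster object, so anyone who can read that resource can read it. */}}
      password: {{ required "keyring.encryptedFile.password is required" .password | quote }}
      storage: {{ toYaml .storage | nindent 8 }}
{{- end }}
{{- end }}

{{- if (((.Values).keyring).oci) }}
{{- if $keyringAlreadySpecified }}
{{- $err := printf "Keyring '%s' already specified" $keyringAlreadySpecified }}
{{- fail $err }}
{{- end }}
{{- $keyringAlreadySpecified = "oci" }}
{{- with .Values.keyring.oci }}
    oci:
      user: {{ required "keyring.oci.user is required" .user | quote }}
      keySecret: {{ required "keyring.oci.keySecret is required" .keySecret | quote }}
      keyFingerprint: {{ required "keyring.oci.keyFingerprint is required" .keyFingerprint | quote }}
      tenancy: {{ required "keyring.oci.tenancy is required" .tenancy | quote }}
{{- if .compartment }}
      compartment: {{ .compartment | quote }}
{{- end }}
{{- if .virtualVault }}
      virtualVault: {{ .virtualVault | quote }}
{{- end }}
{{- if .masterKey }}
      masterKey: {{ .masterKey | quote }}
{{- end }}
{{- if .caCertificate }}
      caCertificate: {{ .caCertificate | quote }}
{{- end }}
{{- if .endpoints }}
      endpoints:
{{- if ((.endpoints).encryption) }}
        encryption: {{ ((.endpoints).encryption) | quote }}
{{- end }}
{{- if ((.endpoints).management) }}
        management: {{ ((.endpoints).management) | quote }}
{{- end }}
{{- if ((.endpoints).vaults) }}
        vaults: {{ ((.endpoints).vaults) | quote }}
{{- end }}
{{- if ((.endpoints).secrets) }}
        secrets: {{ ((.endpoints).secrets) | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

{{- /* initDB: either clone from a donor or restore from a dump, never both. */}}
{{- if .Values.initDB }}
{{- if and (and .Values.initDB.dump .Values.initDB.dump.name) (and .Values.initDB.clone .Values.initDB.donorUrl) }}
{{- fail "Dump and Clone are mutually exclusive" }}
{{- end }}

{{- if and .Values.initDB .Values.initDB.clone }}
{{- with .Values.initDB.clone }}
  initDB:
    clone:
      donorUrl: {{ required "initDB.clone.donorUrl is required" .donorUrl }}
      rootUser: {{ .rootUser | default "root" }}
      secretKeyRef:
        name: {{ required "initDB.clone.credentials is required" .credentials }}
{{- end }}
{{- end }}

{{- if and .Values.initDB .Values.initDB.dump }}
{{- with .Values.initDB.dump }}
{{- if and .name (or .ociObjectStorage .s3 .persistentVolumeClaim .options) }}
  initDB:
    dump:
{{- if .name }}
      name: {{ .name }}
{{- end }}
{{- if .path }}
      path: {{ .path }}
{{- end }}
{{- if .options }}
      options:
{{- toYaml .options | nindent 8 }}
{{- end }}
      storage:
{{- if .ociObjectStorage }}
        ociObjectStorage:
          prefix: {{ required "initDB.dump.ociObjectStorage.prefix is required" .ociObjectStorage.prefix }}
          bucketName: {{ required "initDB.dump.ociObjectStorage.bucketName is required" .ociObjectStorage.bucketName }}
          credentials: {{ required "initDB.dump.ociObjectStorage.credentials is required" .ociObjectStorage.credentials }}
{{- end }}
{{- if .s3 }}
        s3:
          prefix: {{ required "initDB.dump.s3.prefix is required" .s3.prefix }}
          bucketName: {{ required "initDB.dump.s3.bucketName is required" .s3.bucketName }}
          config: {{ required "initDB.dump.s3.config is required" .s3.config }}
{{- if .s3.profile }}
          profile: {{ .s3.profile }}
{{- end }}
{{- if .s3.endpoint }}
          endpoint: {{ .s3.endpoint }}
{{- end }}
{{- end }}
{{- if .persistentVolumeClaim }}
        persistentVolumeClaim:
{{- toYaml .persistentVolumeClaim | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

{{- /*
backupProfiles: each profile must declare exactly one of dumpInstance or
snapshot, and that method must carry a storage section of type ociObjectStorage,
s3 or persistentVolumeClaim. Error messages name the offending profile.
*/}}
{{- if .Values.backupProfiles }}
  backupProfiles:
{{- $isDumpInstance := false }}
{{- $isSnapshot := false }}
{{- range $_, $profile := .Values.backupProfiles }}
{{- if $profile.name }}
  - name: {{ $profile.name -}}
{{- if hasKey $profile "podAnnotations" }}
    podAnnotations: {{ toYaml $profile.podAnnotations | nindent 6 }}
{{- end }}
{{- if hasKey $profile "podLabels" }}
    podLabels: {{ toYaml $profile.podLabels | nindent 6 }}
{{- end }}
{{- $isDumpInstance = hasKey $profile "dumpInstance" }}
{{- $isSnapshot = hasKey $profile "snapshot" }}
{{- if or $isDumpInstance $isSnapshot }}
{{- $backupProfile := ternary $profile.dumpInstance $profile.snapshot $isDumpInstance }}
{{- if $isDumpInstance }}
    dumpInstance:
{{- else if $isSnapshot }}
    snapshot:
{{- else }}
{{- fail "Impossible backup type" }}
{{ end }}
{{- if not (hasKey $backupProfile "storage") }}
{{- fail (printf "backup profile %s has no storage section" $profile.name) }}
{{- else if hasKey $backupProfile.storage "ociObjectStorage" }}
      storage:
        ociObjectStorage:
{{- if $backupProfile.storage.ociObjectStorage.prefix }}
          prefix: {{ $backupProfile.storage.ociObjectStorage.prefix }}
{{- end }}
          bucketName: {{ required "bucketName is required" $backupProfile.storage.ociObjectStorage.bucketName }}
          credentials: {{ required "credentials is required" $backupProfile.storage.ociObjectStorage.credentials }}
{{- else if hasKey $backupProfile.storage "s3" }}
      storage:
        s3:
{{- if $backupProfile.storage.s3.prefix }}
          prefix: {{ $backupProfile.storage.s3.prefix }}
{{- end }}
          bucketName: {{ required "bucketName is required" $backupProfile.storage.s3.bucketName }}
          config: {{ required "config is required" $backupProfile.storage.s3.config }}
{{- if $backupProfile.storage.s3.profile }}
          profile: {{ $backupProfile.storage.s3.profile }}
{{- end }}
{{- if $backupProfile.storage.s3.endpoint }}
          endpoint: {{ $backupProfile.storage.s3.endpoint }}
{{- end }}
{{- else if hasKey $backupProfile.storage "persistentVolumeClaim" }}
      storage:
        persistentVolumeClaim: {{ toYaml $backupProfile.storage.persistentVolumeClaim | nindent 12 }}
{{- else -}}
{{- fail (printf "dumpInstance backup profile %s has empty storage section - neither ociObjectStorage, s3 nor persistentVolumeClaim defined" $profile.name) }}
{{- end -}}
{{- else }}
{{- fail "One of dumpInstance or snapshot must be methods of a backupProfile" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

{{- /*
backupSchedules: a schedule either references a named profile
(backupProfileName) or embeds one (backupProfile) with the same shape and
validation as backupProfiles above.
*/}}
{{- if .Values.backupSchedules }}
  backupSchedules:
{{- $isDumpInstance := false }}
{{- $isSnapshot := false }}
{{- range $_, $schedule := .Values.backupSchedules }}
  - name: {{ $schedule.name }}
    schedule: {{ quote $schedule.schedule }}
    deleteBackupData: {{ $schedule.deleteBackupData }}
    enabled: {{ $schedule.enabled }}
{{- if hasKey $schedule "backupProfileName" }}
    backupProfileName: {{ $schedule.backupProfileName }}
{{- else if hasKey $schedule "backupProfile" }}
{{- $isDumpInstance = hasKey $schedule.backupProfile "dumpInstance" }}
{{- $isSnapshot = hasKey $schedule.backupProfile "snapshot" }}
{{- if or $isDumpInstance $isSnapshot }}
{{- $backupProfile := ternary $schedule.backupProfile.dumpInstance $schedule.backupProfile.snapshot $isDumpInstance }}
    backupProfile:
{{- if hasKey $schedule.backupProfile "podAnnotations" }}
      podAnnotations: {{ toYaml $schedule.backupProfile.podAnnotations | nindent 8 }}
{{- end }}
{{- if hasKey $schedule.backupProfile "podLabels" }}
      podLabels: {{ toYaml $schedule.backupProfile.podLabels | nindent 8 }}
{{- end }}
{{- if $isDumpInstance }}
      dumpInstance:
{{- else if $isSnapshot }}
      snapshot:
{{- end }}
{{- if not (hasKey $backupProfile "storage") }}
{{- fail (printf "schedule backup profile %s has no storage section" $schedule.name) }}
{{- else if hasKey $backupProfile.storage "ociObjectStorage" }}
        storage:
          ociObjectStorage:
{{- if $backupProfile.storage.ociObjectStorage.prefix }}
            prefix: {{ $backupProfile.storage.ociObjectStorage.prefix }}
{{- end }}
            bucketName: {{ required "bucketName is required" $backupProfile.storage.ociObjectStorage.bucketName }}
            credentials: {{ required "credentials is required" $backupProfile.storage.ociObjectStorage.credentials }}
{{- else if hasKey $backupProfile.storage "s3" }}
        storage:
          s3:
{{- if $backupProfile.storage.s3.prefix }}
            prefix: {{ $backupProfile.storage.s3.prefix }}
{{- end }}
            bucketName: {{ required "bucketName is required" $backupProfile.storage.s3.bucketName }}
            config: {{ required "config is required" $backupProfile.storage.s3.config }}
{{- if $backupProfile.storage.s3.profile }}
            profile: {{ $backupProfile.storage.s3.profile }}
{{- end }}
{{- if $backupProfile.storage.s3.endpoint }}
            endpoint: {{ $backupProfile.storage.s3.endpoint }}
{{- end }}
{{- else if hasKey $backupProfile.storage "persistentVolumeClaim" }}
        storage:
          persistentVolumeClaim: {{ toYaml $backupProfile.storage.persistentVolumeClaim | nindent 12 }}
{{- else -}}
{{- fail (printf "schedule backup profile %s has empty storage section - neither ociObjectStorage, s3 nor persistentVolumeClaim defined" $schedule.name) }}
{{- end -}}
{{- else }}
{{- fail "Impossible backup type for a schedule" }}
{{- end }}

{{- else }}
{{- fail "Neither backupProfileName nor backupProfile provided for a schedule" }}
{{- end }}
{{- end }}
{{- end }}
{{- /* Trailing no-op action: its left trim removes whitespace left at the end of the rendered document. */}}
{{- if false }}
{{- end }}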