porthole/charts/etcdctl-utility/templates/deployment-etcdctl-utility.yaml
Markin, Sergiy (sm515x) 1cb2ee3566 [CPID-354] Improve MariaDB Backup/Restore validation process
HTK has been updated to 0.2.48 version that includes local backup verification step before uploading to remote storage.

In mysqlclient-utility chart HTK is used to perform test backup/restore processes. This chart has been updated to match HTK changes.
The main difference is that a mariadb verification server has to be running as a side container.

In etcdctl-utility chart .Values.manifests.secret_certificates value was set to False and a condition has been added to deployment-etcdctl-utility.yaml to avoid looking for etcdctl-etcd-secrets secret to mount.

Also in mysqlclient-utility, in the ensure_ondemand_pod_exists() function of dbutils.sh, the following adjustment was made: the number of containers in the *-ondemand pod in the pod existence verification condition is set to 2/2. This is because we added a second container, running the verification server, to this pod.

Additionally, bumping up HTK version to 0.2.48 from a commit id obtained from merge of https://review.opendev.org/c/openstack/openstack-helm-infra/+/853027 and set proper commit id in this file: tools/helm_tk.sh

Change-Id: I9d3796500574da3582cf67d8aeeec8c796dd88dd
2022-09-10 14:55:40 -05:00


{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.deployment_etcdctl_utility }}
{{- $envAll := . }}
{{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
{{- /*
Everything in this file is rendered only when
.Values.manifests.deployment_etcdctl_utility is truthy. The service account
name is the Helm release name; the same name is reused below for the
ClusterRole and the ClusterRoleBinding. The helm-toolkit snippet on the next
line is defined outside this chart; presumably it renders the ServiceAccount
object itself (confirm against helm-toolkit).
*/}}
{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
# ClusterRole for the etcdctl utility service account (named after the
# release). It is bound with a ClusterRoleBinding, so every rule below applies
# in all namespaces, not only the release namespace.
#
# NOTE(review): cluster-wide get/list/watch on secrets together with create on
# pods/exec lets this service account read every secret and open an exec
# session in any pod. Confirm the utility scripts need cluster scope; if they
# only act on the namespaces listed in BACKUP_RESTORE_NAMESPACE_LIST, a
# namespaced Role/RoleBinding per namespace would be a narrower grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $serviceAccountName }}
rules:
  # Core API group. The verbs apply to every resource in the list, so
  # "create" covers pods and pods/exec as well as namespaces, nodes,
  # persistentvolumeclaims and persistentvolumes.
  - apiGroups:
      - ""
    resources:
      - namespaces
      - nodes
      - pods
      - pods/exec
      - persistentvolumeclaims
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - create
  # Read-only access to secrets (core API group), in every namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  # CronJobs are read-only.
  - apiGroups:
      - batch
    resources:
      - cronjobs
    verbs:
      - get
      - list
      - watch
  # Jobs can be created, updated and deleted as well as read.
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
---
# Grants the ClusterRole of the same name to the release's service account.
# Because this is a ClusterRoleBinding (not a RoleBinding), the role's rules
# take effect cluster-wide even though the subject lives in the release
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $serviceAccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ $envAll.Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ $serviceAccountName }}
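---
# Deployment for the etcdctl utility pod. It runs one container,
# etcdctl-utility, under the release-named service account, started through
# /tmp/bootstrap.sh from the bin-utilscli ConfigMap.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: {{ printf "%s" $envAll.Release.Name }}
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
  labels:
{{ tuple $envAll "etcd" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
  replicas: {{ .Values.pod.replicas.utility }}
  selector:
    matchLabels:
{{ tuple $envAll "etcd" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
  template:
    metadata:
      name: {{ printf "%s" $envAll.Release.Name }}
      labels:
{{ tuple $envAll "etcd" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
        # Hashes of the rendered ConfigMap templates; a change in either one
        # changes the pod template and so triggers a rollout.
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
        {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{ dict "envAll" $envAll "podName" "etcdctl-utility" "containerNames" (list "etcdctl-utility") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      affinity:
{{ tuple $envAll "etcd" "utility" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
        # nodeSelector values must be strings; quoting keeps a value such as
        # true or 1 from being rendered as a YAML boolean or integer.
        {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value | quote }}
      containers:
        - name: etcdctl-utility
{{ tuple $envAll "etcdctl_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.etcdctl_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "etcd" "container" "etcdctl_utility" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: ETCDCTL_API
              value: "{{ .Values.conf.etcd.etcdctl_api }}"
            - name: ETCDCTL_DIAL_TIMEOUT
              value: 10s
            # etcdctl takes its TLS client material from these fixed paths.
            # NOTE(review): the etcdctl-etcd-secrets mounts below use paths
            # from .Values.endpoints.etcd.auth.client.path.*; confirm those
            # resolve to the same three files. When
            # manifests.secret_certificates is false nothing in this template
            # mounts them; presumably they then come from the extra
            # pod.mounts volumeMounts (verify).
            - name: ETCDCTL_CACERT
              value: /etc/kubernetes/apiserver/pki/etcd-client-ca.pem
            - name: ETCDCTL_CERT
              value: /etc/kubernetes/apiserver/pki/etcd-client.pem
            - name: ETCDCTL_KEY
              value: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
            # Quoted so the URL is always rendered as a single string.
            - name: ETCDCTL_ENDPOINTS
              value: "https://{{ .Values.conf.etcd.endpoints }}:{{ .Values.endpoints.etcd.port.client.default }}"
            - name: BACKUP_RESTORE_NAMESPACE_LIST
              value: {{ .Values.conf.etcd_backup_restore.enabled_namespaces | quote }}
            - name: BACKUP_RESTORE_SCOPE
              value: "etcd"
          command:
            - /tmp/bootstrap.sh
          volumeMounts:
            # The secret is mounted only when manifests.secret_certificates
            # is set, so the pod does not wait on a secret that is absent.
{{- if .Values.manifests.secret_certificates }}
            - name: etcdctl-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
              subPath: tls.ca
              readOnly: true
            - name: etcdctl-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
              subPath: tls.crt
              readOnly: true
            - name: etcdctl-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
              subPath: tls.key
              readOnly: true
{{- end }}
            - name: etcdctl-utility-bin-utilscli
              mountPath: /tmp/bootstrap.sh
              subPath: bootstrap.sh
              readOnly: true
            - name: etcdctl-utility-bin
              mountPath: /tmp/start.sh
              subPath: start.sh
              readOnly: true
            - name: etcdctl-utility-bin-utilscli
              mountPath: /usr/local/bin/utilscli
              subPath: utilscli
              readOnly: true
            - name: etcdctl-utility-bin
              mountPath: /usr/local/bin/etcdctl-utility-rootwrap
              subPath: etcdctl-utility-rootwrap
              readOnly: true
            - name: etcdctl-utility-bin-utilscli
              mountPath: /usr/local/bin/dbutils
              subPath: dbutils
              readOnly: true
            - name: etcdctl-utility-bin-utilscli
              mountPath: /tmp/etcd-ondemand-job.sh
              subPath: etcd-ondemand-job.sh
              readOnly: true
            # NOTE(review): this places a sudoers drop-in in the container.
            # Its content comes from the sudoers ConfigMap, which is not
            # visible here; review that rule alongside the rootwrap filter
            # mounted below, since together they decide what can run as root.
            - name: etcdctl-utility-sudoers
              mountPath: /etc/sudoers.d/utilscli-sudo
              subPath: utilscli-sudo
              readOnly: true
            - name: etcdctl-utility-etc
              mountPath: /etc/etcdctl-utility/rootwrap.d/etcdctl-rootwrap-filter
              subPath: etcdctl-rootwrap-filter
              readOnly: true
            - name: etcdctl-utility-etc
              mountPath: /etc/etcdctl-utility/rootwrap.conf
              subPath: rootwrap.conf
              readOnly: true
            - name: etcdctl-utility-etc
              mountPath: /etc/etcd/etcdctl.cfg
              subPath: etcdctl.cfg
              readOnly: true
            # Extra mounts from values are appended verbatim.
{{- if .Values.pod.mounts.etcd.container.etcdctl_utility.volumeMounts }}
{{ .Values.pod.mounts.etcd.container.etcdctl_utility.volumeMounts | toYaml | indent 12 }}
{{- end }}
      volumes:
        # defaultMode must stay an unquoted integer; the leading zero makes
        # it an octal file mode.
        - name: etcdctl-utility-sudoers
          configMap:
            name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
            defaultMode: 0644
        - name: etcdctl-utility-bin
          configMap:
            name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
            defaultMode: 0500
        - name: etcdctl-utility-etc
          configMap:
            name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
            defaultMode: 0400
        - name: etcdctl-utility-bin-utilscli
          configMap:
            name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
            defaultMode: 0755
        # NOTE(review): mode 0444 makes every file of this secret, including
        # tls.key, readable by any user in the container. Consider 0400 or
        # 0440 if the container user and fsGroup allow it (left unchanged
        # here because the runtime user is set by a helm-toolkit snippet not
        # visible in this file).
{{- if .Values.manifests.secret_certificates }}
        - name: etcdctl-etcd-secrets
          secret:
            secretName: etcdctl-etcd-secrets
            defaultMode: 0444
{{- end }}
        # Extra volumes from values are appended verbatim.
{{- if .Values.pod.mounts.etcd.container.etcdctl_utility.volumes }}
{{ .Values.pod.mounts.etcd.container.etcdctl_utility.volumes | toYaml | indent 8 }}
{{- end }}
{{- end }}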