Create service account for backup schedulers.

AMecea · AMecea · commit bce6c9278a75 · 2018-06-06T12:05:33.000+03:00
diff --git a/cmd/mysql-helper/apptakebackup/apptakebackup.go b/cmd/mysql-helper/apptakebackup/apptakebackup.go
@@ -27,6 +27,10 @@ import (
 	tb "github.com/presslabs/mysql-operator/cmd/mysql-helper/util"
 )
 
+const (
+	ncatIdleTimeout = "30"
+)
+
 func RunTakeBackupCommand(stopCh <-chan struct{}, srcHost, destBucket string) error {
 	glog.Infof("Take backup from '%s' to bucket '%s' started...", srcHost, destBucket)
 	destBucket = normalizeBucketUri(destBucket)
@@ -35,7 +39,7 @@ func RunTakeBackupCommand(stopCh <-chan struct{}, srcHost, destBucket string) er
 
 func pushBackupFromTo(srcHost, destBucket string) error {
 	// TODO: document each func
-	ncat := exec.Command("ncat", "--recv-only", srcHost, tb.BackupPort)
+	ncat := exec.Command("ncat", "-i", ncatIdleTimeout, "--recv-only", srcHost, tb.BackupPort)
 
 	gzip := exec.Command("gzip", "-c")
 
diff --git a/hack/charts/mysql-operator/Chart.yaml b/hack/charts/mysql-operator/Chart.yaml
@@ -6,8 +6,8 @@ keywords:
   - percona
   - orchestrator
   - presslabs
-version: 0.1.6
+version: 0.1.7
 home: https://github.com/presslabs/mysql-operator
 sources:
   - https://github.com/presslabs/mysql-operator.git
-appVersion: 0.1.6
+appVersion: 0.1.7
diff --git a/hack/charts/mysql-operator/templates/deployment.yaml b/hack/charts/mysql-operator/templates/deployment.yaml
@@ -47,6 +47,9 @@ spec:
             {{- if .Values.installCRDs }}
             - --install-crds
             {{- end }}
+            {{- if .Values.rbac.create }}
+            - --backup-service-account-name={{ template "mysql-operator.serviceAccountName" . }}-backups
+            {{- end }}
           resources:
             {{ toYaml .Values.resources | nindent 12 }}
           livenessProbe:
diff --git a/hack/charts/mysql-operator/templates/rbac.yaml b/hack/charts/mysql-operator/templates/rbac.yaml
@@ -56,4 +56,38 @@ subjects:
   - name: {{ template "mysql-operator.serviceAccountName" . }}
     namespace: {{ .Release.Namespace | quote }}
     kind: ServiceAccount
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ template "mysql-operator.fullname" . }}-backups
+  labels:
+    app: {{ template "mysql-operator.name" . }}
+    chart: {{ template "mysql-operator.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups: ["mysql.presslabs.org"]
+    resources: ["mysqlbackups"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "mysql-operator.fullname" . }}-backups
+  labels:
+    app: {{ template "mysql-operator.name" . }}
+    chart: {{ template "mysql-operator.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "mysql-operator.fullname" . }}-backups
+subjects:
+  - name: {{ template "mysql-operator.serviceAccountName" . }}-backups
+    namespace: {{ .Release.Namespace | quote }}
+    kind: ServiceAccount
+
 {{- end -}}
diff --git a/hack/charts/mysql-operator/templates/serviceaccount.yaml b/hack/charts/mysql-operator/templates/serviceaccount.yaml
@@ -8,4 +8,16 @@ metadata:
     chart: {{ template "mysql-operator.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "mysql-operator.serviceAccountName" . }}-backups
+  labels:
+    app: {{ template "mysql-operator.name" . }}
+    chart: {{ template "mysql-operator.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+
 {{- end }}
diff --git a/hack/e2e-tests/mysql-operator-values.yaml b/hack/e2e-tests/mysql-operator-values.yaml
@@ -1,6 +1,9 @@
 extraArgs:
   - -v=3
 
+rbac:
+  create: true
+
 orchestrator:
   topologyPassword: password1
   antiAffinity: soft
diff --git a/pkg/mysqlcluster/cron_job.go b/pkg/mysqlcluster/cron_job.go
@@ -65,6 +65,7 @@ func (f *cFactory) ensurePodTemplate(spec core.PodSpec) core.PodSpec {
 	}
 
 	spec.RestartPolicy = core.RestartPolicyOnFailure
+	spec.ServiceAccountName = f.opt.BackupSchedulerServiceAccountName
 
 	spec.Containers[0].Name = "schedule-backup"
 	spec.Containers[0].Image = f.cluster.Spec.GetHelperImage()
diff --git a/pkg/util/options/options.go b/pkg/util/options/options.go
@@ -53,7 +53,8 @@ type Options struct {
 	OrchestratorTopologyPassword string
 	OrchestratorTopologyUser     string
 
-	JobCompleteSuccessGraceTime time.Duration
+	JobCompleteSuccessGraceTime       time.Duration
+	BackupSchedulerServiceAccountName string
 
 	HttpServeAddr string
 }
@@ -88,6 +89,8 @@ const (
 	defaultOrchestratorTopologyPassword = ""
 
 	defaultHttpServeAddr = ":80"
+
+	defaultBackupSchedServiceAccountName = "default"
 )
 
 var (
@@ -120,6 +123,10 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.HttpServeAddr, "http-serve-addr", defaultHttpServeAddr,
 		"The address for http server.")
 
+	fs.StringVar(&o.BackupSchedulerServiceAccountName, "backup-service-account-name",
+		defaultBackupSchedServiceAccountName, "Specify the service account for backup scheduler. "+
+			"This accounts should have permissions to create backups.")
+
 }
 
 var instance *Options

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ func (f *cFactory) ensurePodTemplate(spec core.PodSpec) core.PodSpec {`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`spec.RestartPolicy = core.RestartPolicyOnFailure`
	`68`	`+ spec.ServiceAccountName = f.opt.BackupSchedulerServiceAccountName`
`68`	`69`
`69`	`70`	`spec.Containers[0].Name = "schedule-backup"`
`70`	`71`	`spec.Containers[0].Image = f.cluster.Spec.GetHelperImage()`