diff --git a/ghost/mariadb/rbac.yaml b/ghost/mariadb/rbac.yaml
new file mode 100644
index 0000000..f22d5e6
--- /dev/null
+++ b/ghost/mariadb/rbac.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: create-secrets
+ namespace: example
+subjects:
+- kind: ServiceAccount
+ name: mariadb
+ namespace: example
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: create-secrets
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: create-secrets
+ namespace: example
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+ - delete
\ No newline at end of file
diff --git a/ghost/mariadb/serviceaccount-mariadb.yaml b/ghost/mariadb/serviceaccount-mariadb.yaml
index e81bcdf..b6988e5 100644
--- a/ghost/mariadb/serviceaccount-mariadb.yaml
+++ b/ghost/mariadb/serviceaccount-mariadb.yaml
@@ -6,4 +6,4 @@ metadata:
 namespace: example
 labels:
 app.kubernetes.io/name: mariadb
-automountServiceAccountToken: false
+automountServiceAccountToken: true
diff --git a/ghost/mariadb/statefulset-mariadb.yaml b/ghost/mariadb/statefulset-mariadb.yaml
index c97e518..f55d0e9 100644
--- a/ghost/mariadb/statefulset-mariadb.yaml
+++ b/ghost/mariadb/statefulset-mariadb.yaml
@@ -14,8 +14,15 @@ spec:
 type: RollingUpdate
 template:
 spec:
+ serviceAccountName: mariadb
 securityContext:
 fsGroup: 1001
+ initContainers:
+ - name: create-secret
+ image: gcr.io/kpt-fn-demo/yuwenma-secret:v0.6
+ env:
+ - name: SECRET_NAME
+ value: mariadb
 containers:
 - name: mariadb
 image: docker.io/bitnami/mariadb:10.6.7-debian-10-r62
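Review bot: The Role in rbac.yaml grants `get` and `delete` on every Secret in the `example` namespace, not only the one the init container creates, so anything running under the `mariadb` ServiceAccount can read the other Secrets in that namespace — and the StatefulSet hunk in this commit attaches that ServiceAccount to the whole mariadb pod, not just the init container. `create` cannot be narrowed with `resourceNames` (the object name is not part of the request at authorization time), but `get` and `delete` can, so split the rule and restrict the second half to the `mariadb` Secret. Whether `get` is needed at all depends on the verbs run.sh actually issues, which is cut off in this page, so confirm that before keeping it. The new file also lacks a trailing newline.
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - mariadb
    verbs:
      - get
      - delete
```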
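Review bot: Flipping `automountServiceAccountToken` to `true` on the ServiceAccount object mounts an API token into every pod that uses `mariadb`, including the long-running database container, when only the `create-secret` init container appears to need API access. Keep the ServiceAccount at `automountServiceAccountToken: false` and opt in where the token is consumed: at minimum `automountServiceAccountToken: true` under the StatefulSet's `template.spec`, or preferably a projected `serviceAccountToken` volume mounted only on the init container with a short `expirationSeconds`. This matters because the Role bound to this ServiceAccount in the same commit allows `get` and `delete` on Secrets, so a token leaking from the database container is a namespace-wide secret-read primitive.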
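Review bot: The new `create-secret` init container has no `resources`, no `securityContext`, and an image pinned only by the mutable tag `v0.6`, while the whole pod — not just this container — inherits the `mariadb` ServiceAccount and, with automount enabled elsewhere in this commit, the token that the accompanying Role allows to read and delete Secrets. Scope the token to the init container with a projected volume (run.sh reads `token`, `ca.crt` and `namespace` from the standard mount path, so the projection below reproduces that layout), set `automountServiceAccountToken: false` on the pod, and give the init container a non-root `securityContext`, resource bounds, and a digest-pinned image. Running as a fixed non-root UID assumes run.sh needs no root privileges, which holds for the visible part of the script but its tail is cut off here. The pod spec continues past the hunk; `volumes:` belongs after `containers:`, and the indentation below is reconstructed because the hunk's whitespace is collapsed.
```yaml
      serviceAccountName: mariadb
      automountServiceAccountToken: false
      securityContext:
        fsGroup: 1001
      initContainers:
        - name: create-secret
          image: gcr.io/kpt-fn-demo/yuwenma-secret:v0.6  # pin by @sha256 digest once published
          env:
            - name: SECRET_NAME
              value: mariadb
          securityContext:
            runAsUser: 65532
            runAsGroup: 65532
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests: {cpu: 10m, memory: 32Mi}
            limits: {memory: 64Mi}
          volumeMounts:
            - name: sa-token
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
      # … unchanged: containers …
      volumes:
        - name: sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 600
              - configMap:
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace
```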
@@ -32,9 +39,51 @@ spec:
 value: bitnami_ghost
 - name: ALLOW_EMPTY_PASSWORD
 value: "true"
+ - name: MARIADB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb
+ key: mariadb-root-password
+ - name: MARIADB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb
+ key: mariadb-password
 ports:
 - name: mysql
 containerPort: 3306
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 120
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ exec:
+ command:
+ - /bin/bash
+ - -ec
+ - |
+ password_aux="${MARIADB_ROOT_PASSWORD:-}"
+ if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
+ password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
+ fi
+ mysqladmin status -uroot -p"${password_aux}"
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ exec:
+ command:
+ - /bin/bash
+ - -ec
+ - |
+ password_aux="${MARIADB_ROOT_PASSWORD:-}"
+ if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
+ password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
+ fi
+ mysqladmin status -uroot -p"${password_aux}"
 resources:
 limits: {}
 requests: {}
diff --git a/ghost/secret-generator/Dockerfile b/ghost/secret-generator/Dockerfile
new file mode 100644
index 0000000..4ac724b
--- /dev/null
+++ b/ghost/secret-generator/Dockerfile
@@ -0,0 +1,9 @@
+FROM ubuntu:18.04
+
+RUN apt-get update && \
+ apt-get install -y wget sudo curl openssh-client
+
+COPY run.sh .
+RUN chmod 0555 ./run.sh
+
+CMD ["./run.sh"]
\ No newline at end of file
diff --git a/ghost/secret-generator/run.sh b/ghost/secret-generator/run.sh
new file mode 100644
index 0000000..7a486d5
--- /dev/null
+++ b/ghost/secret-generator/run.sh
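Review bot: `ALLOW_EMPTY_PASSWORD: "true"` (the context line immediately above the new `MARIADB_ROOT_PASSWORD` entry) is now contradictory: the root password is supplied from the `mariadb` Secret, so the empty-password escape hatch should be removed in the same change rather than left as a silent fallback. In both probes the password is passed on the command line, `mysqladmin status -uroot -p"${password_aux}"`, where it is readable from `/proc/*/cmdline` by any process in the container for the duration of the call; prefer `MYSQL_PWD="${password_aux}" mysqladmin status -uroot`. `timeoutSeconds: 1` for a probe that spawns bash plus a MariaDB client is tight on a loaded node and will surface as spurious liveness restarts. I cannot confirm from this page that the generator writes the `mariadb-root-password` and `mariadb-password` keys, since run.sh's heredoc is cut off, and a missing key leaves the container in CreateContainerConfigError, so that mapping should be checked against the script.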
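Review bot: The generator image builds on `ubuntu:18.04`, which is past end of standard support, installs `wget`, `sudo` and `openssh-client` that the visible part of run.sh never uses, leaves the apt cache in the layer, and runs as root with no `USER`. The visible part of run.sh only reads the mounted ServiceAccount files and prepares an API call (the request itself is cut off here), so trim the image to `curl` on a supported base, drop the apt lists, use an absolute path instead of `./run.sh` relative to the implicit workdir, and run as a non-root user; pin the base by digest once the tag is settled. The new file also lacks a trailing newline.
```dockerfile
FROM ubuntu:22.04

RUN apt-get update && \
    apt-get install -y --no-install-recommends curl ca-certificates && \
    rm -rf /var/lib/apt/lists/*

COPY run.sh /run.sh
RUN chmod 0555 /run.sh

USER 65532:65532
CMD ["/run.sh"]
```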
@@ -0,0 +1,29 @@ +#!/bin/bash +# Point to the internal API server hostname +APISERVER=https://kubernetes.default.svc +# Path to ServiceAccount token +SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount +# Read this Pod's namespace +NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) +# Read the ServiceAccount bearer token +TOKEN=$(cat ${SERVICEACCOUNT}/token) +# Reference the internal certificate authority (CA) +CACERT=${SERVICEACCOUNT}/ca.crt + +secret=$(cat <