# The main role for the operator
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mysql-operator
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["get", "patch", "update", "watch"]
    # Kopf needs patch on secrets or the sidecar will throw
    # The operator needs this verb to be able to pass it to the sidecar
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "list", "watch", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "list", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "create", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch", "update"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["get", "create"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["get", "create"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create"]
  - apiGroups: ["batch"]
    resources: ["cronjobs"]
    verbs: ["get", "create", "update", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "create", "patch", "update", "watch", "delete"]
  - apiGroups: ["mysql.oracle.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["zalando.org"]
    resources: ["*"]
    verbs: ["get", "patch", "list", "watch"]
  # Kopf: runtime observation of namespaces & CRDs (addition/deletion).
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [list, watch]
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [list, watch]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["servicemonitors"]
    verbs: ["get", "create", "patch", "update", "delete"]
---
# role for the server sidecar
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mysql-sidecar
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["get", "patch", "update", "watch"]
  # Kopf needs patch on secrets or the sidecar will throw
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "list", "update"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "create"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch", "update"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "patch"]
  - apiGroups: ["mysql.oracle.com"]
    resources: ["innodbclusters"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["mysql.oracle.com"]
    resources: ["mysqlbackups"]
    verbs: ["create", "get", "list", "patch", "update", "watch", "delete"]
  - apiGroups: ["mysql.oracle.com"]
    resources: ["mysqlbackups/status"]
    verbs: ["get", "patch", "update", "watch"]
---
# Give access to the operator
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mysql-operator-rolebinding
subjects:
  - kind: ServiceAccount
    name: mysql-operator-sa
    namespace: mysql-operator
  # TODO The following entry is for dev purposes only
  #- kind: Group
  #  name: system:serviceaccounts
  #  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: mysql-operator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: zalando.org/v1
kind: ClusterKopfPeering
metadata:
  name: mysql-operator
---
apiVersion: v1
kind: Namespace
metadata:
  name: mysql-operator
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysql-operator-sa
  namespace: mysql-operator
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql-operator
  namespace: mysql-operator
  labels:
    version: "1.0"
    app.kubernetes.io/name: mysql-operator
    app.kubernetes.io/instance: mysql-operator
    app.kubernetes.io/version: 8.4.0-2.1.3
    app.kubernetes.io/component: controller
    app.kubernetes.io/managed-by: mysql-operator
    app.kubernetes.io/created-by: mysql-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: mysql-operator
  template:
    metadata:
      labels:
        name: mysql-operator
    spec:
      containers:
        - name: mysql-operator
          image: container-registry.oracle.com/mysql/community-operator:8.4.0-2.1.3
          imagePullPolicy: IfNotPresent
          args:
            [
              "mysqlsh",
              "--log-level=@INFO",
              "--pym",
              "mysqloperator",
              "operator",
            ]
          env:
            - name: MYSQLSH_USER_CONFIG_HOME
              value: /mysqlsh
            - name: MYSQLSH_CREDENTIAL_STORE_SAVE_PASSWORDS
              value: never
          readinessProbe:
            exec:
              command:
              - cat
              - /tmp/mysql-operator-ready
            initialDelaySeconds: 1
            periodSeconds: 3
          volumeMounts:
            - name: mysqlsh-home
              mountPath: /mysqlsh
            - name: tmpdir
              mountPath: /tmp
          securityContext:
            runAsUser: 2
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
      volumes:
        - name: mysqlsh-home
          emptyDir: {}
        - name: tmpdir
          emptyDir: {}
      serviceAccountName: mysql-operator-sa