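# The main role for the operator.
#
# Security note: this ClusterRole is bound cluster-wide by the
# ClusterRoleBinding further down, so every rule here applies in ALL
# namespaces regardless of how OPERATOR_NAMESPACES narrows the watch.
# Keep the verb lists minimal; anything added here is also what the
# operator may delegate to the sidecar/switchover roles (see below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mysql-operator
  labels:
    app.kubernetes.io/name: mysql-operator
    app.kubernetes.io/instance: mysql-operator
    app.kubernetes.io/component: controller
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["get", "patch", "update", "watch"]
  # Kopf needs patch on secrets or the sidecar will throw.
  # The operator needs this verb to be able to pass it to the sidecar
  # (RBAC escalation prevention: a subject can only create a RoleBinding
  # for permissions it already holds, unless it has the "bind" verb).
  # NOTE(review): "get"/"list"/"watch" on secrets is cluster-wide here;
  # if the operator is restricted to specific namespaces, consider
  # binding this role with per-namespace RoleBindings instead of a
  # ClusterRoleBinding.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "list", "watch", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "list", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "create", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch", "update"]
  # The operator creates RoleBindings for the mysql-sidecar and
  # mysql-switchover ClusterRoles. Every rule in those two roles must
  # remain a subset of this role, or the API server will reject the
  # RoleBinding creation (escalation check). Re-verify when editing.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["get", "create", "patch", "delete"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["get", "create"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create"]
  - apiGroups: ["batch"]
    resources: ["cronjobs"]
    verbs: ["get", "create", "update", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "create", "patch", "update", "watch", "delete"]
  # Full control over the operator's own API group (CRs it owns).
  - apiGroups: ["mysql.oracle.com"]
    resources: ["*"]
    verbs: ["*"]
  # Kopf peering objects (ClusterKopfPeering below).
  - apiGroups: ["zalando.org"]
    resources: ["*"]
    verbs: ["get", "patch", "list", "watch"]
  # Kopf: runtime observation of namespaces & CRDs (addition/deletion).
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list", "watch"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["servicemonitors"]
    verbs: ["get", "create", "patch", "update", "delete"]
---
# Role for the server sidecar.
#
# Defined as a ClusterRole so one definition can be referenced from many
# namespaces; presumably the operator binds it per namespace through the
# RoleBindings it is allowed to create above (SIDECAR_ROLE_NAME), which
# keeps the sidecar's reach namespace-scoped. Do not bind it with a
# ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mysql-sidecar
  labels:
    app.kubernetes.io/name: mysql-operator
    app.kubernetes.io/instance: mysql-operator
    app.kubernetes.io/component: controller
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["get", "patch", "update", "watch"]
  # Kopf needs patch on secrets or the sidecar will throw.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "list", "update"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "create"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch", "update"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "patch"]
  - apiGroups: ["mysql.oracle.com"]
    resources: ["innodbclusters"]
    verbs: ["get", "watch", "list", "patch"]
  - apiGroups: ["mysql.oracle.com"]
    resources: ["mysqlbackups"]
    verbs: ["create", "get", "list", "patch", "update", "watch", "delete"]
  - apiGroups: ["mysql.oracle.com"]
    resources: ["mysqlbackups/status"]
    verbs: ["get", "patch", "update", "watch"]
---
# Role for the switchover CronJob.
#
# Deliberately read-mostly: the job only needs to read pods/secrets and
# the InnoDBCluster, and to update the cluster's status subresource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mysql-switchover
  labels:
    app.kubernetes.io/name: mysql-operator
    app.kubernetes.io/instance: mysql-operator
    app.kubernetes.io/component: controller
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # Read-only access to secrets (credentials for the switchover); no
  # create/patch here, unlike the operator and sidecar roles.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  - apiGroups: ["mysql.oracle.com"]
    resources: ["innodbclusters"]
    verbs: ["get"]
  - apiGroups: ["mysql.oracle.com"]
    resources: ["innodbclusters/status"]
    verbs: ["get", "patch"]
---
# Give access to the operator.
#
# Cluster-wide binding of the mysql-operator ClusterRole to the
# operator's ServiceAccount only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mysql-operator-rolebinding
  labels:
    app.kubernetes.io/name: mysql-operator
    app.kubernetes.io/instance: mysql-operator
    app.kubernetes.io/component: controller
subjects:
  - kind: ServiceAccount
    name: mysql-operator-sa
    namespace: mysql-operator
  # TODO The following entry is for dev purposes only.
  # NEVER enable it outside a throwaway dev cluster: it would grant the
  # full mysql-operator ClusterRole (cluster-wide secrets read/patch,
  # RoleBinding creation, workload control) to EVERY ServiceAccount in
  # the cluster.
  #- kind: Group
  #  name: system:serviceaccounts
  #  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: mysql-operator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: zalando.org/v1
kind: ClusterKopfPeering
metadata:
  # Should be the same as
  # spec.template.spec.containers[0].env['OPERATOR_PEERING_NAME']
  name: mysql-operator
  labels:
    app.kubernetes.io/name: mysql-operator
    app.kubernetes.io/instance: mysql-operator
    app.kubernetes.io/component: controller
---
apiVersion: v1
kind: Namespace
metadata:
  name: mysql-operator
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysql-operator-sa
  namespace: mysql-operator
  labels:
    app.kubernetes.io/name: mysql-operator
    app.kubernetes.io/instance: mysql-operator
    app.kubernetes.io/component: controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql-operator
  namespace: mysql-operator
  labels:
    version: "1.0"
    app.kubernetes.io/name: mysql-operator
    app.kubernetes.io/instance: mysql-operator
    app.kubernetes.io/version: 9.7.0-2.2.8
    app.kubernetes.io/component: controller
    app.kubernetes.io/managed-by: mysql-operator
    app.kubernetes.io/created-by: mysql-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: mysql-operator
  template:
    metadata:
      labels:
        name: mysql-operator
        app.kubernetes.io/name: mysql-operator
        app.kubernetes.io/instance: mysql-operator
        app.kubernetes.io/component: controller
    spec:
      securityContext:
        runAsNonRoot: true
        # Pod Security Standards "restricted" requires an explicit seccomp
        # profile; RuntimeDefault applies the container runtime's default
        # syscall filter.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: mysql-operator
          # Pinned to an explicit version tag. For stronger supply-chain
          # guarantees pin to the image digest (image@sha256:...) so a
          # re-tagged image cannot be pulled unnoticed.
          image: container-registry.oracle.com/mysql/community-operator:9.7.0-2.2.8
          imagePullPolicy: IfNotPresent
          args:
            - "mysqlsh"
            - "--log-level=@INFO"
            - "--pym"
            - "mysqloperator"
            - "operator"
          env:
            - name: MYSQLSH_USER_CONFIG_HOME
              value: /mysqlsh
            # Never persist MySQL credentials in the shell's credential store.
            - name: MYSQLSH_CREDENTIAL_STORE_SAVE_PASSWORDS
              value: never
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: OPERATOR_DEPLOYMENT_NAME
              value: "mysql-operator"
            # Used when OPERATOR_STANDALONE is false; must match the
            # ClusterKopfPeering name above.
            - name: OPERATOR_PEERING_NAME
              value: "mysql-operator"
            # Names of the ClusterRoles defined above; the operator
            # references them when creating RoleBindings.
            - name: OPERATOR_ROLE_NAME
              value: "mysql-operator"
            - name: SIDECAR_ROLE_NAME
              value: "mysql-sidecar"
            - name: SWITCHOVER_ROLE_NAME
              value: "mysql-switchover"
            # These envs define operator topology for raw-manifest installs
            # and upgrades. Standalone also requires a safe Deployment
            # strategy.
            # Comma-separated explicit watched namespaces. Empty means
            # cluster-wide. Standalone and non-standalone use the same
            # explicit namespace grammar.
            # NOTE(review): narrowing this list limits what the operator
            # watches, not what its RBAC allows (see ClusterRoleBinding).
            - name: OPERATOR_NAMESPACES
              value: ""
            - name: OPERATOR_STANDALONE
              value: "false"
            - name: MYSQL_OPERATOR_DEBUG
              value: "0"
          readinessProbe:
            exec:
              command:
                - cat
                - /tmp/mysql-operator-ready
            initialDelaySeconds: 1
            periodSeconds: 3
          # NOTE(review): no resources.requests/limits are set; add them
          # per environment so the operator cannot starve other workloads.
          volumeMounts:
            - name: mysqlsh-home
              mountPath: /mysqlsh
            - name: tmpdir
              mountPath: /tmp
          # Hardened container: no capabilities, non-root fixed UID,
          # read-only root filesystem (writable paths are the emptyDirs
          # mounted above), no privilege escalation.
          securityContext:
            capabilities:
              drop:
                - ALL
            runAsUser: 2
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
      volumes:
        - name: mysqlsh-home
          emptyDir: {}
        - name: tmpdir
          emptyDir: {}
      serviceAccountName: mysql-operator-sa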