Skip to content

Instantly share code, notes, and snippets.

@tonejito

tonejito/.gitignore

Last active June 2, 2023 01:59
Show Gist options
  • Save tonejito/771ea1be54de76fd1a1a8e756595d244 to your computer and use it in GitHub Desktop.
Save tonejito/771ea1be54de76fd1a1a8e756595d244 to your computer and use it in GitHub Desktop.
Download ZIP
Harry Potter and the cursed ARO k8s volume mounts
Raw
.gitignore
# .gitignore
**/old
Raw
mariadb-ephemeral.rendered.yaml
# [NOTE]
# ====
# You have to convert the DeploymentConfig to a Deployment to avoid using an ImageStream
#
# Once you have a Deployment just set the '.spec.containers[0].image' and point it to a "well known" (and hopefully public) MySQL/MariaDB image
# ====
# $ oc process template/mariadb-ephemeral -n openshift --parameters
# NAME DESCRIPTION GENERATOR VALUE
# MEMORY_LIMIT Maximum amount of memory the container can use. 512Mi
# NAMESPACE The OpenShift Namespace where the ImageStream resides. openshift
# DATABASE_SERVICE_NAME The name of the OpenShift Service exposed for the database. mariadb
# MYSQL_USER Username for MariaDB user that will be used for accessing the database. expression user[A-Z0-9]{3}
# MYSQL_PASSWORD Password for the MariaDB connection user. expression [a-zA-Z0-9]{16}
# MYSQL_ROOT_PASSWORD Password for the MariaDB root user. expression [a-zA-Z0-9]{16}
# MYSQL_DATABASE Name of the MariaDB database accessed. sampledb
# MARIADB_VERSION Version of MariaDB image to be used (10.3-el7, 10.3-el8, or latest). 10.3-el8
# $ oc process template/mariadb-ephemeral -n openshift \
# -p MYSQL_ROOT_PASSWORD='root' \
# -p MYSQL_DATABASE='database' \
# -p MYSQL_USER='user' \
# -p MYSQL_PASSWORD='password' \
# -o yaml
---
apiVersion: v1
items:
- apiVersion: v1
kind: Secret
metadata:
annotations:
template.openshift.io/expose-database_name: '{.data[''database-name'']}'
template.openshift.io/expose-password: '{.data[''database-password'']}'
template.openshift.io/expose-root_password: '{.data[''database-root-password'']}'
template.openshift.io/expose-username: '{.data[''database-user'']}'
labels:
app.openshift.io/runtime: mariadb
template: mariadb-ephemeral-template
name: mariadb
stringData:
database-name: database
database-password: password
database-root-password: root
database-user: user
- apiVersion: v1
kind: Service
metadata:
annotations:
template.openshift.io/expose-uri: mysql://{.spec.clusterIP}:{.spec.ports[?(.name=="mariadb")].port}
labels:
app.openshift.io/runtime: mariadb
template: mariadb-ephemeral-template
name: mariadb
spec:
ports:
- name: mariadb
port: 3306
selector:
name: mariadb
- apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
annotations:
template.alpha.openshift.io/wait-for-ready: "true"
labels:
app.openshift.io/runtime: mariadb
template: mariadb-ephemeral-template
name: mariadb
spec:
replicas: 1
selector:
name: mariadb
strategy:
type: Recreate
template:
metadata:
labels:
name: mariadb
spec:
containers:
- env:
- name: MYSQL_USER
valueFrom:
secretKeyRef:
key: database-user
name: mariadb
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
key: database-password
name: mariadb
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
key: database-root-password
name: mariadb
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
key: database-name
name: mariadb
image: ' '
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -i
- -c
- MYSQL_PWD="$MYSQL_PASSWORD" mysqladmin -u $MYSQL_USER ping
initialDelaySeconds: 30
timeoutSeconds: 1
name: mariadb
ports:
- containerPort: 3306
readinessProbe:
exec:
command:
- /bin/sh
- -i
- -c
- MYSQL_PWD="$MYSQL_PASSWORD" mysqladmin -u $MYSQL_USER ping
initialDelaySeconds: 5
timeoutSeconds: 1
resources:
limits:
memory: 512Mi
volumeMounts:
- mountPath: /var/lib/mysql/data
name: mariadb-data
volumes:
- emptyDir:
medium: ""
name: mariadb-data
triggers:
- imageChangeParams:
automatic: true
containerNames:
- mariadb
from:
kind: ImageStreamTag
name: mariadb:10.3-el8
namespace: openshift
type: ImageChange
- type: ConfigChange
kind: List
metadata: {}
Raw
mariadb-persistent.rendered.yaml
# [NOTE]
# ====
# You have to convert the DeploymentConfig to a Deployment to avoid using an ImageStream
#
# Once you have a Deployment just set the '.spec.containers[0].image' and point it to a "well known" (and hopefully public) MySQL/MariaDB image
# ====
# $ oc process template/mariadb-persistent -n openshift --parameters
# NAME DESCRIPTION GENERATOR VALUE
# MEMORY_LIMIT Maximum amount of memory the container can use. 512Mi
# NAMESPACE The OpenShift Namespace where the ImageStream resides. openshift
# DATABASE_SERVICE_NAME The name of the OpenShift Service exposed for the database. mariadb
# MYSQL_USER Username for MariaDB user that will be used for accessing the database. expression user[A-Z0-9]{3}
# MYSQL_PASSWORD Password for the MariaDB connection user. expression [a-zA-Z0-9]{16}
# MYSQL_ROOT_PASSWORD Password for the MariaDB root user. expression [a-zA-Z0-9]{16}
# MYSQL_DATABASE Name of the MariaDB database accessed. sampledb
# MARIADB_VERSION Version of MariaDB image to be used (10.3-el7, 10.3-el8, or latest). 10.3-el8
# VOLUME_CAPACITY Volume space available for data, e.g. 512Mi, 2Gi. 1Gi
# oc process template/mariadb-persistent -n openshift \
# -p MYSQL_ROOT_PASSWORD='root' \
# -p MYSQL_DATABASE='database' \
# -p MYSQL_USER='user' \
# -p MYSQL_PASSWORD='password' \
# -p VOLUME_CAPACITY='1Gi' \
# -o yaml
---
apiVersion: v1
items:
- apiVersion: v1
kind: Secret
metadata:
annotations:
template.openshift.io/expose-database_name: '{.data[''database-name'']}'
template.openshift.io/expose-password: '{.data[''database-password'']}'
template.openshift.io/expose-root_password: '{.data[''database-root-password'']}'
template.openshift.io/expose-username: '{.data[''database-user'']}'
labels:
app.openshift.io/runtime: mariadb
template: mariadb-persistent-template
name: mariadb
stringData:
database-name: database
database-password: password
database-root-password: root
database-user: user
- apiVersion: v1
kind: Service
metadata:
annotations:
template.openshift.io/expose-uri: mysql://{.spec.clusterIP}:{.spec.ports[?(.name=="mariadb")].port}
labels:
app.openshift.io/runtime: mariadb
template: mariadb-persistent-template
name: mariadb
spec:
ports:
- name: mariadb
port: 3306
selector:
name: mariadb
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.openshift.io/runtime: mariadb
template: mariadb-persistent-template
name: mariadb
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
annotations:
template.alpha.openshift.io/wait-for-ready: "true"
labels:
app.openshift.io/runtime: mariadb
template: mariadb-persistent-template
name: mariadb
spec:
replicas: 1
selector:
name: mariadb
strategy:
type: Recreate
template:
metadata:
labels:
name: mariadb
spec:
containers:
- env:
- name: MYSQL_USER
valueFrom:
secretKeyRef:
key: database-user
name: mariadb
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
key: database-password
name: mariadb
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
key: database-root-password
name: mariadb
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
key: database-name
name: mariadb
image: ' '
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -i
- -c
- MYSQL_PWD="$MYSQL_PASSWORD" mysqladmin -u $MYSQL_USER ping
initialDelaySeconds: 30
timeoutSeconds: 1
name: mariadb
ports:
- containerPort: 3306
readinessProbe:
exec:
command:
- /bin/sh
- -i
- -c
- MYSQL_PWD="$MYSQL_PASSWORD" mysqladmin -u $MYSQL_USER ping
initialDelaySeconds: 5
timeoutSeconds: 1
resources:
limits:
memory: 512Mi
volumeMounts:
- mountPath: /var/lib/mysql/data
name: mariadb-data
volumes:
- name: mariadb-data
persistentVolumeClaim:
claimName: mariadb
triggers:
- imageChangeParams:
automatic: true
containerNames:
- mariadb
from:
kind: ImageStreamTag
name: mariadb:10.3-el8
namespace: openshift
type: ImageChange
- type: ConfigChange
kind: List
metadata: {}
Raw
mariadb.yaml
# Apply the rbac.yaml file and uncomment the 'serviceAccountName' field of the Deployment to run the Pod with a specific ServiceAccount
# oc new-project mj-aro
# oc create sa storage-sa
# oc adm policy add-scc-to-user anyuid -z storage-sa
# oc set serviceaccount deployment/mariadb storage-sa
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app: mariadb
name: mariadb
spec:
#
# storage classes in a DO280 classroom
#
# - file storage (not appropriate for a database)
# storageClassName: nfs-storage
#
# - block storage (appropriate for a database)
storageClassName: lvms-vg1
#
# Storage classes in ARO (Azure)
# storageClassName: managed-premium
# (I believe this is block storage, but correct me if I'm wrong)
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Gi
---
apiVersion: v1
kind: Secret
metadata:
labels:
app: mariadb
name: mariadb
stringData:
database-name: do120db
database-password: redhat
database-root-password: redhat
database-user: operator1
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: mariadb
name: mariadb
spec:
replicas: 1
selector:
matchLabels:
app: mariadb
strategy:
type: Recreate
template:
metadata:
labels:
app: mariadb
spec:
containers:
- name: mariadb
# I mirrored the image to Quay because my cluster didn't had the appropriate Image Pull Secrets in place
# image: registry.redhat.io/rhel9/mariadb-105
image: quay.io/redhattraining/mariadb:105-1-125
env:
- name: MYSQL_USER
valueFrom:
secretKeyRef:
key: database-user
name: mariadb
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
key: database-password
name: mariadb
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
key: database-root-password
name: mariadb
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
key: database-name
name: mariadb
ports:
- containerPort: 3306
livenessProbe:
exec:
command:
- /bin/sh
- -i
- -c
- MYSQL_PWD="$MYSQL_PASSWORD" mysqladmin -u $MYSQL_USER ping
initialDelaySeconds: 30
timeoutSeconds: 1
readinessProbe:
exec:
command:
- /bin/sh
- -i
- -c
- MYSQL_PWD="$MYSQL_PASSWORD" mysqladmin -u $MYSQL_USER ping
initialDelaySeconds: 5
timeoutSeconds: 1
resources:
# Warning: No CPU limit specified for this container, this could starve other processes
limits:
memory: 512Mi
# https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
privileged: false
runAsNonRoot: true
allowPrivilegeEscalation: false
# seccompProfile can be set as RuntimeDefault, Unconfined, and Localhost
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /var/lib/mysql/data
name: mariadb-data
# oc set serviceaccount deployment/mariadb storage-sa
# The above command adds the `serviceAccountName` parameter to the deployment
# serviceAccountName: storage-sa
# Can't add this when running in 'restricted*' PSA
# securityContext:
# # matches project/namespace 'sa.scc.supplemental-groups' annotation
# fsGroup: 1000820000
# # These two fail because they don't match the annotation range
# # fsGroup: 0 # root
# # fsGroup: 27 # mysql
volumes:
- name: mariadb-data
persistentVolumeClaim:
claimName: mariadb
defaultMode: 0777
---
apiVersion: v1
kind: Service
metadata:
labels:
app: mariadb
name: mariadb
spec:
ports:
- name: mariadb
port: 3306
targetPort: 3306 # Added to get rid of a warning
selector:
name: mariadb
Raw
project-namespace.yaml
---
# oc get project/mj-aro -o yaml
apiVersion: project.openshift.io/v1
kind: Project
metadata:
annotations:
openshift.io/description: ""
openshift.io/display-name: ""
openshift.io/requester: admin
openshift.io/sa.scc.mcs: s0:c29,c4
openshift.io/sa.scc.supplemental-groups: 1000820000/10000
openshift.io/sa.scc.uid-range: 1000820000/10000
labels:
kubernetes.io/metadata.name: mj-aro
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: v1.24
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: v1.24
name: mj-aro
spec:
finalizers:
- kubernetes
status:
phase: Active
---
# oc get namespace/mj-aro -o yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/description: ""
openshift.io/display-name: ""
openshift.io/requester: admin
openshift.io/sa.scc.mcs: s0:c29,c4
openshift.io/sa.scc.supplemental-groups: 1000820000/10000
openshift.io/sa.scc.uid-range: 1000820000/10000
labels:
kubernetes.io/metadata.name: mj-aro
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: v1.24
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: v1.24
name: mj-aro
spec:
finalizers:
- kubernetes
status:
phase: Active
Raw
rbac.yaml
---
# oc create sa storage-sa --dry-run=client -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: storage-sa
---
# oc adm policy add-scc-to-user anyuid -z storage-sa --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:openshift:scc:anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
name: storage-sa
namespace: mj-aro
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment