From 2cc97ae82e233891693d6f5f65db543fea897448 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 31 Jan 2022 17:50:41 +0000
Subject: [PATCH] using init container and use msql password and databunker master key as a files inside container
---
 charts/databunker/templates/deployment.yaml | 73 ++++++++++++++++-----
 charts/databunker/values.yaml | 2 +-
 terraform/aws/rds.tf | 2 +
 3 files changed, 59 insertions(+), 18 deletions(-)
diff --git a/charts/databunker/templates/deployment.yaml b/charts/databunker/templates/deployment.yaml
index 1bb0a06..4b6cc59 100644
--- a/charts/databunker/templates/deployment.yaml
+++ b/charts/databunker/templates/deployment.yaml
@@ -59,6 +59,40 @@ spec:
 # yamllint enable rule:indentation
 {{- end }}
 initContainers:
+ {{- if not .Values.databunkerSkipInstall }}
+ - name: {{ printf "%s-init" (include "common.names.fullname" .) }}
+ image: {{ template "databunker.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ command: ["/bin/sh"]
+ args: ["-c", "/databunker/bin/databunker -init -db databunkerdb"]
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ env:
+ - name: MYSQL_HOST
+ value: {{ include "databunker.databaseHost" . | quote }}
+ - name: MYSQL_PORT
+ value: {{ include "databunker.databasePort" . | quote }}
+ - name: MYSQL_DATABASE
+ value: {{ include "databunker.databaseName" . | quote }}
+ - name: MYSQL_USER_NAME
+ value: {{ include "databunker.databaseUser" . | quote }}
+ - name: MYSQL_USER_PASS
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "databunker.databaseSecretName" . }}
+ key: {{ include "databunker.databasePasswordKey" . | quote }}
+ - name: DATABUNKER_MASTERKEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "databunker.secretName" . }}
+ key: databunker-masterkey
+ - name: DATABUNKER_ROOTTOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "databunker.secretName" . }}
+ key: databunker-roottoken
+ {{- end }}
 {{- if .Values.initContainers }}
 {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
 {{- end }}
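Review bot: The init container added here still receives the MySQL password, master key and root token through `env` `secretKeyRef` entries, while the same commit moves the main container to file-based `MYSQL_USER_PASS_FILE`/`DATABUNKER_MASTERKEY_FILE` (next hunk), so in the init container the secrets stay in the process environment, are inherited by the `/bin/sh -c` child and can surface in crash or debug output. If the `-init` code path honours the same `_FILE` variables as the server (the diff does not show this, so confirm it), mount the `mysql-user-pass` and `databunker-master-key` volumes declared later in the patch into the init container and drop the two `secretKeyRef` entries as sketched below. The init container also has no `resources` block, so a namespace `LimitRange` or quota that requires limits will reject the whole pod even though the main container takes them from `.Values.resources`; `resources: {{- toYaml .Values.resources | nindent 12 }}` (or a dedicated `initResources` value) would close that gap.
```yaml
          env:
            # … unchanged: MYSQL_HOST, MYSQL_PORT, MYSQL_DATABASE, MYSQL_USER_NAME, DATABUNKER_ROOTTOKEN …
            - name: MYSQL_USER_PASS_FILE
              value: "/opt/databunker/secrets/mysql-user-pass"
            - name: DATABUNKER_MASTERKEY_FILE
              value: "/opt/databunker/secrets/databunker-master-key"
          volumeMounts:
            - name: "mysql-user-pass"
              mountPath: "/opt/databunker/secrets/mysql-user-pass"
              subPath: mysql-user-pass
            - name: "databunker-master-key"
              mountPath: "/opt/databunker/secrets/databunker-master-key"
              subPath: databunker-master-key
```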
@@ -87,23 +121,10 @@ spec:
 value: {{ include "databunker.databaseName" . | quote }}
 - name: MYSQL_USER_NAME
 value: {{ include "databunker.databaseUser" . | quote }}
- - name: MYSQL_USER_PASS
- valueFrom:
- secretKeyRef:
- name: {{ include "databunker.databaseSecretName" . }}
- key: {{ include "databunker.databasePasswordKey" . | quote }}
- - name: SKIP_BOOTSTRAP
- value: {{ ternary "yes" "no" .Values.databunkerSkipInstall | quote }}
- - name: DATABUNKER_MASTERKEY
- valueFrom:
- secretKeyRef:
- name: {{ include "databunker.secretName" . }}
- key: databunker-masterkey
- - name: DATABUNKER_ROOTTOKEN
- valueFrom:
- secretKeyRef:
- name: {{ include "databunker.secretName" . }}
- key: databunker-roottoken
+ - name: MYSQL_USER_PASS_FILE
+ value: "/opt/databunker/secrets/mysql-user-pass"
+ - name: DATABUNKER_MASTERKEY_FILE
+ value: "/opt/databunker/secrets/databunker-master-key"
 - name: ADMIN_EMAIL
 value: {{ .Values.databunkerAdminEmail | quote }}
 {{- if .Values.smtpHost }}
@@ -207,6 +228,12 @@ spec:
 resources: {{- toYaml .Values.resources | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: "databunker-master-key"
+ mountPath: "/opt/databunker/secrets/databunker-master-key"
+ subPath: databunker-master-key
+ - name: "mysql-user-pass"
+ mountPath: "/opt/databunker/secrets/mysql-user-pass"
+ subPath: mysql-user-pass
 {{- include "certificates.volumeMounts" . | nindent 12 }}
 {{- if .Values.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
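Review bot: `DATABUNKER_ROOTTOKEN` is removed from the main container's `env` here with no file-based replacement, whereas `MYSQL_USER_PASS` and `DATABUNKER_MASTERKEY` get `_FILE` equivalents; the diff shows only that the init container still receives the token, not whether the running server reads it, so if it does this is a silent regression that should be confirmed before merge. The two `/opt/databunker/secrets/...` paths are literal here and repeated as `mountPath` values in the `volumeMounts` hunk; defining the directory once near the top of the template, e.g. `{{- $secretsDir := "/opt/databunker/secrets" }}`, and deriving both from it keeps the env value and the mount from drifting apart. The container spec this `env` list belongs to starts and ends outside the hunk.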
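Review bot: Both new mounts use `subPath`, and Kubernetes does not propagate Secret updates into `subPath` mounts, so rotating `databunker-masterkey` or the database password will not reach the running container until the pod is recreated — the rotation benefit that usually motivates file-based secrets is lost. Mounting a single directory instead (`mountPath: "/opt/databunker/secrets"` without `subPath`, backed by one `projected` volume in the `volumes` hunk whose `items[].path` entries supply the two file names) restores live updates; failing that, document in values.yaml that rotation requires a rollout, and note that a checksum annotation on the pod template would trigger one automatically — I cannot see from the diff whether the chart already has one. The volume names are quoted here (`"databunker-master-key"`) but unquoted in the `volumes` hunk; use one form in both places.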
@@ -237,6 +264,18 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: mysql-user-pass
+ secret:
+ secretName: {{ include "databunker.databaseSecretName" . }}
+ items:
+ - key: {{ include "databunker.databasePasswordKey" . | quote }}
+ path: mysql-user-pass
+ - name: databunker-master-key
+ secret:
+ secretName: {{ include "databunker.secretName" . }}
+ items:
+ - key: databunker-masterkey
+ path: databunker-master-key
 {{- include "certificates.volumes" . | indent 8 }}
 {{- if .Values.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
diff --git a/charts/databunker/values.yaml b/charts/databunker/values.yaml
index ff3621e..d24d33c 100644
--- a/charts/databunker/values.yaml
+++ b/charts/databunker/values.yaml
@@ -105,7 +105,7 @@ databunkerAdminEmail: "user@example.com"
 command: ["/bin/sh"]
 ## @param args Override default container args (useful when using custom images)
 ##
-args: ["-c", "/databunker/bin/databunker -init -db databunkerdb; /databunker/bin/databunker -db databunkerdb -conf /databunker/conf/databunker.yaml"]
+args: ["-c", "/databunker/bin/databunker -db databunkerdb -conf /databunker/conf/databunker.yaml"]
 ## @param updateStrategy.type Update strategy - only really applicable for deployments with RWO PVs attached
 ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
 ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
diff --git a/terraform/aws/rds.tf b/terraform/aws/rds.tf
index 81e37a0..1242d10 100644
--- a/terraform/aws/rds.tf
+++ b/terraform/aws/rds.tf
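Review bot: Neither new `secret` volume sets `defaultMode`, so the master key and the database password are written into the container as 0644 files (the Kubernetes default), readable by any process in the pod that runs as a different user, including sidecars rendered from `.Values.sidecars` just above. Set a restrictive mode, and since both files live under the same directory, fold the two sources into one `projected` volume so the container can mount the directory without `subPath` (which also lets Secret rotations reach the running pod); `0440` presumes the chart's pod security context sets `fsGroup`, which I cannot see in the diff — confirm it, or use `0400` with a matching `runAsUser`. The master-key `items[].key` is a plain scalar while the database key goes through `| quote`; use the same form for both.
```yaml
        - name: databunker-secrets
          projected:
            defaultMode: 0440
            sources:
              - secret:
                  name: {{ include "databunker.databaseSecretName" . }}
                  items:
                    - key: {{ include "databunker.databasePasswordKey" . | quote }}
                      path: mysql-user-pass
              - secret:
                  name: {{ include "databunker.secretName" . }}
                  items:
                    - key: databunker-masterkey
                      path: databunker-master-key
        # … unchanged: certificates.volumes include, extraVolumes …
```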
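Review bot: The default `args` no longer runs `-init`, but the `## @param args` comment directly above is unchanged, so a reader of values.yaml cannot tell that schema initialisation now happens in the init container and is skipped when `databunkerSkipInstall` is true; add a line such as `## Initialisation (-init) is performed by the chart's init container unless databunkerSkipInstall is true`. Anyone who has overridden `args` with the previous default will now run `-init` both in the init container and again in the main container on every start; whether that is harmful I cannot tell from the diff, but it deserves a mention in the chart's upgrade notes if it has any.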
@@ -49,7 +49,9 @@ resource "aws_db_instance" "databunkerdb" {
 identifier = "databunkerdb"
 tags = merge({ "Name" = "db-${var.name_suffix}"}, var.resource_tags)
 instance_class = var.ec2_rds_instance_type
+ deletion_protection = var.ec2_rds_deletion_protection
 allocated_storage = 5
+ max_allocated_storage = 1000
 engine = "mysql"
 engine_version = "8.0.25"
 username = "bunkeruser"
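Review bot: `var.ec2_rds_deletion_protection` is referenced here but the patch touches only the three files listed in the diffstat, none of which declares it, so unless the variable already exists in the module `terraform validate` will fail on an undeclared variable; if it has to be added, give it `type = bool` and `default = true` so that turning protection off is an explicit opt-out rather than the default. `max_allocated_storage = 1000` enables RDS storage autoscaling up to 1000 GiB for an instance provisioned with `allocated_storage = 5`, with no operator-visible knob; exposing it as a variable next to `ec2_rds_instance_type` would make that ceiling a deliberate choice. The `aws_db_instance` block continues outside the hunk.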