From 730586fb883ff33fea7544bb2f4bd93dbbab0dd1 Mon Sep 17 00:00:00 2001
From: dtapiacl
Date: Fri, 23 May 2025 10:40:29 -0400
Subject: [PATCH] (openvpn) deploy mariadb operator
---
 fleet/lib/mariadb-operator/fleet.yaml | 20 +++
 .../ruka/ipaddresspool-openvpndb.yaml | 20 +++
 .../yepun/ipaddresspool-openvpndb.yaml | 20 +++
 .../base/external-secret-dockerhub.yaml | 34 +++++
 .../base/external-secret-openvpndb.yaml | 21 +++
 .../openvpn-db-pre/base/kustomization.yaml | 4 +
 .../base/mariadb-headless-service.yaml | 13 ++
 fleet/lib/openvpn-db-pre/fleet.yaml | 6 +
 fleet/lib/openvpn-db/fleet.yaml | 19 +++
 .../overlays/ruka/kustomization.yaml | 2 +
 .../openvpn-db/overlays/ruka/mariadb-cr.yaml | 139 ++++++++++++++++++
 fleet/s/dev/c/ruka/mariadb-operator | 1 +
 fleet/s/dev/c/ruka/openvpn-db | 1 +
 fleet/s/dev/c/ruka/openvpn-db-pre | 1 +
 14 files changed, 301 insertions(+)
 create mode 100644 fleet/lib/mariadb-operator/fleet.yaml
 create mode 100644 fleet/lib/metallb-conf/overlays/ruka/ipaddresspool-openvpndb.yaml
 create mode 100644 fleet/lib/metallb-conf/overlays/yepun/ipaddresspool-openvpndb.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/base/external-secret-dockerhub.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/base/external-secret-openvpndb.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/base/kustomization.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/base/mariadb-headless-service.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/fleet.yaml
 create mode 100644 fleet/lib/openvpn-db/fleet.yaml
 create mode 100644 fleet/lib/openvpn-db/overlays/ruka/kustomization.yaml
 create mode 100644 fleet/lib/openvpn-db/overlays/ruka/mariadb-cr.yaml
 create mode 120000 fleet/s/dev/c/ruka/mariadb-operator
 create mode 120000 fleet/s/dev/c/ruka/openvpn-db
 create mode 120000 fleet/s/dev/c/ruka/openvpn-db-pre
diff --git a/fleet/lib/mariadb-operator/fleet.yaml b/fleet/lib/mariadb-operator/fleet.yaml
new file mode 100644
index 000000000..37c7459e0
--- /dev/null
+++ b/fleet/lib/mariadb-operator/fleet.yaml
@@ -0,0 +1,20 @@
+---
+name: mariadb-operator
+defaultNamespace: &name mariadb-system
+namespaceLabels:
+ lsst.io/discover: "true"
+labels:
+ bundle: *name
+helm:
+ chart: mariadb-operator
+ releaseName: mariadb-operator
+ repo: https://helm.mariadb.com/mariadb-operator
+ version: 0.38.1
+ waitForJobs: true
+ timeoutSeconds: 900
+ values:
+ crds:
+ enabled: true
+ ha:
+ enabled: true
+ replicas: 2
diff --git a/fleet/lib/metallb-conf/overlays/ruka/ipaddresspool-openvpndb.yaml b/fleet/lib/metallb-conf/overlays/ruka/ipaddresspool-openvpndb.yaml
new file mode 100644
index 000000000..ee7c3196f
--- /dev/null
+++ b/fleet/lib/metallb-conf/overlays/ruka/ipaddresspool-openvpndb.yaml
@@ -0,0 +1,20 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: openvpndb
+ namespace: metallb-system
+spec:
+ addresses:
+ - 139.229.134.140/32
+ - 139.229.134.145/32
+ - 139.229.134.146/32
+ autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: openvpndb
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - openvpndb
diff --git a/fleet/lib/metallb-conf/overlays/yepun/ipaddresspool-openvpndb.yaml b/fleet/lib/metallb-conf/overlays/yepun/ipaddresspool-openvpndb.yaml
new file mode 100644
index 000000000..59610acfe
--- /dev/null
+++ b/fleet/lib/metallb-conf/overlays/yepun/ipaddresspool-openvpndb.yaml
@@ -0,0 +1,20 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: openvpndb
+ namespace: metallb-system
+spec:
+ addresses:
+ - 139.229.160.90/32
+ - 139.229.160.91/32
+ - 139.229.160.92/32
+ autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: openvpndb
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - openvpndb
diff --git a/fleet/lib/openvpn-db-pre/base/external-secret-dockerhub.yaml b/fleet/lib/openvpn-db-pre/base/external-secret-dockerhub.yaml
new file mode 100644
index 000000000..8e8d9d726
--- /dev/null
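Review bot: Nothing in this commit consumes the yepun pool: `openvpn-db/fleet.yaml` has only a `ruka` targetCustomization and the `fleet/s/dev/c/ruka/*` symlinks are the only cluster bindings, so 139.229.160.90–92 are reserved in MetalLB with no service behind them. Either add the yepun overlay and binding in this change or leave this file for the commit that does; when that comes, `mariadb-cr.yaml` hard-codes the ruka `loadBalancerIP` values, so the yepun overlay will need its own. In the meantime a header comment such as `# reserved for the openvpn-db MariaDB services; no yepun overlay yet` would make the intent clear.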
+++ b/fleet/lib/openvpn-db-pre/base/external-secret-dockerhub.yaml
@@ -0,0 +1,34 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: dockerhub-secret
+ namespace: openvpn-db
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: dockerhub-secret
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/dockerconfigjson
+ data:
+ .dockerconfigjson: |
+ {
+ "auths": {
+ "docker.io": {
+ "username": "{{ .dockerhub_username }}",
+ "password": "{{ .dockerhub_token }}",
+ "auth": "{{ printf "%s:%s" .dockerhub_username .dockerhub_token | b64enc }}"
+ }
+ }
+ }
+ data:
+ - secretKey: dockerhub_username
+ remoteRef:
+ key: lsstitadmin-docker-hub
+ property: username
+ - secretKey: dockerhub_token
+ remoteRef:
+ key: lsstitadmin-docker-hub
+ property: docker hub api token
diff --git a/fleet/lib/openvpn-db-pre/base/external-secret-openvpndb.yaml b/fleet/lib/openvpn-db-pre/base/external-secret-openvpndb.yaml
new file mode 100644
index 000000000..4c0227d5b
--- /dev/null
+++ b/fleet/lib/openvpn-db-pre/base/external-secret-openvpndb.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: mariadb
+ namespace: openvpn-db
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: mariadb
+ creationPolicy: Owner
+ data:
+ - secretKey: mariadb-root-password
+ remoteRef:
+ key: openvpn-mariadb-credentials
+ property: mariadb-root-password
+ - secretKey: mariadb-replication-password
+ remoteRef:
+ key: openvpn-mariadb-credentials
+ property: mariadb-replication-password
diff --git a/fleet/lib/openvpn-db-pre/base/kustomization.yaml b/fleet/lib/openvpn-db-pre/base/kustomization.yaml
new file mode 100644
index 000000000..bd794f381
--- /dev/null
+++ b/fleet/lib/openvpn-db-pre/base/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+ - external-secret-dockerhub.yaml
+ - external-secret-openvpndb.yaml
+ - mariadb-headless-service.yaml
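Review bot: The pull secret is materialised from the `lsstitadmin-docker-hub` item, whose name suggests an IT-admin Docker Hub account, yet the only image it is used for in this commit is the public `docker.io/library/mariadb:11.4.5` referenced by `mariadb-cr.yaml`; a read-only access token on a dedicated pull-only account (or no pull secret at all, if the anonymous rate limit is acceptable) limits what a compromised `openvpn-db` namespace can do with it. The template also splices `.dockerhub_username` and `.dockerhub_token` into the JSON unescaped, so a token containing `"` or `\` would produce an invalid `.dockerconfigjson`; `"password": {{ .dockerhub_token | quote }},` (dropping the hand-written quotes) keeps it well-formed. A short comment on the `remoteRef` stating which account the item belongs to and why it needs pull rights on Docker Hub would make the later least-privilege review easier.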
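Review bot: `mariadb-cr.yaml` in this commit points both `rootPasswordSecretKeyRef` and the application user's `passwordSecretKeyRef` at the same `mariadb-root-password` key of this secret, so the `mariadb` user the OpenVPN service will connect with effectively holds the root credential. Add a third entry here, e.g. `- secretKey: mariadb-password` with its own `remoteRef.property`, and point `passwordSecretKeyRef.key` in the CR at it. The `mariadb-replication-password` key is synced but nothing in the commit references it (Galera state transfer is driven by `sst: mariabackup` in the CR); either drop it or wire it up so the secret holds only what is actually used.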
diff --git a/fleet/lib/openvpn-db-pre/base/mariadb-headless-service.yaml b/fleet/lib/openvpn-db-pre/base/mariadb-headless-service.yaml
new file mode 100644
index 000000000..aa9fb392f
--- /dev/null
+++ b/fleet/lib/openvpn-db-pre/base/mariadb-headless-service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: mariadb-galera
+ namespace: openvpn-db
+spec:
+ clusterIP: None
+ selector:
+ app.kubernetes.io/name: mariadb
+ ports:
+ - protocol: TCP
+ port: 3306
+ targetPort: 3306
diff --git a/fleet/lib/openvpn-db-pre/fleet.yaml b/fleet/lib/openvpn-db-pre/fleet.yaml
new file mode 100644
index 000000000..d6d309e18
--- /dev/null
+++ b/fleet/lib/openvpn-db-pre/fleet.yaml
@@ -0,0 +1,6 @@
+defaultNamespace: openvpn-db
+labels:
+ bundle: openvpn-db-pre
+name: openvpn-db-pre
+kustomize:
+ dir: base
diff --git a/fleet/lib/openvpn-db/fleet.yaml b/fleet/lib/openvpn-db/fleet.yaml
new file mode 100644
index 000000000..8275168af
--- /dev/null
+++ b/fleet/lib/openvpn-db/fleet.yaml
@@ -0,0 +1,19 @@
+name: openvpn-db
+defaultNamespace: &name openvpn-db
+labels:
+ bundle: *name
+dependsOn:
+ - name: mariadb-operator
+ namespace: mariadb-system
+ - name: openvpn-db-pre
+ namespace: openvpn-db
+targetCustomizations:
+ - name: ruka
+ clusterSelector:
+ matchExpressions:
+ - key: management.cattle.io/cluster-display-name
+ operator: In
+ values:
+ - ruka
+ kustomize:
+ dir: overlays/ruka
diff --git a/fleet/lib/openvpn-db/overlays/ruka/kustomization.yaml b/fleet/lib/openvpn-db/overlays/ruka/kustomization.yaml
new file mode 100644
index 000000000..e47f9182f
--- /dev/null
+++ b/fleet/lib/openvpn-db/overlays/ruka/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - mariadb-cr.yaml
diff --git a/fleet/lib/openvpn-db/overlays/ruka/mariadb-cr.yaml b/fleet/lib/openvpn-db/overlays/ruka/mariadb-cr.yaml
new file mode 100644
index 000000000..005f6b8e7
--- /dev/null
+++ b/fleet/lib/openvpn-db/overlays/ruka/mariadb-cr.yaml
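Review bot: The headless `mariadb-galera` Service does not set `publishNotReadyAddresses: true`, so its DNS name only resolves to pods that already pass readiness; a Galera node that is still joining (and therefore not ready) gets an empty answer for the `gcomm://mariadb-galera.openvpn-db.svc.cluster.local` address written into `mariadb-cr.yaml`, which can stall a bootstrap after a full restart. Add `publishNotReadyAddresses: true` under `spec`. The selector also matches on `app.kubernetes.io/name: mariadb` alone, so any second MariaDB instance in the namespace would be pulled into the cluster address — narrowing it with the instance label the operator sets is safer. The operator normally provisions an internal headless service for Galera membership itself, so this hand-maintained copy may be redundant; worth confirming against the 0.38.1 chart before keeping both.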
@@ -0,0 +1,139 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: MariaDB
+metadata:
+ name: mariadb
+ namespace: openvpn-db
+spec:
+ replicas: 3
+ galera:
+ enabled: true
+ primary:
+ podIndex: 0
+ automaticFailover: true
+ sst: mariabackup
+ rootPasswordSecretKeyRef:
+ name: mariadb
+ key: mariadb-root-password
+ username: mariadb
+ passwordSecretKeyRef:
+ name: mariadb
+ key: mariadb-root-password
+ database: mariadb
+ image: docker.io/library/mariadb:11.4.5
+ imagePullPolicy: IfNotPresent
+ imagePullSecrets:
+ - name: dockerhub-secret
+ storage:
+ size: 100Gi
+ storageClassName: rook-ceph-block
+ connection:
+ secretName: connection-mariadb
+ secretTemplate:
+ key: dsn
+ healthCheck:
+ interval: 10s
+ retryInterval: 3s
+ params:
+ parseTime: "true"
+ myCnf: |
+ [mariadb]
+ bind-address=*
+ skip-name-resolve
+ connect_timeout=30
+ wait_timeout=28800
+ interactive_timeout=28800
+ net_read_timeout=60
+ net_write_timeout=60
+ max_connections=500
+ max_allowed_packet=64M
+ thread_cache_size=100
+ table_open_cache=2048
+ open_files_limit=65535
+ default_storage_engine=InnoDB
+ binlog_format=row
+ innodb_autoinc_lock_mode=2
+ innodb_buffer_pool_size=1024M
+
+ [galera]
+ wsrep_on=ON
+ wsrep_provider=/usr/lib/galera/libgalera_smm.so
+ wsrep_cluster_name=mariadb-galera
+ wsrep_sst_method=mariabackup
+ wsrep_cluster_address=gcomm://mariadb-galera.openvpn-db.svc.cluster.local
+ wsrep_provider_options="gcache.size=512M; gcs.fc_limit=512"
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ env:
+ - name: MARIADB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb
+ key: mariadb-root-password
+ podSecurityContext:
+ runAsUser: 0
+ securityContext:
+ allowPrivilegeEscalation: false
+ livenessProbe:
+ exec:
+ command:
+ - bash
+ - -c
+ - mariadb -u root -p=$MARIADB_ROOT_PASSWORD -e "SELECT 1;"
+ periodSeconds: 10
+ timeoutSeconds: 5
+ readinessProbe:
+ exec:
+ command:
+ - bash
+ - -c
+ - mariadb -u root -p=$MARIADB_ROOT_PASSWORD -e "SELECT 1;"
+ periodSeconds: 10
+ timeoutSeconds: 5
+ startupProbe:
+ exec:
+ command:
+ - bash
+ - -c
+ - mariadb -u root -p=$MARIADB_ROOT_PASSWORD -e "SELECT 1;"
+ failureThreshold: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ podDisruptionBudget:
+ maxUnavailable: 50%
+ updateStrategy:
+ type: ReplicasFirstPrimaryLast
+ service:
+ type: LoadBalancer
+ metadata:
+ annotations:
+ metallb.universe.tf/address-pool: openvpndb
+ loadBalancerIP: 139.229.134.140
+ primaryService:
+ type: LoadBalancer
+ metadata:
+ annotations:
+ metallb.universe.tf/address-pool: openvpndb
+ loadBalancerIP: 139.229.134.145
+ secondaryService:
+ type: LoadBalancer
+ metadata:
+ annotations:
+ metallb.universe.tf/address-pool: openvpndb
+ loadBalancerIP: 139.229.134.146
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: mariadb
+ topologyKey: kubernetes.io/hostname
+ metrics:
+ enabled: true
+ suspend: false
diff --git a/fleet/s/dev/c/ruka/mariadb-operator b/fleet/s/dev/c/ruka/mariadb-operator
new file mode 120000
index 000000000..5e874221a
--- /dev/null
+++ b/fleet/s/dev/c/ruka/mariadb-operator
@@ -0,0 +1 @@
+../../../../lib/mariadb-operator
\ No newline at end of file
diff --git a/fleet/s/dev/c/ruka/openvpn-db b/fleet/s/dev/c/ruka/openvpn-db
new file mode 120000
index 000000000..41cd740b7
--- /dev/null
+++ b/fleet/s/dev/c/ruka/openvpn-db
@@ -0,0 +1 @@
+../../../../lib/openvpn-db
\ No newline at end of file
diff --git a/fleet/s/dev/c/ruka/openvpn-db-pre b/fleet/s/dev/c/ruka/openvpn-db-pre
new file mode 120000
index 000000000..034f2981b
--- /dev/null
+++ b/fleet/s/dev/c/ruka/openvpn-db-pre
@@ -0,0 +1 @@
+../../../../lib/openvpn-db-pre
\ No newline at end of file
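Review bot: All three probes pass the root password as `-p=$MARIADB_ROOT_PASSWORD`, and the mariadb client treats whatever is attached to `-p` as the password itself, so the check most likely authenticates with the literal value `=<password>` and fails; use `mariadb -u root --password="$MARIADB_ROOT_PASSWORD" -e "SELECT 1;"` on all three, or better export the client's `MYSQL_PWD` so the secret is not on a command line visible to every process in the pod. `limits.memory: 1Gi` is no larger than `innodb_buffer_pool_size=1024M` alone, and the `gcache.size=512M` in `wsrep_provider_options` comes on top, so the container will be OOM-killed under load — raise the limit or shrink the pool. The hand-written `[galera]` block in `myCnf` (cluster address, SST method, provider) appears to duplicate what the `galera:` section asks the operator to manage, and `podSecurityContext.runAsUser: 0` runs the database as root; unless there is a documented reason for either, drop them and let the operator's defaults apply. The `service`, `primaryService` and `secondaryService` LoadBalancers put port 3306 on 139.229.134.140/145/146 with no source restriction; add `loadBalancerSourceRanges` to the service templates (or a NetworkPolicy in `openvpn-db`) limited to the OpenVPN hosts that need the database.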