diff --git a/.gitignore b/.gitignore
old mode 100644
new mode 100755
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
old mode 100644
new mode 100755
diff --git a/.tflint.hcl b/.tflint.hcl
old mode 100644
new mode 100755
diff --git a/IAM.md b/IAM.md
old mode 100644
new mode 100755
diff --git a/LICENSE b/LICENSE
old mode 100644
new mode 100755
diff --git a/README.md b/README.md
old mode 100644
new mode 100755
index 1bec542..1e7f7cd
--- a/README.md
+++ b/README.md
@@ -1,7 +1,10 @@
## MySQL DB
-![squareops_avatar]
-[squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png
+
+
@@ -12,6 +15,7 @@ This module allows you to easily deploy a MySQL database on Kubernetes using Hel
| MysqlDB Helm Chart Version | K8s supported version (EKS, AKS & GKE) |
| :-----: | :--- |
| **9.2.0** | **1.23,1.24,1.25,1.26,1.27** |
+| **10.1.0** | **1.23,1.24,1.25,1.26,1.27,1.28,1.29** |
## Usage Example
@@ -70,7 +74,7 @@ module "mysql" {
namespace = local.namespace
mysqldb_config = {
name = "mysql"
- app_version = "8.0.29-debian-11-r9"
+ app_version = "8.0.36-debian-12-r10"
environment = "prod"
values_yaml = ""
architecture = "replication"
@@ -180,15 +184,15 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [app\_version](#input\_app\_version) | Version of the MySQL application that will be deployed. | `string` | `"8.0.29-debian-11-r9"` | no |
+| [app\_version](#input\_app\_version) | Version of the MySQL application that will be deployed. | `string` | `"8.0.36-debian-12-r10"` | no |
| [azure\_container\_name](#input\_azure\_container\_name) | Azure container name | `string` | `""` | no |
| [azure\_storage\_account\_key](#input\_azure\_storage\_account\_key) | Azure storage account key | `string` | `""` | no |
| [azure\_storage\_account\_name](#input\_azure\_storage\_account\_name) | Azure storage account name | `string` | `""` | no |
| [bucket\_provider\_type](#input\_bucket\_provider\_type) | Choose what type of provider you want (s3, gcs) | `string` | `"gcs"` | no |
-| [chart\_version](#input\_chart\_version) | Version of the Mysql chart that will be used to deploy MySQL application. | `string` | `"9.2.0"` | no |
| [cluster\_name](#input\_cluster\_name) | Specifies the name of the EKS cluster to deploy the MySQL application on. | `string` | `""` | no |
| [create\_namespace](#input\_create\_namespace) | Specify whether or not to create the namespace if it does not already exist. Set it to true to create the namespace. | `string` | `true` | no |
| [custom\_user\_password](#input\_custom\_user\_password) | custom user password for MongoDB | `string` | `""` | no |
+| [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Mysql chart that will be used to deploy MySQL application. | `string` | `"10.1.0"` | no |
| [iam\_role\_arn\_backup](#input\_iam\_role\_arn\_backup) | IAM role ARN for backup (AWS) | `string` | `""` | no |
| [iam\_role\_arn\_restore](#input\_iam\_role\_arn\_restore) | IAM role ARN for restore (AWS) | `string` | `""` | no |
| [metric\_exporter\_pasword](#input\_metric\_exporter\_pasword) | Metric exporter password for MongoDB | `string` | `""` | no |
diff --git a/examples/complete/aws/README.md b/examples/complete/aws/README.md
old mode 100644
new mode 100755
index 9a2ce67..afb9175
--- a/examples/complete/aws/README.md
+++ b/examples/complete/aws/README.md
@@ -22,8 +22,8 @@ No requirements.
| Name | Source | Version |
|------|--------|---------|
-| [aws](#module\_aws) | squareops/mysql/kubernetes//modules/resources/aws | n/a |
-| [mysql](#module\_mysql) | squareops/mysql/kubernetes | n/a |
+| [aws](#module\_aws) | ../../../modules/resources/aws | n/a |
+| [mysql](#module\_mysql) | ../../../ | n/a |
## Resources
diff --git a/examples/complete/aws/helm/values.yaml b/examples/complete/aws/helm/values.yaml
old mode 100644
new mode 100755
index 10c3425..69123b5
--- a/examples/complete/aws/helm/values.yaml
+++ b/examples/complete/aws/helm/values.yaml
@@ -4,7 +4,7 @@ primary:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- - key: "Infra-Services"
+ - key: "Addons-Services"
operator: In
values:
- "true"
@@ -37,7 +37,7 @@ secondary:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- - key: "Infra-Services"
+ - key: "Addons-Services"
operator: In
values:
- "true"
@@ -80,7 +80,7 @@ affinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- - key: "Infra-Services"
+ - key: "Addons-Services"
operator: In
values:
- "true"
@@ -100,4 +100,4 @@ restorejob:
cpu: 100m
limits:
memory: 500Mi
- cpu: 200m
\ No newline at end of file
+ cpu: 200m
diff --git a/examples/complete/aws/main.tf b/examples/complete/aws/main.tf
old mode 100644
new mode 100755
index b5acc13..9e4f347
--- a/examples/complete/aws/main.tf
+++ b/examples/complete/aws/main.tf
@@ -1,15 +1,15 @@
locals {
name = "mysql"
- region = "us-east-2"
+ region = "us-west-2"
environment = "prod"
- additional_tags = {
+ additional_aws_tags = {
Owner = "organization_name"
Expires = "Never"
Department = "Engineering"
}
- create_namespace = false
+ create_namespace = true
namespace = "mysql"
- store_password_to_secret_manager = false
+ store_password_to_secret_manager = true
mysqldb_custom_credentials_enabled = true
mysqldb_custom_credentials_config = {
root_user = "root"
@@ -25,8 +25,9 @@ locals {
}
module "aws" {
- source = "squareops/mysql/kubernetes//modules/resources/aws"
- cluster_name = "cluster-name"
+ # source = "squareops/mysql/kubernetes//modules/resources/aws"
+ source = "../../../modules/resources/aws"
+ eks_cluster_name = ""
environment = local.environment
name = local.name
namespace = local.namespace
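Review bot: The example now passes `eks_cluster_name = ""` to the `aws` module, where it previously used the placeholder `"cluster-name"`. The modules/resources/aws/main.tf hunks show this value feeding `data "aws_eks_cluster"` and `format("%s-%s-%s", var.eks_cluster_name, ...)` for the backup and restore role names, so an empty string cannot resolve a cluster and would yield role names that start with `-`. Keep an obvious placeholder such as `eks_cluster_name = "cluster-name" # must be set to an existing EKS cluster`. The commented-out registry `source` lines here and in the `module "mysql"` hunk below should be removed or explained, since the example now tracks the local tree rather than a released module. The `module "aws"` block continues outside the hunk.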
@@ -37,13 +38,14 @@ module "aws" {
}
module "mysql" {
- source = "squareops/mysql/kubernetes"
+ # source = "squareops/mysql/kubernetes"
+ source = "../../../"
create_namespace = local.create_namespace
namespace = local.namespace
mysqldb_config = {
name = local.name
values_yaml = file("./helm/values.yaml")
- app_version = "8.0.29-debian-11-r9"
+ app_version = "8.0.36-debian-12-r10"
environment = local.environment
architecture = "replication"
custom_database = "test_db"
diff --git a/examples/complete/aws/output.tf b/examples/complete/aws/output.tf
old mode 100644
new mode 100755
diff --git a/examples/complete/aws/provider.tf b/examples/complete/aws/provider.tf
old mode 100644
new mode 100755
index e8957a1..5e86233
--- a/examples/complete/aws/provider.tf
+++ b/examples/complete/aws/provider.tf
@@ -1,7 +1,7 @@
provider "aws" {
region = local.region
default_tags {
- tags = local.additional_tags
+ tags = local.additional_aws_tags
}
}
diff --git a/examples/complete/azure/README.md b/examples/complete/azure/README.md
old mode 100644
new mode 100755
diff --git a/examples/complete/azure/helm/values.yaml b/examples/complete/azure/helm/values.yaml
old mode 100644
new mode 100755
diff --git a/examples/complete/azure/main.tf b/examples/complete/azure/main.tf
old mode 100644
new mode 100755
diff --git a/examples/complete/azure/outputs.tf b/examples/complete/azure/outputs.tf
old mode 100644
new mode 100755
diff --git a/examples/complete/azure/provider.tf b/examples/complete/azure/provider.tf
old mode 100644
new mode 100755
diff --git a/examples/complete/gcp/README.md b/examples/complete/gcp/README.md
old mode 100644
new mode 100755
diff --git a/examples/complete/gcp/helm/values.yaml b/examples/complete/gcp/helm/values.yaml
old mode 100644
new mode 100755
diff --git a/examples/complete/gcp/main.tf b/examples/complete/gcp/main.tf
old mode 100644
new mode 100755
diff --git a/examples/complete/gcp/output.tf b/examples/complete/gcp/output.tf
old mode 100644
new mode 100755
diff --git a/examples/complete/gcp/provider.tf b/examples/complete/gcp/provider.tf
old mode 100644
new mode 100755
diff --git a/helm/values/backup/values.yaml b/helm/values/backup/values.yaml
old mode 100644
new mode 100755
diff --git a/helm/values/mysqldb/values.yaml b/helm/values/mysqldb/values.yaml
old mode 100644
new mode 100755
index a0817c4..fd0345b
--- a/helm/values/mysqldb/values.yaml
+++ b/helm/values/mysqldb/values.yaml
@@ -19,6 +19,14 @@ global:
mysql_metrics_exporter:
password: ${metrics_exporter_password}
+compatibility:
+ ## Compatibility adaptations for Openshift
+ ##
+ openshift:
+ ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+ ##
+ adaptSecurityContext: auto
+
## @section Common parameters
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
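Review bot: The added `compatibility:` block appears to start at column 0, making it a top-level key, while its own `@param` comment documents the path `global.compatibility.openshift.adaptSecurityContext`. If the chart reads the setting from under `global`, this top-level copy is silently ignored and `adaptSecurityContext: auto` has no effect. Indentation is flattened on this page, so confirm against the file. If it is top-level, indent the block so that `compatibility:` becomes a child of the existing `global:` map, matching the documented path.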
@@ -49,6 +57,9 @@ commonLabels:
##
extraDeploy: []
+serviceBindings:
+ enabled: false
+
## Enable diagnostic mode in the deployment
##
diagnosticMode:
@@ -189,18 +200,17 @@ primary:
explicit_defaults_for_timestamp
basedir=/opt/bitnami/mysql
plugin_dir=/opt/bitnami/mysql/lib/plugin
- port=3306
+ port={{ .Values.primary.containerPorts.mysql }}
socket=/opt/bitnami/mysql/tmp/mysql.sock
datadir=/bitnami/mysql/data
tmpdir=/opt/bitnami/mysql/tmp
max_allowed_packet=16M
- bind-address=0.0.0.0
+ bind-address=*
pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
- log_error=/opt/bitnami/mysql/logs/mysqld.log
+ log-error=/opt/bitnami/mysql/logs/mysqld.log
character-set-server=UTF8
collation-server=utf8_general_ci
- slow_query_log=1
- slow_query_log_file=/bitnami/mysql/slow-log.log
+ slow_query_log=0
long_query_time=10.0
[client]
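Review bot: `slow_query_log=0` turns slow-query logging off, and the two config blocks no longer agree. The primary drops `slow_query_log_file`, while the secondary hunk (`@@ -584,12 +607,12 @@`) keeps `slow_query_log_file=/bitnami/mysql/slow-log.log` next to `slow_query_log=0`. Make the blocks consistent and state the intent in the config, e.g. `# slow query log off by default; enable per environment`. `bind-address=*` also listens on IPv6 interfaces where `0.0.0.0` was IPv4 only, so reachability of the MySQL port depends entirely on the Service and any NetworkPolicy; nothing in the diff shows one. The `port={{ .Values.primary.containerPorts.mysql }}` line only resolves if the chart renders `primary.configuration` as a template, which is not visible here.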
@@ -220,6 +230,8 @@ primary:
## @param primary.updateStrategy.type Update strategy type for the MySQL primary statefulset
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
+ containerPorts:
+ mysql: 3306
updateStrategy:
type: RollingUpdate
## @param primary.podAnnotations Additional pod annotations for MySQL primary pods
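Review bot: `containerPorts:` is inserted between the `## @param primary.updateStrategy.type` comment and the `updateStrategy:` key it documents, so that doc comment now sits above the wrong key. Move the two added lines above the comment block and give them their own header, e.g. `## @param primary.containerPorts.mysql Container port for mysql`. The `primary:` map starts outside the hunk.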
@@ -303,6 +315,9 @@ primary:
##
podSecurityContext:
enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
fsGroup: 1001
## MySQL primary container security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
@@ -312,8 +327,16 @@ primary:
##
containerSecurityContext:
enabled: true
+ seLinuxOptions: {}
runAsUser: 1001
+ runAsGroup: 1001
runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## MySQL primary container's resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## We usually recommend not to specify default resources and to leave this as a conscious
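Review bot: `readOnlyRootFilesystem: true` is added while `primary.configuration` in this file still points `log-error`, `pid-file`, `socket` and `tmpdir` at paths under `/opt/bitnami/mysql`. Those paths stay writable only if the chart mounts volumes there, which the diff does not show, so verify that the pod starts and logs with chart 10.1.0 before making this the default. The same settings are added for the secondary (`@@ -703,8 +730,16 @@`) and metrics containers. The new keys also lack the `## @param` lines used by the surrounding file; add one per key, e.g. `## @param primary.containerSecurityContext.readOnlyRootFilesystem Mount the container root filesystem read-only`.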
@@ -584,12 +607,12 @@ secondary:
datadir=/bitnami/mysql/data
tmpdir=/opt/bitnami/mysql/tmp
max_allowed_packet=16M
- bind-address=0.0.0.0
+ bind-address=*
pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
- log_error=/opt/bitnami/mysql/logs/mysqld.log
+ log-error=/opt/bitnami/mysql/logs/mysqld.log
character-set-server=UTF8
collation-server=utf8_general_ci
- slow_query_log=1
+ slow_query_log=0
slow_query_log_file=/bitnami/mysql/slow-log.log
long_query_time=10.0
@@ -693,8 +716,12 @@ secondary:
## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem
##
podSecurityContext:
- enabled: true
- fsGroup: 1001
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+
## MySQL secondary container security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param secondary.containerSecurityContext.enabled MySQL secondary container securityContext
@@ -703,8 +730,16 @@ secondary:
##
containerSecurityContext:
enabled: true
+ seLinuxOptions: {}
runAsUser: 1001
+ runAsGroup: 1001
runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## MySQL secondary container's resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## We usually recommend not to specify default resources and to leave this as a conscious
@@ -953,7 +988,7 @@ serviceAccount:
annotations: {}
## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
##
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
## Role Based Access
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
@@ -1022,8 +1057,8 @@ volumePermissions:
##
image:
registry: docker.io
- repository: bitnami/bitnami-shell
- tag: 11-debian-11-r10
+ repository: bitnami/os-shell
+ tag: 12-debian-12-r18
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
@@ -1054,7 +1089,7 @@ metrics:
image:
registry: docker.io
repository: bitnami/mysqld-exporter
- tag: 0.14.0-debian-11-r9
+ tag: 0.15.1-debian-12-r10
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
@@ -1071,6 +1106,22 @@ metrics:
## @param metrics.service.port MySQL Prometheus Exporter service port
## @param metrics.service.annotations [object] Prometheus exporter service annotations
##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ ## @param metrics.containerPorts.http Container port for http
+ ##
+ containerPorts:
+ http: 9104
service:
type: ClusterIP
port: 9104
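Review bot: The new `containerSecurityContext` and `containerPorts` blocks are inserted after the `## @param metrics.service.*` comments and before `service:`, which separates that documentation from the key it describes. Place the new blocks above the `metrics.service` comment block. Document each security-context key with its own `## @param metrics.containerSecurityContext.*` line, as is already done for `metrics.containerPorts.http`.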
diff --git a/helm/values/restore/values.yaml b/helm/values/restore/values.yaml
old mode 100644
new mode 100755
diff --git a/main.tf b/main.tf
old mode 100644
new mode 100755
index 0c96065..7c53da9
--- a/main.tf
+++ b/main.tf
@@ -10,7 +10,7 @@ resource "helm_release" "mysqldb" {
depends_on = [kubernetes_namespace.mysqldb]
name = "mysqldb"
chart = "mysql"
- version = var.chart_version
+ version = var.helm_chart_version
timeout = 600
namespace = var.namespace
repository = "https://charts.bitnami.com/bitnami"
diff --git a/modules/backup/.helmignore b/modules/backup/.helmignore
old mode 100644
new mode 100755
diff --git a/modules/backup/Chart.yaml b/modules/backup/Chart.yaml
old mode 100644
new mode 100755
diff --git a/modules/backup/templates/backup-secret.yaml b/modules/backup/templates/backup-secret.yaml
old mode 100644
new mode 100755
diff --git a/modules/backup/templates/cronjob.yaml b/modules/backup/templates/cronjob.yaml
old mode 100644
new mode 100755
index 4a94b24..714f0b1
--- a/modules/backup/templates/cronjob.yaml
+++ b/modules/backup/templates/cronjob.yaml
@@ -13,7 +13,7 @@ spec:
spec:
template:
spec:
- affinity:
+ affinity:
{{- toYaml .Values.affinity | nindent 12 }}
restartPolicy: OnFailure
imagePullSecrets:
@@ -44,5 +44,5 @@ spec:
value: "s3"
- name: AWS_DEFAULT_REGION
value: {{ .Values.backup.aws_default_region }}
- resources:
+ resources:
{{- toYaml .Values.backupjob.resources | nindent 14 }}
diff --git a/modules/backup/templates/service_account.yaml b/modules/backup/templates/service_account.yaml
old mode 100644
new mode 100755
diff --git a/modules/resources/aws/README.md b/modules/resources/aws/README.md
old mode 100644
new mode 100755
index 378dd56..f1f217c
--- a/modules/resources/aws/README.md
+++ b/modules/resources/aws/README.md
@@ -35,8 +35,8 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [cluster\_name](#input\_cluster\_name) | Specifies the name of the EKS cluster to deploy the MySQL application on. | `string` | `""` | no |
| [custom\_user\_username](#input\_custom\_user\_username) | n/a | `string` | `""` | no |
+| [eks\_cluster\_name](#input\_eks\_cluster\_name) | Specifies the name of the EKS cluster to deploy the MySQL application on. | `string` | `""` | no |
| [environment](#input\_environment) | Environment in which the infrastructure is being deployed (e.g., production, staging, development) | `string` | `"test"` | no |
| [mysqldb\_custom\_credentials\_config](#input\_mysqldb\_custom\_credentials\_config) | Specify the configuration settings for MySQL to pass custom credentials during creation | `any` |
{| no |
| [mysqldb\_custom\_credentials\_enabled](#input\_mysqldb\_custom\_credentials\_enabled) | Specifies whether to enable custom credentials for MySQL database. | `bool` | `false` | no |
diff --git a/modules/resources/aws/main.tf b/modules/resources/aws/main.tf
old mode 100644
new mode 100755
index 3c97571..169b73e
--- a/modules/resources/aws/main.tf
+++ b/modules/resources/aws/main.tf
@@ -9,7 +9,7 @@ locals {
data "aws_caller_identity" "current" {}
data "aws_eks_cluster" "kubernetes_cluster" {
- name = var.cluster_name
+ name = var.eks_cluster_name
}
resource "random_password" "mysqldb_root_password" {
@@ -70,7 +70,7 @@ resource "aws_secretsmanager_secret_version" "mysql_user_password" {
}
resource "aws_iam_role" "mysql_backup_role" {
- name = format("%s-%s-%s", var.cluster_name, var.name, "mysql-backup")
+ name = format("%s-%s-%s", var.eks_cluster_name, var.name, "mysql-backup")
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
@@ -113,7 +113,7 @@ resource "aws_iam_role" "mysql_backup_role" {
resource "aws_iam_role" "mysql_restore_role" {
- name = format("%s-%s-%s", var.cluster_name, var.name, "mysql-restore")
+ name = format("%s-%s-%s", var.eks_cluster_name, var.name, "mysql-restore")
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
diff --git a/modules/resources/aws/outputs.tf b/modules/resources/aws/outputs.tf
old mode 100644
new mode 100755
diff --git a/modules/resources/aws/variables.tf b/modules/resources/aws/variables.tf
old mode 100644
new mode 100755
index 26f4944..15ab157
--- a/modules/resources/aws/variables.tf
+++ b/modules/resources/aws/variables.tf
@@ -37,7 +37,7 @@ variable "recovery_window_aws_secret" {
description = "Number of days that AWS Secrets Manager will wait before deleting a secret. This value can be set to 0 to force immediate deletion, or to a value between 7 and 30 days to allow for recovery."
}
-variable "cluster_name" {
+variable "eks_cluster_name" {
type = string
default = ""
description = "Specifies the name of the EKS cluster to deploy the MySQL application on."
diff --git a/modules/resources/azure/README.md b/modules/resources/azure/README.md
old mode 100644
new mode 100755
diff --git a/modules/resources/azure/main.tf b/modules/resources/azure/main.tf
old mode 100644
new mode 100755
diff --git a/modules/resources/azure/outputs.tf b/modules/resources/azure/outputs.tf
old mode 100644
new mode 100755
diff --git a/modules/resources/azure/variables.tf b/modules/resources/azure/variables.tf
old mode 100644
new mode 100755
diff --git a/modules/resources/gcp/README.md b/modules/resources/gcp/README.md
old mode 100644
new mode 100755
diff --git a/modules/resources/gcp/main.tf b/modules/resources/gcp/main.tf
old mode 100644
new mode 100755
diff --git a/modules/resources/gcp/outputs.tf b/modules/resources/gcp/outputs.tf
old mode 100644
new mode 100755
diff --git a/modules/resources/gcp/variables.tf b/modules/resources/gcp/variables.tf
old mode 100644
new mode 100755
diff --git a/modules/restore/.helmignore b/modules/restore/.helmignore
old mode 100644
new mode 100755
diff --git a/modules/restore/Chart.yaml b/modules/restore/Chart.yaml
old mode 100644
new mode 100755
diff --git a/modules/restore/templates/job.yaml b/modules/restore/templates/job.yaml
old mode 100644
new mode 100755
diff --git a/modules/restore/templates/restore-secret.yaml b/modules/restore/templates/restore-secret.yaml
old mode 100644
new mode 100755
diff --git a/modules/restore/templates/service_account.yaml b/modules/restore/templates/service_account.yaml
old mode 100644
new mode 100755
diff --git a/output.tf b/output.tf
old mode 100644
new mode 100755
diff --git a/variables.tf b/variables.tf
old mode 100644
new mode 100755
index c45bbf6..3b14aed
--- a/variables.tf
+++ b/variables.tf
@@ -39,13 +39,13 @@ variable "mysqldb_custom_credentials_config" {
variable "app_version" {
type = string
- default = "8.0.29-debian-11-r9"
+ default = "8.0.36-debian-12-r10"
description = "Version of the MySQL application that will be deployed."
}
-variable "chart_version" {
+variable "helm_chart_version" {
type = string
- default = "9.2.0"
+ default = "10.1.0"
description = "Version of the Mysql chart that will be used to deploy MySQL application."
}
"custom_user_password": "",
"custom_username": "",
"exporter_password": "",
"exporter_user": "",
"replication_password": "",
"replication_user": "",
"root_password": "",
"root_user": ""
}