kptdev · yuwenma · Aug 1, 2022
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: create-secrets
+  namespace: example
+subjects:
+- kind: ServiceAccount
+  name: mariadb
+  namespace: example
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: create-secrets
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: create-secrets
+  namespace: example
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - create
+    - get
+    - delete
@@ -6,4 +6,4 @@ metadata:
   namespace: example
   labels:
     app.kubernetes.io/name: mariadb
-automountServiceAccountToken: false
+automountServiceAccountToken: true
@@ -14,8 +14,15 @@ spec:
     type: RollingUpdate
   template:
     spec:
+      serviceAccountName: mariadb
       securityContext:
         fsGroup: 1001
+      initContainers:
+      - name: create-secret
+        image: gcr.io/kpt-fn-demo/yuwenma-secret:v0.6
+        env:
+        - name: SECRET_NAME
+          value: mariadb
       containers:
         - name: mariadb
           image: docker.io/bitnami/mariadb:10.6.7-debian-10-r62
@@ -32,9 +39,51 @@ spec:
               value: bitnami_ghost
             - name: ALLOW_EMPTY_PASSWORD
               value: "true"
+            - name: MARIADB_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mariadb
+                  key: mariadb-root-password
+            - name: MARIADB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mariadb
+                  key: mariadb-password
           ports:
             - name: mysql
               containerPort: 3306
+          livenessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 120
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+            exec:
+              command:
+              - /bin/bash
+              - -ec
+              - |
+                password_aux="${MARIADB_ROOT_PASSWORD:-}"
+                if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
+                    password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
+                fi
+                mysqladmin status -uroot -p"${password_aux}"
+          readinessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+            exec:
+              command:
+              - /bin/bash
+              - -ec
+              - |
+                password_aux="${MARIADB_ROOT_PASSWORD:-}"
+                if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
+                    password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
+                fi
+                mysqladmin status -uroot -p"${password_aux}"
           resources:
             limits: {}
             requests: {}

@@ -0,0 +1,9 @@
+FROM ubuntu:18.04
+
+RUN apt-get update && \
+    apt-get install -y wget sudo curl openssh-client
+
+COPY run.sh .
+RUN chmod 0555 ./run.sh
+
+CMD ["./run.sh"]
@@ -0,0 +1,29 @@
+#!/bin/bash
+# Point to the internal API server hostname
+APISERVER=https://kubernetes.default.svc
+# Path to ServiceAccount token
+SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+# Read this Pod's namespace
+NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
+# Read the ServiceAccount bearer token
+TOKEN=$(cat ${SERVICEACCOUNT}/token)
+# Reference the internal certificate authority (CA)
+CACERT=${SERVICEACCOUNT}/ca.crt
+
+secret=$(cat <<EOF
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ${SECRET_NAME}
+  namespace: ${NAMESPACE}
+type: Opaque
+data:
+  mariadb-root-password: "dE5JbEpVMlpUUQ=="
+  mariadb-password: "bk9WRjJaOWVuaw=="
+EOF
+)
+
+echo ${secret}
+curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/yaml" -d "${secret}" -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets
+