forked from k-space/kube
mongodb is all external
This commit is contained in:
@@ -8,29 +8,14 @@ With ArgoCD. Render it locally:
|
||||
kustomize build . --enable-helm
|
||||
```
|
||||
|
||||
|
||||
To update RBAC rules:
|
||||
|
||||
```
|
||||
curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/role.yaml > mongodb-support.yml
|
||||
echo "---" >> mongodb-support.yml
|
||||
curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/role_binding.yaml >> mongodb-support.yml
|
||||
echo "---" >> mongodb-support.yml
|
||||
curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/role_binding_database.yaml >> mongodb-support.yml
|
||||
echo "---" >> mongodb-support.yml
|
||||
curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/role_database.yaml >> mongodb-support.yml
|
||||
echo "---" >> mongodb-support.yml
|
||||
curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/service_account.yaml >> mongodb-support.yml
|
||||
echo "---" >> mongodb-support.yml
|
||||
curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/service_account_database.yaml >> mongodb-support.yml
|
||||
```
|
||||
|
||||
# Instantiating databases
|
||||
|
||||
For each application:
|
||||
For each application include mongodb-netpol.yaml and kustomization in resources:
|
||||
```yaml
|
||||
resources:
|
||||
- https://git.k-space.ee/k-space/kube//mongodb-operator/mongodb-netpol.yaml
|
||||
- https://github.com/mongodb/mongodb-kubernetes-operator//config/rbac/?ref=v0.13.0
|
||||
```
|
||||
|
||||
```
|
||||
ln -s ../mongodb/mongo-support.yml
|
||||
kubectl apply -f mongo-support.yml
|
||||
kubectl create secret generic -n default mongodb-application-user-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
|
||||
kubectl create secret generic -n <application> mongodb-application-user-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
|
||||
```
|
||||
|
||||
25
mongodb-operator/mongodb-netpol.yml
Normal file
25
mongodb-operator/mongodb-netpol.yml
Normal file
@@ -0,0 +1,25 @@
|
||||
# Allow any pod in this namespace to connect to MongoDB and
|
||||
# allow cluster members to talk to eachother
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: mongodb-operator
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: mongodb-svc
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector: {}
|
||||
ports:
|
||||
- port: 27017
|
||||
egress:
|
||||
- to:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: mongodb-svc
|
||||
ports:
|
||||
- port: 27017
|
||||
@@ -1,126 +0,0 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: mongodb-kubernetes-operator
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
- services
|
||||
- configmaps
|
||||
- secrets
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apps
|
||||
resources:
|
||||
- statefulsets
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mongodbcommunity.mongodb.com
|
||||
resources:
|
||||
- mongodbcommunity
|
||||
- mongodbcommunity/status
|
||||
- mongodbcommunity/spec
|
||||
- mongodbcommunity/finalizers
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- list
|
||||
- update
|
||||
- watch
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: mongodb-kubernetes-operator
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: mongodb-kubernetes-operator
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: mongodb-kubernetes-operator
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: mongodb-database
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: mongodb-database
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: mongodb-database
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: mongodb-database
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- patch
|
||||
- delete
|
||||
- get
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: mongodb-kubernetes-operator
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: mongodb-database
|
||||
---
|
||||
# Allow any pod in this namespace to connect to MongoDB and
|
||||
# allow cluster members to talk to eachother
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: mongodb-operator
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: mongodb-svc
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector: {}
|
||||
ports:
|
||||
- port: 27017
|
||||
egress:
|
||||
- to:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: mongodb-svc
|
||||
ports:
|
||||
- port: 27017
|
||||
Reference in New Issue
Block a user