in oracle/controllers/resources.go [390:596]
func NewPodTemplate(sp StsParams, inst v1alpha1.Instance) corev1.PodTemplateSpec {
cdbName := inst.Spec.CDBName
DBDomain := GetDBDomain(&inst)
labels := map[string]string{
"instance": sp.Inst.Name,
"statefulset": sp.StsName,
"task-type": DatabaseTaskType,
}
// Set default safeguard memory if the database resource is not specified.
dbResource := sp.Inst.Spec.DatabaseResources
if dbResource.Requests == nil {
dbResource.Requests = corev1.ResourceList{}
}
if dbResource.Requests.Memory() == nil {
sp.Log.Info("NewPodTemplate: No memory request found for DB. Setting default safeguard memory", "SafeMinMemoryForDBContainer", safeMinMemoryForDBContainer)
dbResource.Requests[corev1.ResourceMemory] = resource.MustParse(safeMinMemoryForDBContainer)
}
// Kind cluster can only use local images
imagePullPolicy := corev1.PullAlways
if sp.Config != nil && sp.Config.Spec.Platform == utils.PlatformKind {
imagePullPolicy = corev1.PullIfNotPresent
}
sp.Log.Info("NewPodTemplate: creating new template with images", "images", sp.Images)
dataDiskPVC, dataDiskMountName := GetPVCNameAndMount(sp.Inst.Name, "DataDisk")
containers := []corev1.Container{
{
Name: dbContainerName,
Resources: dbResource,
Image: sp.Images["service"],
Command: []string{fmt.Sprintf("%s/init_container.sh", scriptDir)},
Env: []corev1.EnvVar{
{
Name: "SCRIPTS_DIR",
Value: scriptDir,
},
{
Name: "PROVISIONDONE_FILE",
Value: consts.ProvisioningDoneFile,
},
},
Args: []string{cdbName, DBDomain},
Ports: []corev1.ContainerPort{
{Name: "secure-listener", Protocol: "TCP", ContainerPort: consts.SecureListenerPort},
{Name: "ssl-listener", Protocol: "TCP", ContainerPort: consts.SSLListenerPort},
},
VolumeMounts: append([]corev1.VolumeMount{
{Name: "var-tmp", MountPath: "/var/tmp"},
{Name: "agent-repo", MountPath: "/agents"},
{Name: podInfoVolume, MountPath: podInfoDir, ReadOnly: true},
},
buildPVCMounts(sp)...),
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: &sp.PrivEscalation,
Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"NET_RAW"}},
},
EnvFrom: []corev1.EnvFromSource{
{
ConfigMapRef: &corev1.ConfigMapEnvSource{LocalObjectReference: corev1.LocalObjectReference{Name: sp.ConfigMap.ObjectMeta.Name}},
},
},
ImagePullPolicy: imagePullPolicy,
},
{
Name: "dbdaemon",
Image: sp.Images["service"],
Command: []string{fmt.Sprintf("%s/init_dbdaemon.sh", scriptDir)},
Args: []string{cdbName},
Ports: []corev1.ContainerPort{
{Name: "dbdaemon", Protocol: "TCP", ContainerPort: consts.DefaultDBDaemonPort},
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: &sp.PrivEscalation,
Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"NET_RAW"}},
},
VolumeMounts: append([]corev1.VolumeMount{
{Name: "var-tmp", MountPath: "/var/tmp"},
{Name: "agent-repo", MountPath: "/agents"},
{Name: podInfoVolume, MountPath: podInfoDir},
},
buildPVCMounts(sp)...),
ImagePullPolicy: imagePullPolicy,
},
{
Name: "alert-log-sidecar",
Image: sp.Images["logging_sidecar"],
Command: []string{"/logging_main"},
Args: []string{"--logType=ALERT"},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: &sp.PrivEscalation,
Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"NET_RAW"}},
},
VolumeMounts: []corev1.VolumeMount{
{Name: dataDiskPVC, MountPath: fmt.Sprintf("/%s", dataDiskMountName)},
{Name: podInfoVolume, MountPath: podInfoDir, ReadOnly: true},
},
ImagePullPolicy: imagePullPolicy,
},
{
Name: "listener-log-sidecar",
Image: sp.Images["logging_sidecar"],
Command: []string{"/logging_main"},
Args: []string{"--logType=LISTENER"},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: &sp.PrivEscalation,
Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"NET_RAW"}},
},
VolumeMounts: []corev1.VolumeMount{
{Name: dataDiskPVC, MountPath: fmt.Sprintf("/%s", dataDiskMountName)},
{Name: podInfoVolume, MountPath: podInfoDir, ReadOnly: true},
},
ImagePullPolicy: imagePullPolicy,
},
}
initContainers := []corev1.Container{
{
Name: "dbinit",
Image: sp.Images["dbinit"],
Command: []string{"sh", "-c", "cp -r agent_repo/. /agents/ && chmod -R 750 /agents/*"},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: &sp.PrivEscalation,
Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"NET_RAW"}},
},
VolumeMounts: []corev1.VolumeMount{
{Name: "agent-repo", MountPath: "/agents"},
},
ImagePullPolicy: imagePullPolicy,
},
}
volumes := []corev1.Volume{
{
Name: "var-tmp",
VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
},
{
Name: "agent-repo",
VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
},
{
Name: podInfoVolume,
VolumeSource: corev1.VolumeSource{DownwardAPI: &corev1.DownwardAPIVolumeSource{
Items: []corev1.DownwardAPIVolumeFile{{
Path: podInfoMemRequestSubPath,
ResourceFieldRef: &corev1.ResourceFieldSelector{
ContainerName: dbContainerName,
Resource: "requests.memory",
Divisor: resource.MustParse("1Mi"),
},
},
},
}},
},
}
uid := sp.Inst.Spec.DatabaseUID
if uid == nil {
sp.Log.Info("set pod user ID to default value", "UID", DefaultUID)
// consts are not addressable
uid = func(i int64) *int64 { return &i }(DefaultUID)
}
gid := sp.Inst.Spec.DatabaseGID
if gid == nil {
sp.Log.Info("set pod group ID to default value", "GID", DefaultGID)
// consts are not addressable
gid = func(i int64) *int64 { return &i }(DefaultGID)
}
// for minikube/kind, the default csi-hostpath-driver mounts persistent volumes writable by root only, so explicitly
// change owner and permissions of mounted pvs with an init container.
if sp.Config != nil && (sp.Config.Spec.Platform == utils.PlatformMinikube || sp.Config.Spec.Platform == utils.PlatformKind) {
initContainers = addHostpathInitContainer(sp, initContainers, *uid, *gid)
}
podSpec := corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
RunAsUser: uid,
RunAsGroup: gid,
FSGroup: gid,
RunAsNonRoot: func(b bool) *bool { return &b }(true),
},
// ImagePullSecrets: []corev1.LocalObjectReference {{Name: GcrSecretName }},
Containers: containers,
InitContainers: initContainers,
ShareProcessNamespace: func(b bool) *bool { return &b }(true),
// ServiceAccountName:
// TerminationGracePeriodSeconds:
Tolerations: inst.Spec.PodSpec.Tolerations,
Volumes: volumes,
Affinity: inst.Spec.PodSpec.Affinity,
}
// TODO(bdali): consider adding priority class name, secret mount.
return corev1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Labels: labels,
Namespace: sp.Namespace,
// Annotations: annotations,
},
Spec: podSpec,
}
}