in mysqloperator/controller/innodbcluster/cluster_api.py [0:0]
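def _add_container_to_sts_spec(self, sts: Union[dict, api_client.V1StatefulSet], patcher: 'InnoDBClusterObjectModifier', add: bool, logger: Logger) -> None:
    """Build this object's container definition and patch it into a StatefulSet.

    The container entry (image, args, security context, env, ports and
    volume mounts) is assembled from attributes of ``self`` and handed to
    ``patch_sts_spec_template_complex_attribute`` under the "containers" key.

    Args:
        sts: StatefulSet to patch, as a dict or a V1StatefulSet object.
        patcher: Object modifier passed through to the patch helper.
        add: Passed through to the patch helper unchanged.
        logger: Not used by this method's body.
    """
    # Build a new list rather than using `+=`: an in-place extend would append
    # the flag to self.options itself, so every further call would add another
    # copy of "--web.config.file" to the container args.
    options = self.options
    if self.web_config:
        options = options + ["--web.config.file=/config/web.config"]

    # The run directory is always mounted; the DATA_SOURCE_NAME below points at
    # the MySQL unix socket under the same path.
    mounts = [
        {
            "name": "rundir",
            "mountPath": "/var/run/mysqld",
        }
    ]
    if self.web_config:
        # Read-only mount backing the --web.config.file path added above.
        mounts.append(
            {
                "name": f"{self.container_name}-web-config",
                "mountPath": "/config",
                "readOnly": True,
            }
        )
    if self.tls_secret:
        # TLS material is mounted read-only under /tls.
        mounts.append(
            {
                "name": f"{self.container_name}-tls",
                "mountPath": "/tls",
                "readOnly": True,
            }
        )

    patch = {
        "containers": [
            {
                "name": self.container_name,
                "image": self.image,
                "imagePullPolicy": "IfNotPresent",  # TODO: should be self.sidecar_image_pull_policy
                "args": options,
                # These can't go to spec.template.spec.securityContext
                # See: https://pkg.go.dev/k8s.io/api@v0.26.1/core/v1#PodTemplateSpec / https://pkg.go.dev/k8s.io/api@v0.26.1/core/v1#PodSpec
                # See: https://pkg.go.dev/k8s.io/api@v0.26.1/core/v1#PodSecurityContext - for pods (top level)
                # See: https://pkg.go.dev/k8s.io/api@v0.26.1/core/v1#Container
                # See: https://pkg.go.dev/k8s.io/api@v0.26.1/core/v1#SecurityContext - for containers
                # NOTE(review): runAsNonRoot and seccompProfile are not set here;
                # left as-is so the generated patch stays identical - consider adding.
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "privileged": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {
                        "drop": ["ALL"]
                    },
                    # We must use same user id as auth_socket expects
                    "runAsUser": 2,
                    "runAsGroup": 27,
                },
                "env": [
                    # For BC with pre-0.15.0. 0.15.0+ will use the configuration file and skip the env totally
                    # The DSN carries no password (nothing after the colon) and
                    # targets the unix socket; presumably access then rests on
                    # the auth_socket UID match noted above - confirm.
                    {
                        "name": "DATA_SOURCE_NAME",
                        "value": f"{self.dbuser_name}:@unix(/var/run/mysqld/mysql.sock)/"
                    }
                ],
                "ports": [
                    {
                        "name": self.container_name,
                        "containerPort": self.port,
                        "protocol": "TCP",
                    }
                ],
                "volumeMounts": mounts,
            }
        ]
    }
    patch_sts_spec_template_complex_attribute(sts, patcher, patch, "containers", add)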