More work on early system setup init containers

2025-04-22 10:03:57 -04:00
parent 1fa2fd3d95
commit 2f28459f9a
9 changed files with 167 additions and 17 deletions
--- a/deploy/30-service-account.yaml
+++ b/deploy/30-service-account.yaml
@@ -0,0 +1,77 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: p5x-api-sa
+  namespace: p5x-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: p5x-api-configmap-role
+  namespace: p5x-system
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["dynamic-kv"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: p5x-api-configmap-binding
+  namespace: p5x-system
+subjects:
+  - kind: ServiceAccount
+    name: p5x-api-sa
+    namespace: p5x-system
+roleRef:
+  kind: Role
+  name: p5x-api-configmap-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-self-read-role
+  namespace: p5x-system
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pod-self-read-binding
+  namespace: p5x-system
+subjects:
+  - kind: ServiceAccount
+    name: p5x-api-sa
+    namespace: p5x-system
+roleRef:
+  kind: Role
+  name: pod-self-read-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-label-read-role
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-label-read-binding
+subjects:
+  - kind: ServiceAccount
+    name: p5x-api-sa
+    namespace: p5x-system
+roleRef:
+  kind: ClusterRole
+  name: node-label-read-role
+  apiGroup: rbac.authorization.k8s.io
--- a/deploy/40-statefulset.yaml
+++ b/deploy/40-statefulset.yaml
@@ -19,11 +19,18 @@ spec:
        app: p5x-api-server
    spec:
      priorityClassName: system-cluster-critical
+
+      # api-server interacts w/ some parts of the K8s API, so bind its service account
+      serviceAccountName: p5x-api-sa
+
      volumes:
+        # Used for the api-server SQLite database et al
        - name: p5x-system-data
          persistentVolumeClaim:
            claimName: system-data
+
      initContainers:
+        # Make sure the p5x-system-data disk exists in PVE and is mounted
        - name: ensure-system-disk
          image: docker.io/glmdev/p5x-api:latest
          envFrom:
@@ -37,6 +44,22 @@ spec:
            - name: RUST_LOG
              value: 'p5x=debug,sqlx=warn,info'
          command: ['/p5x/p5x', 'ensure-system-disk']
+
+        # Transfer the p5x-system-data PVE disk to the correct node, if necessary
+        - name: migrate-system-disk
+          image: docker.io/glmdev/p5x-api:latest
+          envFrom:
+            - secretRef:
+                name: api-env
+          env:
+            - name: P5X_NODE_HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: RUST_LOG
+              value: 'p5x=debug,sqlx=warn,info'
+          command: ['/p5x/p5x', 'migrate-system-disk']
+
      containers:
        - name: api-server
          image: docker.io/glmdev/p5x-api:latest