fix: pvc mount permission (#70)

* fix: pvc mount permission
- add job to fix permission if needed
- update storage capacity
- update cronjob manifest

* fix: update manifest of tenangdb
- fix permission issue at mounted pvc
- remove unused env var
- combine pvc from 3 to 1

* feat: update configmap

Author: abdullahainun

k8s/README.md

@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: backup-explorer
+  namespace: tenangdb
+  labels:
+    app: tenangdb
+    component: explorer
+spec:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
+  containers:
+  - name: explorer
+    image: busybox
+    command: ['sleep', 'infinity']
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: RuntimeDefault
+    volumeMounts:
+    - name: data
+      mountPath: /data
+      readOnly: true
+    resources:
+      requests:
+        memory: "16Mi"
+        cpu: "10m"
+      limits:
+        memory: "64Mi"
+        cpu: "50m"
+  volumes:
+  - name: data
+    persistentVolumeClaim:
+      claimName: pvc-tenangdb-data
+  restartPolicy: Never
+
+---
+# Instructions for usage:
+# 1. Enable this manifest: mv backup-explorer.yaml.disabled backup-explorer.yaml
+# 2. Deploy: kubectl apply -f backup-explorer.yaml
+# 3. Access files: kubectl exec -it backup-explorer -n tenangdb -- ls -la /data
+# 4. Copy files: kubectl cp tenangdb/backup-explorer:/data/backups/database/date ./local-backup
+# 5. Cleanup: kubectl delete -f backup-explorer.yaml

k8s/backup-explorer.yaml.disabled

@@ -30,7 +30,7 @@ data:
     
     # Backup storage and database selection
     backup:
-      output_dir: /backups
+      directory: /data/backups
       databases:
         - production_db
         - analytics_db
@@ -40,20 +40,17 @@ data:
     
     # Cloud upload configuration
     upload:
-      enabled: true
-      destination: "s3:your-backup-bucket/tenangdb"  # Configure your cloud storage
-      rclone_path: /usr/local/bin/rclone
+      enabled: false
+      destination: "s3:your-backup-bucket/tenangdb"
       timeout: 300
       retry_count: 3
     
     # Frequency checking (requires persistent volume)
     frequency:
       enabled: true
       interval: 24h
-      tracking_file: /tmp/tenangdb/backup_tracking.json
     
     # Logging settings
     logging:
       level: info
-      format: json  # JSON format for better Kubernetes log integration
-      output_file: /var/log/tenangdb/tenangdb.log
+      format: json

k8s/configmap.yaml

@@ -8,8 +8,8 @@ metadata:
 spec:
   # Schedule: Daily at 2 AM
   schedule: "0 2 * * *"
-  failedJobsHistoryLimit: 3        # This should be here
-  successfulJobsHistoryLimit: 3    # This should be here
+  failedJobsHistoryLimit: 3
+  successfulJobsHistoryLimit: 3
   # Timezone (optional, requires Kubernetes 1.25+)
   timeZone: "Asia/Jakarta"
 
@@ -31,6 +31,7 @@ spec:
             runAsUser: 1001
             runAsGroup: 1001
             fsGroup: 1001
+            fsGroupChangePolicy: "OnRootMismatch"
 
           containers:
           - name: tenangdb
@@ -39,40 +40,17 @@ spec:
 
             # Command - use the main binary
             command: ["/tenangdb"]
-            args: ["backup"]
+            args: ["backup", "--force", "--config", "/config.yaml"]
 
-            # Environment variables from secrets
-            env:
-            - name: MYSQL_USER
-              valueFrom:
-                secretKeyRef:
-                  name: tenangdb-secrets
-                  key: MYSQL_USER
-            - name: MYSQL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: tenangdb-secrets
-                  key: MYSQL_PASSWORD
-            # Optional: Cloud storage credentials
-            - name: RCLONE_CONFIG
-              valueFrom:
-                secretKeyRef:
-                  name: tenangdb-secrets
-                  key: RCLONE_CONFIG
-                  optional: true
 
             # Volume mounts
             volumeMounts:
             - name: config
               mountPath: /config.yaml
               subPath: config.yaml
               readOnly: true
-            - name: backups
-              mountPath: /backups
-            - name: tracking
-              mountPath: /tmp/tenangdb
-            - name: logs
-              mountPath: /var/log/tenangdb
+            - name: data
+              mountPath: /data
 
             # Resource limits
             resources:
@@ -82,124 +60,70 @@ spec:
               limits:
                 memory: "2Gi"
                 cpu: "2000m"
-            
-            # Liveness and readiness probes (optional)
-            # livenessProbe:
-            #   exec:
-            #     command:
-            #     - /bin/sh
-            #     - -c
-            #     - "pgrep -f tenangdb || exit 1"
-            #   initialDelaySeconds: 30
-            #   periodSeconds: 60
 
           volumes:
           - name: config
             configMap:
               name: tenangdb-config
-          - name: backups
-            persistentVolumeClaim:
-              claimName: pvc-tenangdb-backups
-          - name: tracking
+          - name: data
             persistentVolumeClaim:
-              claimName: pvc-tenangdb-tracking
-          - name: logs
-            persistentVolumeClaim:
-              claimName: pvc-tenangdb-logs
-          
-          # Optional: Node selector for dedicated backup nodes
-          # nodeSelector:
-          #   backup-node: "true"
-          
-          # Optional: Tolerations for dedicated backup nodes
-          # tolerations:
-          # - key: "backup-only"
-          #   operator: "Equal"
-          #   value: "true"
-          #   effect: "NoSchedule"
+              claimName: pvc-tenangdb-data
 
 ---
 # Optional: Manual backup job template
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: tenangdb-manual-backup
-  namespace: tenangdb
-  labels:
-    app: tenangdb
-    job-type: manual
-spec:
-  template:
-    metadata:
-      labels:
-        app: tenangdb
-        job-type: manual
-    spec:
-      serviceAccountName: tenangdb
-      restartPolicy: Never
+# apiVersion: batch/v1
+# kind: Job
+# metadata:
+#   name: tenangdb-manual-backup
+#   namespace: tenangdb
+#   labels:
+#     app: tenangdb
+#     job-type: manual
+# spec:
+#   template:
+#     metadata:
+#       labels:
+#         app: tenangdb
+#         job-type: manual
+#     spec:
+#       serviceAccountName: tenangdb
+#       restartPolicy: Never
 
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1001
-        runAsGroup: 1001
-        fsGroup: 1001
+#       securityContext:
+#         runAsNonRoot: true
+#         runAsUser: 1001
+#         runAsGroup: 1001
+#         fsGroup: 1001
+#         fsGroupChangePolicy: "OnRootMismatch"
 
-      containers:
-      - name: tenangdb
-        image: ghcr.io/abdullahainun/tenangdb:latest
-        imagePullPolicy: Always
-        
-        command: ["/tenangdb"]
-        args: ["backup", "--force"]  # Force backup even if frequency check fails
+#       containers:
+#       - name: tenangdb
+#         image: ghcr.io/abdullahainun/tenangdb:latest
+#         imagePullPolicy: Always
 
-        env:
-        - name: MYSQL_USER
-          valueFrom:
-            secretKeyRef:
-              name: tenangdb-secrets
-              key: MYSQL_USER
-        - name: MYSQL_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: tenangdb-secrets
-              key: MYSQL_PASSWORD
-        - name: RCLONE_CONFIG
-          valueFrom:
-            secretKeyRef:
-              name: tenangdb-secrets
-              key: RCLONE_CONFIG
-              optional: true
+#         command: ["/tenangdb"]
+#         args: ["backup", "--force", "--config", "/config.yaml"]  # Force backup even if frequency check fails    
 
-        volumeMounts:
-        - name: config
-          mountPath: /config.yaml
-          subPath: config.yaml
-          readOnly: true
-        - name: backups
-          mountPath: /backups
-        - name: tracking
-          mountPath: /tmp/tenangdb
-        - name: logs
-          mountPath: /var/log/tenangdb
+#         volumeMounts:
+#         - name: config
+#           mountPath: /config.yaml`
+#           subPath: config.yaml
+#           readOnly: true
+#         - name: backups
+#           mountPath: /backups
 
-        resources:
-          requests:
-            memory: "512Mi"
-            cpu: "500m"
-          limits:
-            memory: "2Gi"
-            cpu: "2000m"
+#         resources:
+#           requests:
+#             memory: "512Mi"
+#             cpu: "500m"
+#           limits:
+#             memory: "2Gi"
+#             cpu: "2000m"
 
-      volumes:
-      - name: config
-        configMap:
-          name: tenangdb-config
-      - name: backups
-        persistentVolumeClaim:
-          claimName: pvc-tenangdb-backups
-      - name: tracking
-        persistentVolumeClaim:
-          claimName: pvc-tenangdb-tracking
-      - name: logs
-        persistentVolumeClaim:
-          claimName: pvc-tenangdb-logs
+#       volumes:
+#       - name: config
+#         configMap:
+#           name: tenangdb-config
+#       - name: backups
+#         persistentVolumeClaim:
+#           claimName: pvc-tenangdb-backups

k8s/cronjob.yaml

@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tenangdb-privileged
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: fix-tenangdb-permissions
+  namespace: tenangdb-privileged
+spec:
+  template:
+    spec:
+      hostPID: true
+      containers:
+      - name: fix-permissions
+        image: busybox
+        command: 
+        - sh
+        - -c
+        - |
+          mkdir -p /host/var/lib/tenangdb/data/backups
+          mkdir -p /host/var/lib/tenangdb/data/metrics
+          mkdir -p /host/var/lib/tenangdb/data/logs
+          chown -R 1001:1001 /host/var/lib/tenangdb/data
+          chmod -R 775 /host/var/lib/tenangdb/data
+          echo "Single PVC permissions fixed for /data structure"
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: host-var
+          mountPath: /host/var
+      volumes:
+      - name: host-var
+        hostPath:
+          path: /var
+      restartPolicy: Never
+      nodeSelector:
+        kubernetes.io/hostname: homelab-k8s-worker-2

k8s/fix-permissions-job.yaml.disabled

@@ -10,7 +10,6 @@ resources:
 - namespace.yaml
 - rbac.yaml
 - configmap.yaml
-- secret.yaml
 - pv.yaml
 - pvc.yaml
 - cronjob.yaml