janhoy/patch.yaml Secret

## patch.yaml
# Cluster role used for getting node label to inject into the POD
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole

metadata:
  name: release-name-node-labels

rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

metadata:
  name: release-name-node-labels-binding

roleRef:
  kind: ClusterRole
  name: release-name-node-labels
  apiGroup: rbac.authorization.k8s.io

subjects:
  - kind: ServiceAccount
    name: release-name-solr
    namespace: default
---
apiVersion: solr.apache.org/v1beta1
kind: SolrCloud
metadata:
  name: release-name
  labels:
    app.kubernetes.io/name: solr
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "9.3.0"
spec:
  customSolrKubeOptions:
    podOptions:
      envVars:
      - name: SOLR_INCLUDE
        value: /path/to/solr/home/k8s/node.sh
      podSecurityContext:
        # Change fsGroup to allow the jq-curl-bash-alpine-edge image access to token, since it runs as 'nobody / 65534'
        fsGroup: 65534
        runAsNonRoot: true
      volumes:
        # Volume for node properties that will hold the script for setting availability_zone property
        - name: kube-node-info
          defaultContainerMount:
            mountPath: /path/to/solr/home/k8s
            name: kube-node-info
          source:
            emptyDir: {}
      initContainers:
        # Fetch node's properties from k8s api and propagate it into sysprop availability_zone for affinity plugin to consume
        - name: k8s-node-label-fetcher
          image: "docker.io/vakaobr/jq-curl-bash-alpine-edge:20220811"
          command: ["sh", "-c", "curl -s \"https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/nodes/${NODE_NAME}\" -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" --cacert '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' | jq -r '.metadata.labels[\"topology.kubernetes.io/zone\"] | \"SOLR_OPTS=\\\"${SOLR_OPTS} -Davailability_zone=\" + . + \"\\\"\"' > /node-info/node.sh"]
          volumeMounts:
            - name: kube-node-info
              mountPath: "/node-info"
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
	# Cluster role used for getting node label to inject into the POD
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole

	metadata:
	name: release-name-node-labels

	rules:
	- apiGroups: [""]
	resources: ["nodes"]
	verbs: ["get", "list"]
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding

	metadata:
	name: release-name-node-labels-binding

	roleRef:
	kind: ClusterRole
	name: release-name-node-labels
	apiGroup: rbac.authorization.k8s.io

	subjects:
	- kind: ServiceAccount
	name: release-name-solr
	namespace: default
	---
	apiVersion: solr.apache.org/v1beta1
	kind: SolrCloud
	metadata:
	name: release-name
	labels:
	app.kubernetes.io/name: solr
	app.kubernetes.io/instance: release-name
	app.kubernetes.io/version: "9.3.0"
	spec:
	customSolrKubeOptions:
	podOptions:
	envVars:
	- name: SOLR_INCLUDE
	value: /path/to/solr/home/k8s/node.sh
	podSecurityContext:
	# Change fsGroup to allow the jq-curl-bash-alpine-edge image access to token, since it runs as 'nobody / 65534'
	fsGroup: 65534
	runAsNonRoot: true
	volumes:
	# Volume for node properties that will hold the script for setting availability_zone property
	- name: kube-node-info
	defaultContainerMount:
	mountPath: /path/to/solr/home/k8s
	name: kube-node-info
	source:
	emptyDir: {}
	initContainers:
	# Fetch node's properties from k8s api and propagate it into sysprop availability_zone for affinity plugin to consume
	- name: k8s-node-label-fetcher
	image: "docker.io/vakaobr/jq-curl-bash-alpine-edge:20220811"
	command: ["sh", "-c", "curl -s \"https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/nodes/${NODE_NAME}\" -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" --cacert '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' \| jq -r '.metadata.labels[\"topology.kubernetes.io/zone\"] \| \"SOLR_OPTS=\\\"${SOLR_OPTS} -Davailability_zone=\" + . + \"\\\"\"' > /node-info/node.sh"]
	volumeMounts:
	- name: kube-node-info
	mountPath: "/node-info"
	env:
	- name: NODE_NAME
	valueFrom:
	fieldRef:
	fieldPath: spec.nodeName
	securityContext:
	runAsNonRoot: true
	runAsUser: 65534