underpost 2.8.6 → 2.8.8

package/manifests/kubeadm-calico-config.yaml

@@ -0,0 +1,119 @@
+# This consolidated YAML file contains configurations for:
+# 1. Calico Installation (Installation and APIServer resources)
+# 2. A permissive Egress NetworkPolicy for the 'default' namespace
+#
+# These are standard Kubernetes resources that can be applied directly using 'kubectl apply'.
+# The kubeadm-specific ClusterConfiguration and InitConfiguration have been removed
+# as they are only processed by the 'kubeadm init' command, not 'kubectl apply'.
+
+# --- Calico Installation: Base configuration for Calico ---
+# For more information, see: https://projectcalico.docs.tigera.io/master/reference/installation/api#operator.tigera.io/v1.Installation
+apiVersion: operator.tigera.io/v1
+kind: Installation
+metadata:
+  name: default
+spec:
+  # Configures Calico networking.
+  calicoNetwork:
+    # Note: The ipPools section cannot be modified post-install.
+    ipPools:
+      - blockSize: 26
+        cidr: 192.168.0.0/16
+        encapsulation: VXLANCrossSubnet
+        natOutgoing: Enabled
+        nodeSelector: all()
+
+---
+# This section configures the Calico API server.
+# For more information, see: https://projectcalico.docs.tigera.io/master/reference/installation/api#operator.tigera.io/v1.APIServer
+apiVersion: operator.tigera.io/v1
+kind: APIServer
+metadata:
+  name: default
+spec: {}
+
+---
+# This consolidated NetworkPolicy file ensures that all pods in the specified namespaces
+# have unrestricted egress (outbound) access.
+# This is useful for troubleshooting or for environments where strict egress control
+# is not immediately required for these system/default namespaces.
+
+---
+# Policy for the 'default' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-default-namespace
+  namespace: default # This policy applies to the 'default' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address
+
+---
+# Policy for the 'kube-system' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-kube-system-namespace
+  namespace: kube-system # This policy applies to the 'kube-system' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address
+
+---
+# Policy for the 'kube-node-lease' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-kube-node-lease-namespace
+  namespace: kube-node-lease # This policy applies to the 'kube-node-lease' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address
+
+---
+# Policy for the 'kube-public' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-kube-public-namespace
+  namespace: kube-public # This policy applies to the 'kube-public' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address
+
+---
+# Policy for the 'tigera-operator' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-tigera-operator-namespace
+  namespace: tigera-operator # This policy applies to the 'tigera-operator' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address

package/manifests/kubelet-config.yaml

@@ -0,0 +1,65 @@
+apiVersion: v1
+data:
+  kubelet: |
+    apiVersion: kubelet.config.k8s.io/v1beta1
+    authentication:
+      anonymous:
+        enabled: false
+      webhook:
+        cacheTTL: 0s
+        enabled: true
+      x509:
+        clientCAFile: /etc/kubernetes/pki/ca.crt
+    authorization:
+      mode: Webhook
+      webhook:
+        cacheAuthorizedTTL: 0s
+        cacheUnauthorizedTTL: 0s
+    cgroupDriver: systemd
+    clusterDNS:
+    - 10.96.0.10
+    clusterDomain: cluster.local
+    containerRuntimeEndpoint: unix:///run/containerd/containerd.sock
+    cpuManagerReconcilePeriod: 0s
+    crashLoopBackOff: {}
+    evictionHard:
+      imagefs.available: "5%" # Adjusted for more tolerance
+      memory.available: "100Mi"
+      nodefs.available: "5%" # Adjusted for more tolerance
+      nodefs.inodesFree: "5%"
+    evictionPressureTransitionPeriod: 0s
+    fileCheckFrequency: 0s
+    healthzBindAddress: 127.0.0.1
+    healthzPort: 10248
+    httpCheckFrequency: 0s
+    imageMaximumGCAge: 0s
+    imageMinimumGCAge: 0s
+    kind: KubeletConfiguration
+    logging:
+      flushFrequency: 0
+      options:
+        json:
+          infoBufferSize: "0"
+        text:
+          infoBufferSize: "0"
+      verbosity: 0
+    memorySwap: {}
+    nodeStatusReportFrequency: 0s
+    nodeStatusUpdateFrequency: 0s
+    rotateCertificates: true
+    runtimeRequestTimeout: 0s
+    shutdownGracePeriod: 0s
+    shutdownGracePeriodCriticalPods: 0s
+    staticPodPath: /etc/kubernetes/manifests
+    streamingConnectionIdleTimeout: 0s
+    syncFrequency: 0s
+    volumeStatsAggPeriod: 0s
+kind: ConfigMap
+metadata:
+  annotations:
+    kubeadm.kubernetes.io/component-config.hash: sha256:26488e9fc7c5cb5fdda9996cda2e6651a9af5febce07ea02de11bd3ef3f49e9c
+  creationTimestamp: "2025-06-30T12:42:00Z"
+  name: kubelet-config
+  namespace: kube-system
+  resourceVersion: "204"
+  uid: a85321a8-f3e0-40fa-8e4e-9d33b8842e7a

package/manifests/lxd/lxd-admin-profile.yaml

@@ -0,0 +1,17 @@
+config:
+  limits.cpu: "2"
+  limits.memory: 4GB
+description: vm nat network
+devices:
+  eth0:
+    name: eth0
+    network: lxdbr0
+    type: nic
+    ipv4.address: 10.250.250.100
+  root:
+    path: /
+    pool: local # lxc storage list
+    size: 100GB
+    type: disk
+name: admin-profile
+used_by: []

package/manifests/lxd/lxd-preseed.yaml

@@ -0,0 +1,30 @@
+config:
+  core.https_address: 127.0.0.1:8443
+networks: []
+storage_pools:
+  - config:
+      size: 100GiB
+    description: ""
+    name: local
+    driver: zfs
+storage_volumes: []
+profiles:
+  - config: {}
+    description: ""
+    devices:
+      root:
+        path: /
+        pool: local
+        type: disk
+    name: default
+projects: []
+cluster:
+  server_name: lxd-node1
+  enabled: true
+  member_config: []
+  cluster_address: ""
+  cluster_certificate: ""
+  server_address: ""
+  cluster_password: ""
+  cluster_token: ""
+  cluster_certificate_path: ""

package/manifests/lxd/underpost-setup.sh

@@ -0,0 +1,163 @@
+#!/bin/bash
+
+# Exit immediately if a command exits with a non-zero status.
+set -e
+
+echo "Starting Underpost Kubernetes Node Setup for Production (Kubeadm/K3s Use Case)..."
+
+# --- Disk Partition Resizing (Keep as is, seems functional) ---
+echo "Expanding /dev/sda2 partition and resizing filesystem..."
+
+# Check if parted is installed
+if ! command -v parted &>/dev/null; then
+    echo "parted not found, installing..."
+    sudo dnf install -y parted
+fi
+
+# Get start sector of /dev/sda2
+START_SECTOR=$(sudo parted /dev/sda -ms unit s print | awk -F: '/^2:/{print $2}' | sed 's/s//')
+
+# Resize the partition
+# Using 'sudo' for parted commands
+sudo parted /dev/sda ---pretend-input-tty <<EOF
+unit s
+resizepart 2 100%
+Yes
+quit
+EOF
+
+# Resize the filesystem
+sudo resize2fs /dev/sda2
+
+echo "Disk and filesystem resized successfully."
+
+# --- Essential System Package Installation ---
+echo "Installing essential system packages..."
+sudo dnf install -y tar bzip2 git epel-release
+
+# Perform a system update to ensure all packages are up-to-date
+sudo dnf -y update
+
+# --- NVM and Node.js Installation ---
+echo "Installing NVM and Node.js v23.8.0..."
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
+
+# Load nvm for the current session
+export NVM_DIR="$([ -z "${XDG_CONFIG_HOME-}" ] && printf %s "${HOME}/.nvm" || printf %s "${XDG_CONFIG_HOME}/nvm")"
+[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm
+
+nvm install 23.8.0
+nvm use 23.8.0
+
+echo "
+██╗░░░██╗███╗░░██╗██████╗░███████╗██████╗░██████╗░░█████╗░░██████╗████████╗
+██║░░░██║████╗░██║██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔══██╗██╔════╝╚══██╔══╝
+██║░░░██║██╔██╗██║██║░░██║█████╗░░██████╔╝██████╔╝██║░░██║╚█████╗░░░░██║░░░
+██║░░░██║██║╚████║██║░░██║██╔══╝░░██╔══██╗██╔═╝░░░██║░░██║░╚═══██╗░░░██║░░░
+╚██████╔╝██║░╚███║██████╔╝███████╗██║░░██║██║░░░░░╚█████╔╝██████╔╝░░░██║░░░
+░╚═════╝░╚═╝░░╚══╝╚═════╝░╚══════╝╚═╝░░╚═╝╚═╝░░░░░░╚════╝░╚═════╝░░░░╚═╝░░░
+
+Installing underpost k8s node...
+"
+
+# Install underpost globally
+npm install -g underpost
+
+# Ensure underpost executable is in PATH and has execute permissions
+# Adjusting this for global npm install which usually handles permissions
+# If you still face issues, ensure /root/.nvm/versions/node/v23.8.0/bin is in your PATH
+# For global installs, it's usually handled automatically.
+# chmod +x /root/.nvm/versions/node/v23.8.0/bin/underpost # This might not be necessary for global npm installs
+
+# --- Kernel Module for Bridge Filtering ---
+# This is crucial for Kubernetes networking (CNI)
+echo "Loading br_netfilter kernel module..."
+sudo modprobe br_netfilter
+
+# --- Initial Host Setup for Kubernetes Prerequisites ---
+# This calls the initHost method in cluster.js to install Docker, Podman, Kind, Kubeadm, Helm.
+echo "Running initial host setup for Kubernetes prerequisites..."
+# Ensure the current directory is where 'underpost' expects its root, or use absolute paths.
+# Assuming 'underpost root' correctly points to the base directory of your project.
+cd "$(underpost root)/underpost"
+underpost cluster --init-host
+
+# --- Argument Parsing for Kubeadm/Kind/K3s/Worker ---
+USE_KUBEADM=false
+USE_KIND=false # Not the primary focus for this request, but keeping the logic
+USE_K3S=false  # New K3s option
+USE_WORKER=false
+
+for arg in "$@"; do
+    case "$arg" in
+    --kubeadm)
+        USE_KUBEADM=true
+        ;;
+    --kind)
+        USE_KIND=true
+        ;;
+    --k3s) # New K3s argument
+        USE_K3S=true
+        ;;
+    --worker)
+        USE_WORKER=true
+        ;;
+    esac
+done
+
+echo "USE_KUBEADM = $USE_KUBEADM"
+echo "USE_KIND      = $USE_KIND"
+echo "USE_K3S      = $USE_K3S" # Display K3s flag status
+echo "USE_WORKER   = $USE_WORKER"
+
+# --- Kubernetes Cluster Initialization Logic ---
+
+# Apply host configuration (SELinux, Containerd, Sysctl, and now firewalld disabling)
+echo "Applying Kubernetes host configuration (SELinux, Containerd, Sysctl, Firewalld)..."
+underpost cluster --config
+
+if $USE_KUBEADM; then
+    if $USE_WORKER; then
+        echo "Running worker node setup for kubeadm..."
+        # For worker nodes, the 'underpost cluster --worker' command will handle joining
+        # the cluster. The join command itself needs to be provided from the control plane.
+        # This script assumes the join command will be executed separately or passed in.
+        # Example: underpost cluster --worker --join-command "kubeadm join ..."
+        # For now, this just runs the worker-specific config.
+        underpost cluster --worker
+        underpost cluster --chown
+        echo "Worker node setup initiated. You will need to manually join this worker to your control plane."
+        echo "On your control plane, run 'kubeadm token create --print-join-command' and execute the output here."
+    else
+        echo "Running control plane setup with kubeadm..."
+        # This will initialize the kubeadm control plane and install Calico
+        underpost cluster --kubeadm
+        echo "Kubeadm control plane initialized. Check cluster status with 'kubectl get nodes'."
+    fi
+elif $USE_K3S; then # New K3s initialization block
+    if $USE_WORKER; then
+        echo "Running worker node setup for K3s..."
+        # For K3s worker nodes, the 'underpost cluster --worker' command will handle joining
+        # the cluster. The K3s join command (k3s agent --server ...) needs to be provided.
+        underpost cluster --worker --k3s
+        underpost cluster --chown
+        echo "K3s Worker node setup initiated. You will need to manually join this worker to your control plane."
+        echo "On your K3s control plane, get the K3S_TOKEN from /var/lib/rancher/k3s/server/node-token"
+        echo "and the K3S_URL (e.g., https://<control-plane-ip>:6443)."
+        echo "Then execute: K3S_URL=${K3S_URL} K3S_TOKEN=${K3S_TOKEN} curl -sfL https://get.k3s.io | sh -"
+    else
+        echo "Running control plane setup with K3s..."
+        underpost cluster --k3s
+        echo "K3s control plane initialized. Check cluster status with 'kubectl get nodes'."
+    fi
+elif $USE_KIND; then
+    echo "Running control node with kind..."
+    underpost cluster
+    echo "Kind cluster initialized. Check cluster status with 'kubectl get nodes'."
+else
+    echo "No specific cluster role (--kubeadm, --kind, --k3s, --worker) specified. Please provide one."
+    exit 1
+fi
+
+echo "Underpost Kubernetes Node Setup completed."
+echo "Remember to verify cluster health with 'kubectl get nodes' and 'kubectl get pods --all-namespaces'."

package/manifests/maas/lxd-preseed.yaml

@@ -0,0 +1,32 @@
+config:
+  core.https_address: "[::]:8443"
+  # core.trust_password: password
+networks:
+  - config:
+      ipv4.address: 10.10.10.1/24
+      ipv6.address: none
+    description: ""
+    name: lxdbr0
+    type: ""
+    project: default
+storage_pools:
+  - config:
+      size: 500GB
+    description: ""
+    name: default
+    driver: zfs
+profiles:
+  - config: {}
+    description: ""
+    devices:
+      eth0:
+        name: eth0
+        network: lxdbr0
+        type: nic
+      root:
+        path: /
+        pool: default
+        type: disk
+    name: default
+projects: []
+cluster: null

package/manifests/maas/maas-setup.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+set -euo pipefail
+
+# Update LXD and install dependencies
+sudo snap install --channel=latest/stable lxd
+sudo snap refresh --channel=latest/stable lxd
+sudo snap install jq
+sudo snap install maas
+
+# Get default interface and IP address
+INTERFACE=$(ip route | grep default | awk '{print $5}')
+IP_ADDRESS=$(ip -4 addr show dev "$INTERFACE" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
+
+# Install and persist iptables NAT rules (Rocky Linux compatible)
+sudo dnf install -y iptables-services
+sudo systemctl enable --now iptables
+
+# Enable IP forwarding and configure NAT
+sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
+sudo sysctl -p
+sudo iptables -t nat -A POSTROUTING -o "$INTERFACE" -j SNAT --to "$IP_ADDRESS"
+sudo service iptables save
+
+# LXD preseed
+cd /home/dd/engine
+lxd init --preseed <manifests/maas/lxd-preseed.yaml
+
+# Wait for LXD to be ready
+lxd waitready
+
+# Load secrets
+underpost secret underpost --create-from-file /home/dd/engine/engine-private/conf/dd-cron/.env.production
+
+# Extract config values
+DB_PG_MAAS_USER=$(node bin config get --plain DB_PG_MAAS_USER)
+DB_PG_MAAS_PASS=$(node bin config get --plain DB_PG_MAAS_PASS)
+DB_PG_MAAS_HOST=$(node bin config get --plain DB_PG_MAAS_HOST)
+DB_PG_MAAS_NAME=$(node bin config get --plain DB_PG_MAAS_NAME)
+
+MAAS_ADMIN_USERNAME=$(node bin config get --plain MAAS_ADMIN_USERNAME)
+MAAS_ADMIN_EMAIL=$(node bin config get --plain MAAS_ADMIN_EMAIL)
+MAAS_ADMIN_PASS=$(node bin config get --plain MAAS_ADMIN_PASS)
+
+# Initialize MAAS
+maas init region+rack \
+    --database-uri "postgres://${DB_PG_MAAS_USER}:${DB_PG_MAAS_PASS}@${DB_PG_MAAS_HOST}/${DB_PG_MAAS_NAME}" \
+    --maas-url http://${IP_ADDRESS}:5240/MAAS
+
+# Let MAAS initialize
+sleep 30
+
+# Create admin and get API key
+maas createadmin \
+    --username "$MAAS_ADMIN_USERNAME" \
+    --password "$MAAS_ADMIN_PASS" \
+    --email "$MAAS_ADMIN_EMAIL"
+
+APIKEY=$(maas apikey --username "$MAAS_ADMIN_USERNAME")
+
+# Login to MAAS
+maas login "$MAAS_ADMIN_USERNAME" "http://localhost:5240/MAAS/" "$APIKEY"
+
+# Configure MAAS networking
+SUBNET=10.10.10.0/24
+FABRIC_ID=$(maas "$MAAS_ADMIN_USERNAME" subnet read "$SUBNET" | jq -r ".vlan.fabric_id")
+VLAN_TAG=$(maas "$MAAS_ADMIN_USERNAME" subnet read "$SUBNET" | jq -r ".vlan.vid")
+PRIMARY_RACK=$(maas "$MAAS_ADMIN_USERNAME" rack-controllers read | jq -r ".[] | .system_id")
+
+maas "$MAAS_ADMIN_USERNAME" subnet update "$SUBNET" gateway_ip=10.10.10.1
+maas "$MAAS_ADMIN_USERNAME" ipranges create type=dynamic start_ip=10.10.10.200 end_ip=10.10.10.254
+maas "$MAAS_ADMIN_USERNAME" vlan update "$FABRIC_ID" "$VLAN_TAG" dhcp_on=True primary_rack="$PRIMARY_RACK"
+maas "$MAAS_ADMIN_USERNAME" maas set-config name=upstream_dns value=8.8.8.8
+
+# Register LXD as VM host
+VM_HOST_ID=$(maas "$MAAS_ADMIN_USERNAME" vm-hosts create \
+    password=password \
+    type=lxd \
+    power_address="https://${IP_ADDRESS}:8443" \
+    project=maas | jq '.id')
+
+# Set VM host CPU oversubscription
+maas "$MAAS_ADMIN_USERNAME" vm-host update "$VM_HOST_ID" cpu_over_commit_ratio=4

package/manifests/mariadb/statefulset.yaml

@@ -49,7 +49,8 @@ spec:
     - metadata:
         name: mariadb-storage
       spec:
-        accessModes: ['ReadWriteOnce']
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: mariadb-storage-class
         resources:
           requests:
             storage: 1Gi

package/manifests/mariadb/storage-class.yaml

@@ -0,0 +1,10 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: mariadb-storage-class # Renamed for clarity
+  annotations:
+    # Set this to "true" if you want this to be the default StorageClass
+    # storageclass.kubernetes.io/is-default-class: "true"
+provisioner: rancher.io/local-path # Ensure this provisioner is installed in your cluster
+reclaimPolicy: Retain # Or Delete, depending on your data retention policy
+volumeBindingMode: WaitForFirstConsumer

package/manifests/mongodb/kustomization.yaml

@@ -6,6 +6,6 @@ resources:
   - pv-pvc.yaml
   - headless-service.yaml
   - statefulset.yaml
-  - backup-pv-pvc.yaml
+  # - backup-pv-pvc.yaml
   # - backup-cronjob.yaml
   # - backup-access.yaml

package/manifests/mongodb/statefulset.yaml

@@ -3,7 +3,7 @@ kind: StatefulSet
 metadata:
   name: mongodb # Specifies the name of the statefulset
 spec:
-  serviceName: 'mongodb-service' # Specifies the service to use
+  serviceName: "mongodb-service" # Specifies the service to use
   replicas: 2
   selector:
     matchLabels:
@@ -18,8 +18,8 @@ spec:
           image: docker.io/library/mongo:latest
           command:
             - mongod
-            - '--replSet'
-            - 'rs0'
+            - "--replSet"
+            - "rs0"
             # - '--config'
             # - '-f'
             # - '/etc/mongod.conf'
@@ -35,9 +35,9 @@ spec:
             # - '--setParameter'
             # - 'authenticationMechanisms=SCRAM-SHA-1'
             # - '--fork'
-            - '--logpath'
-            - '/var/log/mongodb/mongod.log'
-            - '--bind_ip_all'
+            - "--logpath"
+            - "/var/log/mongodb/mongod.log"
+            - "--bind_ip_all"
           # command: ['sh', '-c']
           # args:
           #   - |
@@ -99,11 +99,11 @@ spec:
                   key: password
           resources:
             requests:
-              cpu: '100m'
-              memory: '256Mi'
+              cpu: "100m"
+              memory: "256Mi"
             limits:
-              cpu: '500m'
-              memory: '512Mi'
+              cpu: "500m"
+              memory: "512Mi"
       volumes:
         - name: keyfile
           secret:
@@ -119,7 +119,8 @@ spec:
     - metadata:
         name: mongodb-storage
       spec:
-        accessModes: ['ReadWriteOnce']
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: mongodb-storage-class
         resources:
           requests:
             storage: 5Gi

package/manifests/mongodb/storage-class.yaml

@@ -0,0 +1,9 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: mongodb-storage-class
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "false"
+provisioner: rancher.io/local-path
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer

package/manifests/mongodb-4.4/service-deployment.yaml

@@ -13,11 +13,11 @@ spec:
       labels:
         app: mongodb
     spec:
-      hostname: mongo
+      hostname: mongodb-service
       containers:
         - name: mongodb
-          image: docker.io/library/mongo:4.4
-          command: ['mongod', '--replSet', 'rs0', '--bind_ip_all']
+          image: mongo:4.4
+          command: ["mongod", "--replSet", "rs0", "--bind_ip_all"]
           # -- bash
           # mongo
           # use admin

package/manifests/mysql/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# kubectl apply -k core/.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - pv-pvc.yaml
+  - statefulset.yaml

package/manifests/mysql/pv-pvc.yaml

@@ -0,0 +1,27 @@
+# pv-pvc.yaml
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mysql-pv
+  labels:
+    type: local
+spec:
+  storageClassName: manual
+  capacity:
+    storage: 20Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/mnt/data"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mysql-pv-claim
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi