[mariadb-operator] Mariadb-cluster chart

This PS adds the mariadb-cluster chart, based on mariadb-operator. For
backward compatibility, this PS also adds the mariadb-backup and
prometheus-mysql-exporter charts as separate charts.

Change-Id: I3f652375cce2e3b45e095e08d2e6f4ae73b8d8f0
Sergiy Markin 2023-10-17 04:04:37 +00:00 committed by Vladimir Kozhukalov
parent 3d64d4c832
commit 29f2b616cc
98 changed files with 4995 additions and 2 deletions

1
.gitignore vendored

@ -59,6 +59,7 @@ releasenotes/build
# Dev tools
.idea/
.vscode/
.devcontainer/
**/.vagrant
**/*.log

26
mariadb-backup/Chart.yaml Normal file

@ -0,0 +1,26 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
appVersion: v10.6.14
description: OpenStack-Helm MariaDB backups
name: mariadb-backup
version: 0.0.1
home: https://mariadb.com/kb/en/
icon: http://badges.mariadb.org/mariadb-badge-180x60.png
sources:
- https://github.com/MariaDB/server
- https://opendev.org/openstack/openstack-helm
maintainers:
- name: OpenStack-Helm Authors
...

19
mariadb-backup/README.rst Normal file

@ -0,0 +1,19 @@
openstack-helm/mariadb-backup
======================
By default, this chart creates a mariadb-backup cronjob that runs in a schedule
in order to create mysql backups.
This chart depends on mariadb-cluster chart.
The backups are stored in a PVC and also are possible to upload then to a remote
RGW container.
You must ensure that your control nodes that should receive mariadb
instances are labeled with ``openstack-control-plane=enabled``, or
whatever you have configured in values.yaml for the label
configuration:
::
kubectl label nodes openstack-control-plane=enabled --all


@ -0,0 +1,18 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
dependencies:
- name: helm-toolkit
repository: file://../helm-toolkit
version: ">= 0.1.0"
...


@ -0,0 +1,584 @@
#!/bin/bash
SCOPE=${1:-"all"}
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
source /tmp/backup_main.sh
# Export the variables required by the framework
# Note: REMOTE_BACKUP_ENABLED, STORAGE_POLICY and CONTAINER_NAME are already
# exported.
export DB_NAMESPACE=${MARIADB_POD_NAMESPACE}
export DB_NAME="mariadb"
export LOCAL_DAYS_TO_KEEP=${MARIADB_LOCAL_BACKUP_DAYS_TO_KEEP}
export REMOTE_DAYS_TO_KEEP=${MARIADB_REMOTE_BACKUP_DAYS_TO_KEEP}
export REMOTE_BACKUP_RETRIES=${NUMBER_OF_RETRIES_SEND_BACKUP_TO_REMOTE}
export MIN_DELAY_SEND_REMOTE=${MIN_DELAY_SEND_BACKUP_TO_REMOTE}
export MAX_DELAY_SEND_REMOTE=${MAX_DELAY_SEND_BACKUP_TO_REMOTE}
export ARCHIVE_DIR=${MARIADB_BACKUP_BASE_DIR}/db/${DB_NAMESPACE}/${DB_NAME}/archive
# Dump all the database files to existing $TMP_DIR and save logs to $LOG_FILE
dump_databases_to_directory() {
TMP_DIR=$1
LOG_FILE=$2
SCOPE=${3:-"all"}
MYSQL="mysql \
--defaults-file=/etc/mysql/admin_user.cnf \
--connect-timeout 10"
MYSQLDUMP="mysqldump \
--defaults-file=/etc/mysql/admin_user.cnf"
if [[ "${SCOPE}" == "all" ]]; then
MYSQL_DBNAMES=( $($MYSQL --silent --skip-column-names -e \
"show databases;" | \
grep -ivE 'information_schema|performance_schema|mysql|sys') )
else
if [[ "${SCOPE}" != "information_schema" && "${SCOPE}" != "performance_schema" && "${SCOPE}" != "mysql" && "${SCOPE}" != "sys" ]]; then
MYSQL_DBNAMES=( ${SCOPE} )
else
log ERROR "It is not allowed to backup database ${SCOPE}."
return 1
fi
fi
#check if there is a database to backup, otherwise exit
if [[ -z "${MYSQL_DBNAMES// }" ]]
then
log INFO "There is no database to backup"
return 0
fi
#Create a list of Databases
printf "%s\n" "${MYSQL_DBNAMES[@]}" > $TMP_DIR/db.list
if [[ "${SCOPE}" == "all" ]]; then
#Retrieve and create the GRANT file for all the users
{{- if .Values.manifests.certificates }}
SSL_DSN=";mysql_ssl=1"
SSL_DSN="$SSL_DSN;mysql_ssl_client_key=/etc/mysql/certs/tls.key"
SSL_DSN="$SSL_DSN;mysql_ssl_client_cert=/etc/mysql/certs/tls.crt"
SSL_DSN="$SSL_DSN;mysql_ssl_ca_file=/etc/mysql/certs/ca.crt"
if ! pt-show-grants --defaults-file=/etc/mysql/admin_user.cnf $SSL_DSN \
{{- else }}
if ! pt-show-grants --defaults-file=/etc/mysql/admin_user.cnf \
{{- end }}
2>>"$LOG_FILE" > "$TMP_DIR"/grants.sql; then
log ERROR "Failed to create GRANT for all the users"
return 1
fi
fi
#Retrieve and create the GRANT files per DB
for db in "${MYSQL_DBNAMES[@]}"
do
echo $($MYSQL --skip-column-names -e "select concat('show grants for ',user,';') \
from mysql.db where ucase(db)=ucase('$db');") | \
sed -r "s/show grants for ([a-zA-Z0-9_-]*)/show grants for '\1'/g" | \
$MYSQL --silent --skip-column-names 2>>$LOG_FILE > $TMP_DIR/${db}_grant.sql
if [ "$?" -eq 0 ]
then
sed -i 's/$/;/' $TMP_DIR/${db}_grant.sql
else
log ERROR "Failed to create GRANT files for ${db}"
return 1
fi
done
#Dumping the database
SQL_FILE=mariadb.$MARIADB_POD_NAMESPACE.${SCOPE}
$MYSQLDUMP $MYSQL_BACKUP_MYSQLDUMP_OPTIONS "${MYSQL_DBNAMES[@]}" \
> $TMP_DIR/${SQL_FILE}.sql 2>>$LOG_FILE
if [[ $? -eq 0 && -s $TMP_DIR/${SQL_FILE}.sql ]]
then
log INFO "Database(s) dumped successfully. (SCOPE = ${SCOPE})"
return 0
else
log ERROR "Backup failed and need attention. (SCOPE = ${SCOPE})"
return 1
fi
}
# functions from mariadb-verifier chart
get_time_delta_secs () {
second_delta=0
input_date_second=$( date --date="$1" +%s )
if [ -n "$input_date_second" ]; then
current_date=$( date +"%Y-%m-%dT%H:%M:%SZ" )
current_date_second=$( date --date="$current_date" +%s )
((second_delta=current_date_second-input_date_second))
if [ "$second_delta" -lt 0 ]; then
second_delta=0
fi
fi
echo $second_delta
}
check_data_freshness () {
archive_file=$(basename "$1")
archive_date=$(echo "$archive_file" | cut -d'.' -f 4)
SCOPE=$2
if [[ "${SCOPE}" != "all" ]]; then
log "Data freshness check is skipped for individual database."
return 0
fi
log "Checking for data freshness in the backups..."
# Get some idea of which database.table has changed in the last 30m
# Excluding the system DBs and aqua_test_database
#
changed_tables=$(${MYSQL_LIVE} -e "select TABLE_SCHEMA,TABLE_NAME from \
information_schema.tables where UPDATE_TIME >= SUBTIME(now(),'00:30:00') AND TABLE_SCHEMA \
NOT IN('information_schema', 'mysql', 'performance_schema', 'sys', 'aqua_test_database');" | \
awk '{print $1 "." $2}')
if [ -n "${changed_tables}" ]; then
delta_secs=$(get_time_delta_secs "$archive_date")
age_offset={{ .Values.conf.backup.validateData.ageOffset }}
((age_threshold=delta_secs+age_offset))
data_freshness=false
skipped_freshness=false
for table in ${changed_tables}; do
tab_schema=$(echo "$table" | awk -F. '{print $1}')
tab_name=$(echo "$table" | awk -F. '{print $2}')
local_table_existed=$(${MYSQL_LOCAL_SHORT_SILENT} -e "select TABLE_SCHEMA,TABLE_NAME from \
INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=\"${tab_schema}\" AND TABLE_NAME=\"${tab_name}\";")
if [ -n "$local_table_existed" ]; then
# TODO: If last updated field of a table structure has different
# patterns (updated/timstamp), it may be worth to parameterize the patterns.
datetime=$(${MYSQL_LOCAL_SHORT_SILENT} -e "describe ${table};" | \
awk '(/updated/ || /timestamp/) && /datetime/ {print $1}')
if [ -n "${datetime}" ]; then
data_ages=$(${MYSQL_LOCAL_SHORT_SILENT} -e "select \
time_to_sec(timediff(now(),${datetime})) from ${table} where ${datetime} is not null order by 1 limit 10;")
for age in $data_ages; do
if [ "$age" -le $age_threshold ]; then
data_freshness=true
break
fi
done
# As long as there is an indication of data freshness, no need to check further
if [ "$data_freshness" = true ] ; then
break
fi
else
skipped_freshness=true
log "No indicator to determine data freshness for table $table. Skipped data freshness check."
# Dumping out table structure to determine if enhancement is needed to include this table
debug_info=$(${MYSQL_LOCAL} --skip-column-names -e "describe ${table};" | awk '{print $2 " " $1}')
log "$debug_info" "DEBUG"
fi
else
log "Table $table doesn't exist in local database"
skipped_freshness=true
fi
done
if [ "$data_freshness" = true ] ; then
log "Database passed integrity (data freshness) check."
else
if [ "$skipped_freshness" = false ] ; then
log "Local backup database restore failed integrity check." "ERROR"
log "The backup may not have captured the up-to-date data." "INFO"
return 1
fi
fi
else
log "No tables changed in this backup. Skipped data freshness check as the"
log "check should have been performed by previous validation runs."
fi
return 0
}
cleanup_local_databases () {
old_local_dbs=$(${MYSQL_LOCAL_SHORT_SILENT} -e 'show databases;' | \
grep -ivE 'information_schema|performance_schema|mysql|sys' || true)
for db in $old_local_dbs; do
${MYSQL_LOCAL_SHORT_SILENT} -e "drop database $db;"
done
}
list_archive_dir () {
archive_dir_content=$(ls -1R "$ARCHIVE_DIR")
if [ -n "$archive_dir_content" ]; then
log "Content of $ARCHIVE_DIR"
log "${archive_dir_content}"
fi
}
remove_remote_archive_file () {
archive_file=$(basename "$1")
token_req_file=$(mktemp --suffix ".json")
header_file=$(mktemp)
resp_file=$(mktemp --suffix ".json")
http_resp="404"
HEADER_CONTENT_TYPE="Content-Type: application/json"
HEADER_ACCEPT="Accept: application/json"
cat << JSON_EOF > "$token_req_file"
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "${OS_USER_DOMAIN_NAME}"
},
"name": "${OS_USERNAME}",
"password": "${OS_PASSWORD}"
}
}
},
"scope": {
"project": {
"domain": {
"name": "${OS_PROJECT_DOMAIN_NAME}"
},
"name": "${OS_PROJECT_NAME}"
}
}
}
}
JSON_EOF
http_resp=$(curl -s -X POST "$OS_AUTH_URL/auth/tokens" -H "${HEADER_CONTENT_TYPE}" \
-H "${HEADER_ACCEPT}" -d @"${token_req_file}" -D "$header_file" -o "$resp_file" -w "%{http_code}")
if [ "$http_resp" = "201" ]; then
OS_TOKEN=$(grep -i "x-subject-token" "$header_file" | cut -d' ' -f2 | tr -d "\r")
if [ -n "$OS_TOKEN" ]; then
OS_OBJ_URL=$(python3 -c "import json,sys;print([[ep['url'] for ep in obj['endpoints'] if ep['interface']=='public'] for obj in json.load(sys.stdin)['token']['catalog'] if obj['type']=='object-store'][0][0])" < "$resp_file")
if [ -n "$OS_OBJ_URL" ]; then
http_resp=$(curl -s -X DELETE "$OS_OBJ_URL/$CONTAINER_NAME/$archive_file" \
-H "${HEADER_CONTENT_TYPE}" -H "${HEADER_ACCEPT}" \
-H "X-Auth-Token: ${OS_TOKEN}" -D "$header_file" -o "$resp_file" -w "%{http_code}")
fi
fi
fi
if [ "$http_resp" == "404" ] ; then
log "Failed to cleanup remote backup. Container object $archive_file is not on RGW."
return 1
fi
if [ "$http_resp" != "204" ] ; then
log "Failed to cleanup remote backup. Cannot delete container object $archive_file" "ERROR"
cat "$header_file"
cat "$resp_file"
fi
return 0
}
handle_bad_archive_file () {
archive_file=$1
if [ ! -d "$BAD_ARCHIVE_DIR" ]; then
mkdir -p "$BAD_ARCHIVE_DIR"
fi
# Move the file to quarantine directory such that
# file won't be used for restore in case of recovery
#
log "Moving $i to $BAD_ARCHIVE_DIR..."
mv "$i" "$BAD_ARCHIVE_DIR"
log "Removing $i from remote RGW..."
if remove_remote_archive_file "$i"; then
log "File $i has been successfully removed from RGW."
else
log "FIle $i cannot be removed form RGW." "ERROR"
return 1
fi
# Atmost only three bad files are kept. Deleting the oldest if
# number of files exceeded the threshold.
#
bad_files=$(find "$BAD_ARCHIVE_DIR" -name "*.tar.gz" 2>/dev/null | wc -l)
if [ "$bad_files" -gt 3 ]; then
((bad_files=bad_files-3))
delete_files=$(find "$BAD_ARCHIVE_DIR" -name "*.tar.gz" 2>/dev/null | sort | head --lines=$bad_files)
for b in $delete_files; do
log "Deleting $b..."
rm -f "${b}"
done
fi
return 0
}
cleanup_old_validation_result_file () {
clean_files=$(find "$ARCHIVE_DIR" -maxdepth 1 -name "*.passed" 2>/dev/null)
for d in $clean_files; do
archive_file=${d/.passed}
if [ ! -f "$archive_file" ]; then
log "Deleting $d as its associated archive file $archive_file nolonger existed."
rm -f "${d}"
fi
done
}
validate_databases_backup () {
archive_file=$1
SCOPE=${2:-"all"}
restore_log='/tmp/restore_error.log'
tmp_dir=$(mktemp -d)
rm -f $restore_log
cd "$tmp_dir"
log "Decompressing archive $archive_file..."
if ! tar zxvf - < "$archive_file" 1>/dev/null; then
log "Database restore from local backup failed. Archive decompression failed." "ERROR"
return 1
fi
db_list_file="$tmp_dir/db.list"
if [[ -e "$db_list_file" ]]; then
dbs=$(sort < "$db_list_file" | grep -ivE sys | tr '\n' ' ')
else
dbs=" "
fi
sql_file="${tmp_dir}/mariadb.${MARIADB_POD_NAMESPACE}.${SCOPE}.sql"
if [[ "${SCOPE}" == "all" ]]; then
grant_file="${tmp_dir}/grants.sql"
else
grant_file="${tmp_dir}/${SCOPE}_grant.sql"
fi
if [[ -f $sql_file ]]; then
if $MYSQL_LOCAL < "$sql_file" 2>$restore_log; then
local_dbs=$(${MYSQL_LOCAL_SHORT_SILENT} -e 'show databases;' | \
grep -ivE 'information_schema|performance_schema|mysql|sys' | sort | tr '\n' ' ')
if [ "$dbs" = "$local_dbs" ]; then
log "Databases restored successful."
else
log "Database restore from local backup failed. Database mismatched between local backup and local server" "ERROR"
log "Databases restored on local server: $local_dbs" "DEBUG"
log "Databases in the local backup: $dbs" "DEBUG"
return 1
fi
else
log "Database restore from local backup failed. $dbs" "ERROR"
cat $restore_log
return 1
fi
if [[ -f $grant_file ]]; then
if $MYSQL_LOCAL < "$grant_file" 2>$restore_log; then
if ! $MYSQL_LOCAL -e 'flush privileges;'; then
log "Database restore from local backup failed. Failed to flush privileges." "ERROR"
return 1
fi
log "Databases permission restored successful."
else
log "Database restore from local backup failed. Databases permission failed to restore." "ERROR"
cat "$restore_log"
cat "$grant_file"
log "Local DBs: $local_dbs" "DEBUG"
return 1
fi
else
log "Database restore from local backup failed. There is no permission file available" "ERROR"
return 1
fi
if ! check_data_freshness "$archive_file" ${SCOPE}; then
# Log has already generated during check data freshness
return 1
fi
else
log "Database restore from local backup failed. There is no database file available to restore from" "ERROR"
return 1
fi
return 0
}
# end of functions form mariadb verifier chart
# Verify all the databases backup archives
verify_databases_backup_archives() {
SCOPE=${1:-"all"}
# verification code
export DB_NAME="mariadb"
export ARCHIVE_DIR=${MARIADB_BACKUP_BASE_DIR}/db/${MARIADB_POD_NAMESPACE}/${DB_NAME}/archive
export BAD_ARCHIVE_DIR=${ARCHIVE_DIR}/quarantine
export MYSQL_OPTS="--silent --skip-column-names"
export MYSQL_LIVE="mysql --defaults-file=/etc/mysql/admin_user.cnf ${MYSQL_OPTS}"
export MYSQL_LOCAL_OPTS="--user=root --host=127.0.0.1"
export MYSQL_LOCAL_SHORT="mysql ${MYSQL_LOCAL_OPTS} --connect-timeout 2"
export MYSQL_LOCAL_SHORT_SILENT="${MYSQL_LOCAL_SHORT} ${MYSQL_OPTS}"
export MYSQL_LOCAL="mysql ${MYSQL_LOCAL_OPTS} --connect-timeout 10"
max_wait={{ .Values.conf.mariadb_server.setup_wait.iteration }}
duration={{ .Values.conf.mariadb_server.setup_wait.duration }}
counter=0
dbisup=false
log "Waiting for Mariadb backup verification server to start..."
# During Mariadb init/startup process, a temporary server is startup
# and shutdown prior to starting up the normal server.
# To avoid prematurely determine server availability, lets snooze
# a bit to give time for the process to complete prior to issue
# mysql commands.
#
while [ $counter -lt $max_wait ]; do
if ! $MYSQL_LOCAL_SHORT -e 'select 1' > /dev/null 2>&1 ; then
sleep $duration
((counter=counter+1))
else
# Lets sleep for an additional duration just in case async
# init takes a bit more time to complete.
#
sleep $duration
dbisup=true
counter=$max_wait
fi
done
if ! $dbisup; then
log "Mariadb backup verification server is not running" "ERROR"
return 1
fi
# During Mariadb init process, a test database will be briefly
# created and deleted. Adding to the exclusion list for some
# edge cases
#
clean_db=$(${MYSQL_LOCAL_SHORT_SILENT} -e 'show databases;' | \
grep -ivE 'information_schema|performance_schema|mysql|test|sys' || true)
if [[ -z "${clean_db// }" ]]; then
log "Clean Server is up and running"
else
cleanup_local_databases
log "Old databases found on the Mariadb backup verification server were cleaned."
clean_db=$(${MYSQL_LOCAL_SHORT_SILENT} -e 'show databases;' | \
grep -ivE 'information_schema|performance_schema|mysql|test|sys' || true)
if [[ -z "${clean_db// }" ]]; then
log "Clean Server is up and running"
else
log "Cannot clean old databases on verification server." "ERROR"
return 1
fi
log "The server is ready for verification."
fi
# Starting with 10.4.13, new definer mariadb.sys was added. However, mariadb.sys was deleted
# during init mariadb as it was not on the exclusion list. This corrupted the view of mysql.user.
# Insert the tuple back to avoid other similar issues with error i.e
# The user specified as a definer ('mariadb.sys'@'localhost') does not exist
#
# Before insert the tuple mentioned above, we should make sure that the MariaDB version is 10.4.+
mariadb_version=$($MYSQL_LOCAL_SHORT -e "status" | grep -E '^Server\s+version:')
log "Current database ${mariadb_version}"
if [[ ! -z ${mariadb_version} && -z $(grep '10.2' <<< ${mariadb_version}}) ]]; then
if [[ -z $(grep 'mariadb.sys' <<< $($MYSQL_LOCAL_SHORT mysql -e "select * from global_priv where user='mariadb.sys'")) ]]; then
$MYSQL_LOCAL_SHORT -e "insert into mysql.global_priv values ('localhost','mariadb.sys',\
'{\"access\":0,\"plugin\":\"mysql_native_password\",\"authentication_string\":\"\",\"account_locked\":true,\"password_last_changed\":0}');"
$MYSQL_LOCAL_SHORT -e 'flush privileges;'
fi
fi
# Ensure archive dir existed
if [ -d "$ARCHIVE_DIR" ]; then
# List archive dir before
list_archive_dir
# Ensure the local databases are clean for each restore validation
#
cleanup_local_databases
if [[ "${SCOPE}" == "all" ]]; then
archive_files=$(find "$ARCHIVE_DIR" -maxdepth 1 -name "*.tar.gz" 2>/dev/null | sort)
for i in $archive_files; do
archive_file_passed=$i.passed
if [ ! -f "$archive_file_passed" ]; then
log "Validating archive file $i..."
if validate_databases_backup "$i"; then
touch "$archive_file_passed"
else
if handle_bad_archive_file "$i"; then
log "File $i has been removed from RGW."
else
log "File $i cannot be removed from RGW." "ERROR"
return 1
fi
fi
fi
done
else
archive_files=$(find "$ARCHIVE_DIR" -maxdepth 1 -name "*.tar.gz" 2>/dev/null | grep "${SCOPE}" | sort)
for i in $archive_files; do
archive_file_passed=$i.passed
if [ ! -f "$archive_file_passed" ]; then
log "Validating archive file $i..."
if validate_databases_backup "${i}" "${SCOPE}"; then
touch "$archive_file_passed"
else
if handle_bad_archive_file "$i"; then
log "File $i has been removed from RGW."
else
log "File $i cannot be removed from RGW." "ERROR"
return 1
fi
fi
fi
done
fi
# Cleanup passed files if its archive file nolonger existed
cleanup_old_validation_result_file
# List archive dir after
list_archive_dir
fi
return 0
}
# Call main program to start the database backup
backup_databases ${SCOPE}
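Review bot: `remove_remote_archive_file` writes the Keystone password into `$token_req_file` and receives the issued token in `$header_file`, and none of the three `mktemp` files is removed on any return path. When the token request returns 201 but no object-store URL is resolved, `http_resp` is still `201`, so the final `!= "204"` branch runs `cat "$header_file"` and prints the `X-Subject-Token` header into the job log. I would add `rm -f "$token_req_file" "$header_file" "$resp_file"` before each `return` and log `$http_resp` plus the response body rather than the headers. The function also returns 0 after a non-204 delete, so `handle_bad_archive_file` logs the object as removed from RGW when it was not.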


@ -0,0 +1,328 @@
#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{{- $envAll := . }}
# Capture the user's command line arguments
ARGS=("$@")
if [[ -s /tmp/restore_main.sh ]]; then
source /tmp/restore_main.sh
else
echo "File /tmp/restore_main.sh does not exist."
exit 1
fi
# Export the variables needed by the framework
export DB_NAME="mariadb"
export DB_NAMESPACE=${MARIADB_POD_NAMESPACE}
export ARCHIVE_DIR=${MARIADB_BACKUP_BASE_DIR}/db/${DB_NAMESPACE}/${DB_NAME}/archive
RESTORE_USER='restoreuser'
RESTORE_PW=$(pwgen 16 1)
RESTORE_LOG='/tmp/restore_error.log'
rm -f $RESTORE_LOG
# This is for commands which require admin access
MYSQL="mysql \
--defaults-file=/etc/mysql/admin_user.cnf \
--host=$MARIADB_SERVER_SERVICE_HOST \
--connect-timeout 10"
# This is for commands which we want the temporary "restore" user
# to execute
RESTORE_CMD="mysql \
--user=${RESTORE_USER} \
--password=${RESTORE_PW} \
--host=$MARIADB_SERVER_SERVICE_HOST \
{{- if .Values.manifests.certificates }}
--ssl-ca=/etc/mysql/certs/ca.crt \
--ssl-key=/etc/mysql/certs/tls.key \
--ssl-cert=/etc/mysql/certs/tls.crt \
{{- end }}
--connect-timeout 10"
# Get a single database data from the SQL file.
# $1 - database name
# $2 - sql file path
current_db_desc() {
PATTERN="-- Current Database:"
sed -n "/${PATTERN} \`$1\`/,/${PATTERN}/p" $2
}
#Return all database from an archive
get_databases() {
TMP_DIR=$1
DB_FILE=$2
if [[ -e ${TMP_DIR}/db.list ]]
then
DBS=$(cat ${TMP_DIR}/db.list | \
grep -ivE 'information_schema|performance_schema|mysql|sys' )
else
DBS=" "
fi
echo $DBS > $DB_FILE
}
# Determine sql file from 2 options - current and legacy one
# if current is not found check that there is no other namespaced dump file
# before falling back to legacy one
_get_sql_file() {
TMP_DIR=$1
SQL_FILE="${TMP_DIR}/mariadb.${MARIADB_POD_NAMESPACE}.*.sql"
LEGACY_SQL_FILE="${TMP_DIR}/mariadb.*.sql"
INVALID_SQL_FILE="${TMP_DIR}/mariadb.*.*.sql"
if [ -f ${SQL_FILE} ]
then
echo "Found $(ls ${SQL_FILE})" > /dev/stderr
printf ${SQL_FILE}
elif [ -f ${INVALID_SQL_FILE} ]
then
echo "Expected to find ${SQL_FILE} or ${LEGACY_SQL_FILE}, but found $(ls ${INVALID_SQL_FILE})" > /dev/stderr
elif [ -f ${LEGACY_SQL_FILE} ]
then
echo "Falling back to legacy naming ${LEGACY_SQL_FILE}. Found $(ls ${LEGACY_SQL_FILE})" > /dev/stderr
printf ${LEGACY_SQL_FILE}
fi
}
# Extract all tables of a database from an archive and put them in the requested
# file.
get_tables() {
DATABASE=$1
TMP_DIR=$2
TABLE_FILE=$3
SQL_FILE=$(_get_sql_file $TMP_DIR)
if [ ! -z $SQL_FILE ]; then
current_db_desc ${DATABASE} ${SQL_FILE} \
| grep "^CREATE TABLE" | awk -F '`' '{print $2}' \
> $TABLE_FILE
else
# Error, cannot report the tables
echo "No SQL file found - cannot extract the tables"
return 1
fi
}
# Extract all rows in the given table of a database from an archive and put
# them in the requested file.
get_rows() {
DATABASE=$1
TABLE=$2
TMP_DIR=$3
ROW_FILE=$4
SQL_FILE=$(_get_sql_file $TMP_DIR)
if [ ! -z $SQL_FILE ]; then
current_db_desc ${DATABASE} ${SQL_FILE} \
| grep "INSERT INTO \`${TABLE}\` VALUES" > $ROW_FILE
return 0
else
# Error, cannot report the rows
echo "No SQL file found - cannot extract the rows"
return 1
fi
}
# Extract the schema for the given table in the given database belonging to
# the archive file found in the TMP_DIR.
get_schema() {
DATABASE=$1
TABLE=$2
TMP_DIR=$3
SCHEMA_FILE=$4
SQL_FILE=$(_get_sql_file $TMP_DIR)
if [ ! -z $SQL_FILE ]; then
DB_FILE=$(mktemp -p /tmp)
current_db_desc ${DATABASE} ${SQL_FILE} > ${DB_FILE}
sed -n /'CREATE TABLE `'$TABLE'`'/,/'--'/p ${DB_FILE} > ${SCHEMA_FILE}
if [[ ! (-s ${SCHEMA_FILE}) ]]; then
sed -n /'CREATE TABLE IF NOT EXISTS `'$TABLE'`'/,/'--'/p ${DB_FILE} \
> ${SCHEMA_FILE}
fi
rm -f ${DB_FILE}
else
# Error, cannot report the rows
echo "No SQL file found - cannot extract the schema"
return 1
fi
}
# Create temporary user for restoring specific databases.
create_restore_user() {
restore_db=$1
# Ensure any old restore user is removed first, if it exists.
# If it doesn't exist it may return error, so do not exit the
# script if that's the case.
delete_restore_user "dont_exit_on_error"
$MYSQL --execute="GRANT SELECT ON *.* TO ${RESTORE_USER}@'%' IDENTIFIED BY '${RESTORE_PW}';" 2>>$RESTORE_LOG
if [[ "$?" -eq 0 ]]
then
$MYSQL --execute="GRANT ALL ON ${restore_db}.* TO ${RESTORE_USER}@'%' IDENTIFIED BY '${RESTORE_PW}';" 2>>$RESTORE_LOG
if [[ "$?" -ne 0 ]]
then
cat $RESTORE_LOG
echo "Failed to grant restore user ALL permissions on database ${restore_db}"
return 1
fi
else
cat $RESTORE_LOG
echo "Failed to grant restore user select permissions on all databases"
return 1
fi
}
# Delete temporary restore user
delete_restore_user() {
error_handling=$1
$MYSQL --execute="DROP USER ${RESTORE_USER}@'%';" 2>>$RESTORE_LOG
if [[ "$?" -ne 0 ]]
then
if [ "$error_handling" == "exit_on_error" ]
then
cat $RESTORE_LOG
echo "Failed to delete temporary restore user - needs attention to avoid a security hole"
return 1
fi
fi
}
#Restore a single database
restore_single_db() {
SINGLE_DB_NAME=$1
TMP_DIR=$2
if [[ -z "$SINGLE_DB_NAME" ]]
then
echo "Restore single DB called but with wrong parameter."
return 1
fi
SQL_FILE=$(_get_sql_file $TMP_DIR)
if [ ! -z $SQL_FILE ]; then
# Restoring a single database requires us to create a temporary user
# which has capability to only restore that ONE database. One gotcha
# is that the mysql command to restore the database is going to throw
# errors because of all the other databases that it cannot access. So
# because of this reason, the --force option is used to prevent the
# command from stopping on an error.
create_restore_user $SINGLE_DB_NAME
if [[ $? -ne 0 ]]
then
echo "Restore $SINGLE_DB_NAME failed create restore user."
return 1
fi
$RESTORE_CMD --force < $SQL_FILE 2>>$RESTORE_LOG
if [[ "$?" -eq 0 ]]
then
echo "Database $SINGLE_DB_NAME Restore successful."
else
cat $RESTORE_LOG
delete_restore_user "exit_on_error"
echo "Database $SINGLE_DB_NAME Restore failed."
return 1
fi
delete_restore_user "exit_on_error"
if [[ $? -ne 0 ]]
then
echo "Restore $SINGLE_DB_NAME failed delete restore user."
return 1
fi
if [ -f ${TMP_DIR}/${SINGLE_DB_NAME}_grant.sql ]
then
$MYSQL < ${TMP_DIR}/${SINGLE_DB_NAME}_grant.sql 2>>$RESTORE_LOG
if [[ "$?" -eq 0 ]]
then
if ! $MYSQL --execute="FLUSH PRIVILEGES;"; then
echo "Failed to flush privileges for $SINGLE_DB_NAME."
return 1
fi
echo "Database $SINGLE_DB_NAME Permission Restore successful."
else
cat $RESTORE_LOG
echo "Database $SINGLE_DB_NAME Permission Restore failed."
return 1
fi
else
echo "There is no permission file available for $SINGLE_DB_NAME"
return 1
fi
else
echo "There is no database file available to restore from"
return 1
fi
return 0
}
#Restore all the databases
restore_all_dbs() {
TMP_DIR=$1
SQL_FILE=$(_get_sql_file $TMP_DIR)
if [ ! -z $SQL_FILE ]; then
# Check the scope of the archive.
SCOPE=$(echo ${SQL_FILE} | awk -F'.' '{print $(NF-1)}')
if [[ "${SCOPE}" != "all" ]]; then
# This is just a single database backup. The user should
# instead use the single database restore option.
echo "Cannot use the restore all option for an archive containing only a single database."
echo "Please use the single database restore option."
return 1
fi
$MYSQL < $SQL_FILE 2>$RESTORE_LOG
if [[ "$?" -eq 0 ]]
then
echo "Databases $( echo $DBS | tr -d '\n') Restore successful."
else
cat $RESTORE_LOG
echo "Databases $( echo $DBS | tr -d '\n') Restore failed."
return 1
fi
if [[ -f ${TMP_DIR}/grants.sql ]]
then
$MYSQL < ${TMP_DIR}/grants.sql 2>$RESTORE_LOG
if [[ "$?" -eq 0 ]]
then
if ! $MYSQL --execute="FLUSH PRIVILEGES;"; then
echo "Failed to flush privileges."
return 1
fi
echo "Databases Permission Restore successful."
else
cat $RESTORE_LOG
echo "Databases Permission Restore failed."
return 1
fi
else
echo "There is no permission file available"
return 1
fi
else
echo "There is no database file available to restore from"
return 1
fi
return 0
}
# Call the CLI interpreter, providing the archive directory path and the
# user arguments passed in
cli_main ${ARGS[@]}
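Review bot: `RESTORE_CMD` carries the temporary user's password as `--password=${RESTORE_PW}`, so it appears in the process arguments of every `mysql` that the restore spawns, and the two `GRANT … IDENTIFIED BY '${RESTORE_PW}'` statements in `create_restore_user` put it on the `--execute` command line as well. I would have `mysql` read the credentials from a private option file passed as its first option, feed the GRANT statements on stdin, and remove the option file after the final `delete_restore_user "exit_on_error"` in `restore_single_db`. `pwgen -s` would also make the generated password fully random rather than pronounceable.

```shell
RESTORE_PW=$(pwgen 16 1)
# Keep the temporary password off argv: mysql reads it from an option file
# that mktemp creates readable by the owner only.
RESTORE_CNF=$(mktemp)
printf '[client]\nuser=%s\npassword=%s\n' "$RESTORE_USER" "$RESTORE_PW" > "$RESTORE_CNF"
# … unchanged: RESTORE_LOG setup and the admin MYSQL command …
RESTORE_CMD="mysql \
--defaults-extra-file=${RESTORE_CNF} \
--host=$MARIADB_SERVER_SERVICE_HOST \
{{- /* … unchanged: certificate options … */}}
--connect-timeout 10"
# create_restore_user: pass each GRANT on stdin instead of --execute
$MYSQL 2>>$RESTORE_LOG <<< "GRANT SELECT ON *.* TO ${RESTORE_USER}@'%' IDENTIFIED BY '${RESTORE_PW}';"
# … unchanged: status check; the second GRANT is changed the same way …
```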


@ -0,0 +1,28 @@
#!/bin/bash -ex
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
log () {
msg_default="Need some text to log"
level_default="INFO"
component_default="Mariadb Backup Verifier"
msg=${1:-$msg_default}
level=${2:-$level_default}
component=${3:-"$component_default"}
echo "$(date +'%Y-%m-%d %H:%M:%S,%3N') - ${component} - ${level} - ${msg}"
}
log "Starting Mariadb server for backup verification..."
MYSQL_ALLOW_EMPTY_PASSWORD=1 nohup bash -x docker-entrypoint.sh mysqld --user=nobody 2>&1
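Review bot: The verification server is started with `MYSQL_ALLOW_EMPTY_PASSWORD=1`, and the backup script then restores full production dumps into it as passwordless `root`, but nothing on the `mysqld` command line limits where that server listens. Unless the rendered `my.cnf` (not visible on this page) already sets a bind address, I would add `--bind-address=127.0.0.1` to the `mysqld` arguments, so that only the verifier, which connects to `127.0.0.1`, can reach it. A short comment above that line stating why an empty root password is acceptable for this throwaway instance would also help the next reader.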


@ -0,0 +1,45 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_bin }}
{{- $envAll := . }}
{{ if eq .Values.endpoints.oslo_db.auth.admin.username .Values.endpoints.oslo_db.auth.sst.username }}
{{ fail "the DB admin username should not match the sst user username" }}
{{ end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-backup-bin
data:
backup_mariadb.sh: |
{{ tuple "bin/_backup_mariadb.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
start_verification_server.sh: |
{{ tuple "bin/_start_mariadb_verify_server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
restore_mariadb.sh: |
{{ tuple "bin/_restore_mariadb.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
backup_main.sh: |
{{ include "helm-toolkit.scripts.db-backup-restore.backup_main" . | indent 4 }}
restore_main.sh: |
{{ include "helm-toolkit.scripts.db-backup-restore.restore_main" . | indent 4 }}
{{- if .Values.images.local_registry.active }}
image-repo-sync.sh: |
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
{{- end }}
{{- if .Values.manifests.job_ks_user }}
ks-user.sh: |
{{ include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
{{- end }}
{{- end }}
...


@ -0,0 +1,24 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License" );
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-backup-etc
data:
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" ( index $envAll.Values.conf.database "my" ) "key" "my.cnf" ) | indent 2 }}
{{- end }}


@ -0,0 +1,226 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.cron_job_mariadb_backup }}
{{- $envAll := . }}
{{- $serviceAccountName := "mariadb-backup" }}
{{ tuple $envAll "mariadb_backup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: mariadb-backup
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
{{ tuple $envAll "mariadb-backup" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
schedule: {{ .Values.jobs.mariadb_backup.cron | quote }}
successfulJobsHistoryLimit: {{ .Values.jobs.mariadb_backup.history.success }}
failedJobsHistoryLimit: {{ .Values.jobs.mariadb_backup.history.failed }}
concurrencyPolicy: Forbid
jobTemplate:
metadata:
labels:
{{ tuple $envAll "mariadb-backup" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "mariadb-backup" "containerNames" (list "init" "backup-perms" "mariadb-backup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{- if .Values.jobs.mariadb_backup.backoffLimit }}
backoffLimit: {{ .Values.jobs.mariadb_backup.backoffLimit }}
{{- end }}
{{- if .Values.jobs.mariadb_backup.activeDeadlineSeconds }}
activeDeadlineSeconds: {{ .Values.jobs.mariadb_backup.activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll "mariadb-backup" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
spec:
{{ dict "envAll" $envAll "application" "mariadb_backup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
restartPolicy: OnFailure
serviceAccountName: {{ $serviceAccountName }}
shareProcessNamespace: true
{{ if $envAll.Values.pod.tolerations.mariadb.enabled }}
{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
{{ end }}
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
initContainers:
{{ tuple $envAll "mariadb_backup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
- name: backup-perms
{{ tuple $envAll "mariadb_backup" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
{{ dict "envAll" $envAll "application" "mariadb_backup" "container" "backup_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
command:
- chown
- -R
- "65534:65534"
- $(MARIADB_BACKUP_BASE_DIR)
env:
- name: MARIADB_BACKUP_BASE_DIR
value: {{ .Values.conf.backup.base_path | quote }}
volumeMounts:
- mountPath: /tmp
name: pod-tmp
- mountPath: {{ .Values.conf.backup.base_path }}
name: mariadb-backup-dir
- name: verify-perms
{{ tuple $envAll "mariadb_backup" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
{{ dict "envAll" $envAll "application" "mariadb_backup" "container" "verify_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
command:
- chown
- -R
- "65534:65534"
- /var/lib/mysql
volumeMounts:
- mountPath: /tmp
name: pod-tmp
- mountPath: /var/lib/mysql
name: mysql-data
containers:
- name: mariadb-backup
command:
- /bin/sh
args:
- -c
- >-
/tmp/backup_mariadb.sh;
/usr/bin/pkill mysqld
env:
- name: MARIADB_BACKUP_BASE_DIR
value: {{ .Values.conf.backup.base_path | quote }}
- name: MYSQL_BACKUP_MYSQLDUMP_OPTIONS
value: {{ .Values.conf.backup.mysqldump_options | quote }}
- name: MARIADB_LOCAL_BACKUP_DAYS_TO_KEEP
value: {{ .Values.conf.backup.days_to_keep | quote }}
- name: MARIADB_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: REMOTE_BACKUP_ENABLED
value: "{{ .Values.conf.backup.remote_backup.enabled }}"
{{- if .Values.conf.backup.remote_backup.enabled }}
- name: MARIADB_REMOTE_BACKUP_DAYS_TO_KEEP
value: {{ .Values.conf.backup.remote_backup.days_to_keep | quote }}
- name: CONTAINER_NAME
value: {{ .Values.conf.backup.remote_backup.container_name | quote }}
- name: STORAGE_POLICY
value: "{{ .Values.conf.backup.remote_backup.storage_policy }}"
- name: NUMBER_OF_RETRIES_SEND_BACKUP_TO_REMOTE
value: {{ .Values.conf.backup.remote_backup.number_of_retries | quote }}
- name: MIN_DELAY_SEND_BACKUP_TO_REMOTE
value: {{ .Values.conf.backup.remote_backup.delay_range.min | quote }}
- name: MAX_DELAY_SEND_BACKUP_TO_REMOTE
value: {{ .Values.conf.backup.remote_backup.delay_range.max | quote }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.mariadb }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 16 }}
{{- end }}
{{- end }}
{{ tuple $envAll "mariadb_backup" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
{{ dict "envAll" $envAll "application" "mariadb_backup" "container" "mariadb_backup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- mountPath: /tmp/backup_mariadb.sh
name: mariadb-backup-bin
readOnly: true
subPath: backup_mariadb.sh
- mountPath: /tmp/backup_main.sh
name: mariadb-backup-bin
readOnly: true
subPath: backup_main.sh
- mountPath: {{ .Values.conf.backup.base_path }}
name: mariadb-backup-dir
- name: mariadb-backup-secrets
mountPath: /etc/mysql/admin_user.cnf
subPath: admin_user.cnf
readOnly: true
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
- name: mariadb-verify-server
{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ dict "envAll" $envAll "application" "mariadb_backup" "container" "mariadb_verify_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
env:
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
{{- end }}
- name: MYSQL_HISTFILE
value: /dev/null
- name: MARIADB_BACKUP_BASE_DIR
value: {{ .Values.conf.backup.base_path | quote }}
ports:
- name: mysql
protocol: TCP
containerPort: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
command:
- /tmp/start_verification_server.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: var-run
mountPath: /var/run/mysqld
- name: mycnfd
mountPath: /etc/mysql/conf.d
- name: mariadb-backup-etc
mountPath: /etc/mysql/my.cnf
subPath: my.cnf
readOnly: true
- name: mariadb-backup-secrets
mountPath: /etc/mysql/admin_user.cnf
subPath: admin_user.cnf
readOnly: true
- name: mysql-data
mountPath: /var/lib/mysql
- name: mariadb-backup-bin
mountPath: /tmp/start_verification_server.sh
readOnly: true
subPath: start_verification_server.sh
volumes:
- name: pod-tmp
emptyDir: {}
- name: mycnfd
emptyDir: {}
- name: var-run
emptyDir: {}
- name: mariadb-backup-etc
configMap:
name: mariadb-backup-etc
defaultMode: 0444
- name: mysql-data
emptyDir: {}
- name: mariadb-backup-secrets
secret:
secretName: mariadb-backup-secrets
defaultMode: 420
- configMap:
defaultMode: 365
name: mariadb-backup-bin
name: mariadb-backup-bin
{{- if and .Values.volume.backup.enabled .Values.manifests.pvc_backup }}
- name: mariadb-backup-dir
persistentVolumeClaim:
claimName: mariadb-backup-data
{{- else }}
- hostPath:
path: {{ .Values.conf.backup.base_path }}
type: DirectoryOrCreate
name: mariadb-backup-dir
{{- end }}
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{- end }}
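Review bot: The `mariadb-backup` container's command string `/tmp/backup_mariadb.sh; /usr/bin/pkill mysqld` discards the backup script's exit status, so the container exits with whatever `pkill` returns and a failed backup can be recorded as a successful Job. Keeping the status, `/tmp/backup_mariadb.sh; rc=$?; /usr/bin/pkill mysqld; exit $rc`, makes the failure visible in the Job status and in `failedJobsHistoryLimit`. Separately, the access-control annotation's `containerNames` list names `init`, `backup-perms` and `mariadb-backup` but not `verify-perms` or `mariadb-verify-server`, so those two containers presumably get no profile annotation; adding both names to the list would cover the whole pod.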


@ -0,0 +1,22 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
{{- $serviceName := tuple "oslo_db" "server" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
{{- $imageRepoSyncJob := dict "envAll" . "serviceName" $serviceName -}}
{{- if .Values.pod.tolerations.mariadb.enabled -}}
{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
{{- end -}}
{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
{{- end }}


@ -0,0 +1,24 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.job_ks_user }}
{{- $backoffLimit := .Values.jobs.ks_user.backoffLimit }}
{{- $activeDeadlineSeconds := .Values.jobs.ks_user.activeDeadlineSeconds }}
{{- $serviceName := tuple "oslo_db" "server" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
{{- $ksUserJob := dict "envAll" . "serviceName" $serviceName "configMapBin" "mariadb-backup-bin" "backoffLimit" $backoffLimit "activeDeadlineSeconds" $activeDeadlineSeconds -}}
{{- if .Values.pod.tolerations.mariadb.enabled -}}
{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}


@ -0,0 +1,29 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.volume.backup.enabled .Values.manifests.pvc_backup }}
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: mariadb-backup-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .Values.volume.backup.size }}
storageClassName: {{ .Values.volume.backup.class_name }}
...
{{- end }}


@ -0,0 +1,30 @@
{{/*
This manifest results a secret being created which has the key information
needed for backing up and restoring the Mariadb databases.
*/}}
{{- if and .Values.conf.backup.enabled .Values.manifests.secret_backup_restore }}
{{- $envAll := . }}
{{- $userClass := "backup_restore" }}
{{- $secretName := index $envAll.Values.secrets.mariadb $userClass }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: Opaque
data:
BACKUP_ENABLED: {{ $envAll.Values.conf.backup.enabled | quote | b64enc }}
BACKUP_BASE_PATH: {{ $envAll.Values.conf.backup.base_path | b64enc }}
LOCAL_DAYS_TO_KEEP: {{ $envAll.Values.conf.backup.days_to_keep | quote | b64enc }}
MYSQLDUMP_OPTIONS: {{ $envAll.Values.conf.backup.mysqldump_options | b64enc }}
REMOTE_BACKUP_ENABLED: {{ $envAll.Values.conf.backup.remote_backup.enabled | quote | b64enc }}
REMOTE_BACKUP_CONTAINER: {{ $envAll.Values.conf.backup.remote_backup.container_name | b64enc }}
REMOTE_BACKUP_DAYS_TO_KEEP: {{ $envAll.Values.conf.backup.remote_backup.days_to_keep | quote | b64enc }}
REMOTE_BACKUP_STORAGE_POLICY: {{ $envAll.Values.conf.backup.remote_backup.storage_policy | b64enc }}
REMOTE_BACKUP_RETRIES: {{ $envAll.Values.conf.backup.remote_backup.number_of_retries | quote | b64enc }}
REMOTE_BACKUP_SEND_DELAY_MIN: {{ $envAll.Values.conf.backup.remote_backup.delay_range.min | quote | b64enc }}
REMOTE_BACKUP_SEND_DELAY_MAX: {{ $envAll.Values.conf.backup.remote_backup.delay_range.max | quote | b64enc }}
...
{{- end }}
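Review bot: Every non-string value under `data:` goes through `quote` before `b64enc`, so the stored bytes include the double quotes: `BACKUP_ENABLED` decodes to `"true"` rather than `true`, and `LOCAL_DAYS_TO_KEEP` to a quoted number. The consumer of this Secret is not on this page and may strip them, but a plain string conversion avoids the question, e.g. `BACKUP_ENABLED: {{ $envAll.Values.conf.backup.enabled | toString | b64enc }}`, and likewise for the other `quote | b64enc` lines. This template also lacks the license header that the other new templates in the commit carry.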


@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
{{- end }}


@ -0,0 +1,78 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
This manifest results in two secrets being created:
1) Keystone "mariadb" secret, which is needed to access the cluster
(remote or same cluster) for storing mariadb backups. If the
cluster is remote, the auth_url would be non-null.
2) Keystone "admin" secret, which is needed to create the
"mariadb" keystone account mentioned above. This may not
be needed if the account is in a remote cluster (auth_url is non-null
in that case).
*/}}
{{- if .Values.conf.backup.remote_backup.enabled }}
{{- $envAll := . }}
{{- $userClass := "mariadb-server" }}
{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: Opaque
data:
{{- $identityClass := index .Values.endpoints.identity.auth $userClass }}
{{- if $identityClass.auth_url }}
OS_AUTH_URL: {{ $identityClass.auth_url | b64enc }}
{{- else }}
OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
{{- end }}
OS_REGION_NAME: {{ $identityClass.region_name | b64enc }}
OS_INTERFACE: {{ $identityClass.interface | default "internal" | b64enc }}
OS_PROJECT_DOMAIN_NAME: {{ $identityClass.project_domain_name | b64enc }}
OS_PROJECT_NAME: {{ $identityClass.project_name | b64enc }}
OS_USER_DOMAIN_NAME: {{ $identityClass.user_domain_name | b64enc }}
OS_USERNAME: {{ $identityClass.username | b64enc }}
OS_PASSWORD: {{ $identityClass.password | b64enc }}
OS_DEFAULT_DOMAIN: {{ $identityClass.default_domain_id | default "default" | b64enc }}
...
{{- if .Values.manifests.job_ks_user }}
{{- $userClass := "admin" }}
{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: Opaque
data:
{{- $identityClass := index .Values.endpoints.identity.auth $userClass }}
{{- if $identityClass.auth_url }}
OS_AUTH_URL: {{ $identityClass.auth_url | b64enc }}
{{- else }}
OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
{{- end }}
OS_REGION_NAME: {{ $identityClass.region_name | b64enc }}
OS_INTERFACE: {{ $identityClass.interface | default "internal" | b64enc }}
OS_PROJECT_DOMAIN_NAME: {{ $identityClass.project_domain_name | b64enc }}
OS_PROJECT_NAME: {{ $identityClass.project_name | b64enc }}
OS_USER_DOMAIN_NAME: {{ $identityClass.user_domain_name | b64enc }}
OS_USERNAME: {{ $identityClass.username | b64enc }}
OS_PASSWORD: {{ $identityClass.password | b64enc }}
OS_DEFAULT_DOMAIN: {{ $identityClass.default_domain_id | default "default" | b64enc }}
...
{{- end }}
{{- end }}
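Review bot: The backup user's Secret name is read from `secrets.identity` under the key `mariadb-server`, while the CronJob added in this commit passes `$envAll.Values.secrets.identity.mariadb` as `ksUserSecret`, and the header comment here calls it the "mariadb" secret. values.yaml is not visible in this part of the page, so the two keys may resolve to the same name, but if either is missing the OS_* variables would point at a Secret that is never created and `name:` here would render empty. Failing at render time makes that visible: `{{- $secretName := index $envAll.Values.secrets.identity $userClass | required "secrets.identity.mariadb-server must be set" }}`. The second document also copies the Keystone admin password into this release whenever `manifests.job_ks_user` is set, which the comment itself says may be unnecessary when the account lives in a remote cluster.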


@ -0,0 +1,26 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_etc }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Secret
metadata:
name: mariadb-backup-secrets
type: Opaque
data:
admin_user.cnf: {{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
admin_user_internal.cnf: {{ tuple "secrets/_admin_user_internal.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
{{- end }}


@ -0,0 +1,24 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
[client]
user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.manifests.certificates }}
ssl-ca = /etc/mysql/certs/ca.crt
ssl-key = /etc/mysql/certs/tls.key
ssl-cert = /etc/mysql/certs/tls.crt
{{- end }}
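Review bot: The admin password is written into the `[client]` section unquoted at `password = {{ ... }}`, and option-file parsing treats `#` as the start of a comment and trims surrounding whitespace, so a password containing those characters would be truncated and the backup client could not authenticate. Quoting the value avoids that: `password = {{ .Values.endpoints.oslo_db.auth.admin.password | quote }}`. When `manifests.certificates` is on, the block sets `ssl-ca`, `ssl-key` and `ssl-cert` but not `ssl-verify-server-cert`, so whether the client checks the server's host name is left to the client's default; setting it explicitly would state the intent.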