[mariadb-operator] Mariadb-cluster chart
This PS adds mariadb-cluster chart based on mariadb-operator. Also for some backward compartibility this PS adds mariadb-backup chart and prometheus-mysql-exporter chart as a separate ones. Change-Id: I3f652375cce2e3b45e095e08d2e6f4ae73b8d8f0
This commit is contained in:
parent
3d64d4c832
commit
29f2b616cc
1
.gitignore
vendored
1
.gitignore
vendored
@ -59,6 +59,7 @@ releasenotes/build
|
||||
# Dev tools
|
||||
.idea/
|
||||
.vscode/
|
||||
.devcontainer/
|
||||
**/.vagrant
|
||||
**/*.log
|
||||
|
||||
|
26
mariadb-backup/Chart.yaml
Normal file
26
mariadb-backup/Chart.yaml
Normal file
@ -0,0 +1,26 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
appVersion: v10.6.14
|
||||
description: OpenStack-Helm MariaDB backups
|
||||
name: mariadb-backup
|
||||
version: 0.0.1
|
||||
home: https://mariadb.com/kb/en/
|
||||
icon: http://badges.mariadb.org/mariadb-badge-180x60.png
|
||||
sources:
|
||||
- https://github.com/MariaDB/server
|
||||
- https://opendev.org/openstack/openstack-helm
|
||||
maintainers:
|
||||
- name: OpenStack-Helm Authors
|
||||
...
|
19
mariadb-backup/README.rst
Normal file
19
mariadb-backup/README.rst
Normal file
@ -0,0 +1,19 @@
|
||||
openstack-helm/mariadb-backup
|
||||
======================
|
||||
|
||||
By default, this chart creates a mariadb-backup cronjob that runs in a schedule
|
||||
in order to create mysql backups.
|
||||
|
||||
This chart depends on mariadb-cluster chart.
|
||||
|
||||
The backups are stored in a PVC and also are possible to upload then to a remote
|
||||
RGW container.
|
||||
|
||||
You must ensure that your control nodes that should receive mariadb
|
||||
instances are labeled with ``openstack-control-plane=enabled``, or
|
||||
whatever you have configured in values.yaml for the label
|
||||
configuration:
|
||||
|
||||
::
|
||||
|
||||
kubectl label nodes openstack-control-plane=enabled --all
|
18
mariadb-backup/requirements.yaml
Normal file
18
mariadb-backup/requirements.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
dependencies:
|
||||
- name: helm-toolkit
|
||||
repository: file://../helm-toolkit
|
||||
version: ">= 0.1.0"
|
||||
...
|
584
mariadb-backup/templates/bin/_backup_mariadb.sh.tpl
Normal file
584
mariadb-backup/templates/bin/_backup_mariadb.sh.tpl
Normal file
@ -0,0 +1,584 @@
|
||||
#!/bin/bash
|
||||
|
||||
SCOPE=${1:-"all"}
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
source /tmp/backup_main.sh
|
||||
|
||||
# Export the variables required by the framework
|
||||
# Note: REMOTE_BACKUP_ENABLED, STORAGE_POLICY and CONTAINER_NAME are already
|
||||
# exported.
|
||||
export DB_NAMESPACE=${MARIADB_POD_NAMESPACE}
|
||||
export DB_NAME="mariadb"
|
||||
export LOCAL_DAYS_TO_KEEP=${MARIADB_LOCAL_BACKUP_DAYS_TO_KEEP}
|
||||
export REMOTE_DAYS_TO_KEEP=${MARIADB_REMOTE_BACKUP_DAYS_TO_KEEP}
|
||||
export REMOTE_BACKUP_RETRIES=${NUMBER_OF_RETRIES_SEND_BACKUP_TO_REMOTE}
|
||||
export MIN_DELAY_SEND_REMOTE=${MIN_DELAY_SEND_BACKUP_TO_REMOTE}
|
||||
export MAX_DELAY_SEND_REMOTE=${MAX_DELAY_SEND_BACKUP_TO_REMOTE}
|
||||
export ARCHIVE_DIR=${MARIADB_BACKUP_BASE_DIR}/db/${DB_NAMESPACE}/${DB_NAME}/archive
|
||||
|
||||
# Dump all the database files to existing $TMP_DIR and save logs to $LOG_FILE
|
||||
dump_databases_to_directory() {
|
||||
TMP_DIR=$1
|
||||
LOG_FILE=$2
|
||||
SCOPE=${3:-"all"}
|
||||
|
||||
|
||||
MYSQL="mysql \
|
||||
--defaults-file=/etc/mysql/admin_user.cnf \
|
||||
--connect-timeout 10"
|
||||
|
||||
MYSQLDUMP="mysqldump \
|
||||
--defaults-file=/etc/mysql/admin_user.cnf"
|
||||
|
||||
if [[ "${SCOPE}" == "all" ]]; then
|
||||
MYSQL_DBNAMES=( $($MYSQL --silent --skip-column-names -e \
|
||||
"show databases;" | \
|
||||
grep -ivE 'information_schema|performance_schema|mysql|sys') )
|
||||
else
|
||||
if [[ "${SCOPE}" != "information_schema" && "${SCOPE}" != "performance_schema" && "${SCOPE}" != "mysql" && "${SCOPE}" != "sys" ]]; then
|
||||
MYSQL_DBNAMES=( ${SCOPE} )
|
||||
else
|
||||
log ERROR "It is not allowed to backup database ${SCOPE}."
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
#check if there is a database to backup, otherwise exit
|
||||
if [[ -z "${MYSQL_DBNAMES// }" ]]
|
||||
then
|
||||
log INFO "There is no database to backup"
|
||||
return 0
|
||||
fi
|
||||
|
||||
#Create a list of Databases
|
||||
printf "%s\n" "${MYSQL_DBNAMES[@]}" > $TMP_DIR/db.list
|
||||
|
||||
if [[ "${SCOPE}" == "all" ]]; then
|
||||
#Retrieve and create the GRANT file for all the users
|
||||
{{- if .Values.manifests.certificates }}
|
||||
SSL_DSN=";mysql_ssl=1"
|
||||
SSL_DSN="$SSL_DSN;mysql_ssl_client_key=/etc/mysql/certs/tls.key"
|
||||
SSL_DSN="$SSL_DSN;mysql_ssl_client_cert=/etc/mysql/certs/tls.crt"
|
||||
SSL_DSN="$SSL_DSN;mysql_ssl_ca_file=/etc/mysql/certs/ca.crt"
|
||||
if ! pt-show-grants --defaults-file=/etc/mysql/admin_user.cnf $SSL_DSN \
|
||||
{{- else }}
|
||||
if ! pt-show-grants --defaults-file=/etc/mysql/admin_user.cnf \
|
||||
{{- end }}
|
||||
2>>"$LOG_FILE" > "$TMP_DIR"/grants.sql; then
|
||||
log ERROR "Failed to create GRANT for all the users"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
#Retrieve and create the GRANT files per DB
|
||||
for db in "${MYSQL_DBNAMES[@]}"
|
||||
do
|
||||
echo $($MYSQL --skip-column-names -e "select concat('show grants for ',user,';') \
|
||||
from mysql.db where ucase(db)=ucase('$db');") | \
|
||||
sed -r "s/show grants for ([a-zA-Z0-9_-]*)/show grants for '\1'/g" | \
|
||||
$MYSQL --silent --skip-column-names 2>>$LOG_FILE > $TMP_DIR/${db}_grant.sql
|
||||
if [ "$?" -eq 0 ]
|
||||
then
|
||||
sed -i 's/$/;/' $TMP_DIR/${db}_grant.sql
|
||||
else
|
||||
log ERROR "Failed to create GRANT files for ${db}"
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
|
||||
#Dumping the database
|
||||
|
||||
SQL_FILE=mariadb.$MARIADB_POD_NAMESPACE.${SCOPE}
|
||||
|
||||
$MYSQLDUMP $MYSQL_BACKUP_MYSQLDUMP_OPTIONS "${MYSQL_DBNAMES[@]}" \
|
||||
> $TMP_DIR/${SQL_FILE}.sql 2>>$LOG_FILE
|
||||
if [[ $? -eq 0 && -s $TMP_DIR/${SQL_FILE}.sql ]]
|
||||
then
|
||||
log INFO "Database(s) dumped successfully. (SCOPE = ${SCOPE})"
|
||||
return 0
|
||||
else
|
||||
log ERROR "Backup failed and need attention. (SCOPE = ${SCOPE})"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# functions from mariadb-verifier chart
|
||||
|
||||
get_time_delta_secs () {
|
||||
second_delta=0
|
||||
input_date_second=$( date --date="$1" +%s )
|
||||
if [ -n "$input_date_second" ]; then
|
||||
current_date=$( date +"%Y-%m-%dT%H:%M:%SZ" )
|
||||
current_date_second=$( date --date="$current_date" +%s )
|
||||
((second_delta=current_date_second-input_date_second))
|
||||
if [ "$second_delta" -lt 0 ]; then
|
||||
second_delta=0
|
||||
fi
|
||||
fi
|
||||
echo $second_delta
|
||||
}
|
||||
|
||||
|
||||
check_data_freshness () {
|
||||
archive_file=$(basename "$1")
|
||||
archive_date=$(echo "$archive_file" | cut -d'.' -f 4)
|
||||
SCOPE=$2
|
||||
|
||||
if [[ "${SCOPE}" != "all" ]]; then
|
||||
log "Data freshness check is skipped for individual database."
|
||||
return 0
|
||||
fi
|
||||
|
||||
log "Checking for data freshness in the backups..."
|
||||
# Get some idea of which database.table has changed in the last 30m
|
||||
# Excluding the system DBs and aqua_test_database
|
||||
#
|
||||
changed_tables=$(${MYSQL_LIVE} -e "select TABLE_SCHEMA,TABLE_NAME from \
|
||||
information_schema.tables where UPDATE_TIME >= SUBTIME(now(),'00:30:00') AND TABLE_SCHEMA \
|
||||
NOT IN('information_schema', 'mysql', 'performance_schema', 'sys', 'aqua_test_database');" | \
|
||||
awk '{print $1 "." $2}')
|
||||
|
||||
if [ -n "${changed_tables}" ]; then
|
||||
delta_secs=$(get_time_delta_secs "$archive_date")
|
||||
age_offset={{ .Values.conf.backup.validateData.ageOffset }}
|
||||
((age_threshold=delta_secs+age_offset))
|
||||
|
||||
data_freshness=false
|
||||
skipped_freshness=false
|
||||
|
||||
for table in ${changed_tables}; do
|
||||
tab_schema=$(echo "$table" | awk -F. '{print $1}')
|
||||
tab_name=$(echo "$table" | awk -F. '{print $2}')
|
||||
|
||||
local_table_existed=$(${MYSQL_LOCAL_SHORT_SILENT} -e "select TABLE_SCHEMA,TABLE_NAME from \
|
||||
INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=\"${tab_schema}\" AND TABLE_NAME=\"${tab_name}\";")
|
||||
|
||||
if [ -n "$local_table_existed" ]; then
|
||||
# TODO: If last updated field of a table structure has different
|
||||
# patterns (updated/timstamp), it may be worth to parameterize the patterns.
|
||||
datetime=$(${MYSQL_LOCAL_SHORT_SILENT} -e "describe ${table};" | \
|
||||
awk '(/updated/ || /timestamp/) && /datetime/ {print $1}')
|
||||
|
||||
if [ -n "${datetime}" ]; then
|
||||
data_ages=$(${MYSQL_LOCAL_SHORT_SILENT} -e "select \
|
||||
time_to_sec(timediff(now(),${datetime})) from ${table} where ${datetime} is not null order by 1 limit 10;")
|
||||
|
||||
for age in $data_ages; do
|
||||
if [ "$age" -le $age_threshold ]; then
|
||||
data_freshness=true
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
# As long as there is an indication of data freshness, no need to check further
|
||||
if [ "$data_freshness" = true ] ; then
|
||||
break
|
||||
fi
|
||||
else
|
||||
skipped_freshness=true
|
||||
log "No indicator to determine data freshness for table $table. Skipped data freshness check."
|
||||
|
||||
# Dumping out table structure to determine if enhancement is needed to include this table
|
||||
debug_info=$(${MYSQL_LOCAL} --skip-column-names -e "describe ${table};" | awk '{print $2 " " $1}')
|
||||
log "$debug_info" "DEBUG"
|
||||
fi
|
||||
else
|
||||
log "Table $table doesn't exist in local database"
|
||||
skipped_freshness=true
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$data_freshness" = true ] ; then
|
||||
log "Database passed integrity (data freshness) check."
|
||||
else
|
||||
if [ "$skipped_freshness" = false ] ; then
|
||||
log "Local backup database restore failed integrity check." "ERROR"
|
||||
log "The backup may not have captured the up-to-date data." "INFO"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
else
|
||||
log "No tables changed in this backup. Skipped data freshness check as the"
|
||||
log "check should have been performed by previous validation runs."
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
cleanup_local_databases () {
|
||||
old_local_dbs=$(${MYSQL_LOCAL_SHORT_SILENT} -e 'show databases;' | \
|
||||
grep -ivE 'information_schema|performance_schema|mysql|sys' || true)
|
||||
|
||||
for db in $old_local_dbs; do
|
||||
${MYSQL_LOCAL_SHORT_SILENT} -e "drop database $db;"
|
||||
done
|
||||
}
|
||||
|
||||
list_archive_dir () {
|
||||
archive_dir_content=$(ls -1R "$ARCHIVE_DIR")
|
||||
if [ -n "$archive_dir_content" ]; then
|
||||
log "Content of $ARCHIVE_DIR"
|
||||
log "${archive_dir_content}"
|
||||
fi
|
||||
}
|
||||
|
||||
remove_remote_archive_file () {
|
||||
archive_file=$(basename "$1")
|
||||
token_req_file=$(mktemp --suffix ".json")
|
||||
header_file=$(mktemp)
|
||||
resp_file=$(mktemp --suffix ".json")
|
||||
http_resp="404"
|
||||
|
||||
HEADER_CONTENT_TYPE="Content-Type: application/json"
|
||||
HEADER_ACCEPT="Accept: application/json"
|
||||
|
||||
cat << JSON_EOF > "$token_req_file"
|
||||
{
|
||||
"auth": {
|
||||
"identity": {
|
||||
"methods": [
|
||||
"password"
|
||||
],
|
||||
"password": {
|
||||
"user": {
|
||||
"domain": {
|
||||
"name": "${OS_USER_DOMAIN_NAME}"
|
||||
},
|
||||
"name": "${OS_USERNAME}",
|
||||
"password": "${OS_PASSWORD}"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"project": {
|
||||
"domain": {
|
||||
"name": "${OS_PROJECT_DOMAIN_NAME}"
|
||||
},
|
||||
"name": "${OS_PROJECT_NAME}"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
JSON_EOF
|
||||
|
||||
http_resp=$(curl -s -X POST "$OS_AUTH_URL/auth/tokens" -H "${HEADER_CONTENT_TYPE}" \
|
||||
-H "${HEADER_ACCEPT}" -d @"${token_req_file}" -D "$header_file" -o "$resp_file" -w "%{http_code}")
|
||||
|
||||
if [ "$http_resp" = "201" ]; then
|
||||
OS_TOKEN=$(grep -i "x-subject-token" "$header_file" | cut -d' ' -f2 | tr -d "\r")
|
||||
|
||||
if [ -n "$OS_TOKEN" ]; then
|
||||
OS_OBJ_URL=$(python3 -c "import json,sys;print([[ep['url'] for ep in obj['endpoints'] if ep['interface']=='public'] for obj in json.load(sys.stdin)['token']['catalog'] if obj['type']=='object-store'][0][0])" < "$resp_file")
|
||||
|
||||
if [ -n "$OS_OBJ_URL" ]; then
|
||||
http_resp=$(curl -s -X DELETE "$OS_OBJ_URL/$CONTAINER_NAME/$archive_file" \
|
||||
-H "${HEADER_CONTENT_TYPE}" -H "${HEADER_ACCEPT}" \
|
||||
-H "X-Auth-Token: ${OS_TOKEN}" -D "$header_file" -o "$resp_file" -w "%{http_code}")
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$http_resp" == "404" ] ; then
|
||||
log "Failed to cleanup remote backup. Container object $archive_file is not on RGW."
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ "$http_resp" != "204" ] ; then
|
||||
log "Failed to cleanup remote backup. Cannot delete container object $archive_file" "ERROR"
|
||||
cat "$header_file"
|
||||
cat "$resp_file"
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
handle_bad_archive_file () {
|
||||
archive_file=$1
|
||||
|
||||
if [ ! -d "$BAD_ARCHIVE_DIR" ]; then
|
||||
mkdir -p "$BAD_ARCHIVE_DIR"
|
||||
fi
|
||||
|
||||
# Move the file to quarantine directory such that
|
||||
# file won't be used for restore in case of recovery
|
||||
#
|
||||
log "Moving $i to $BAD_ARCHIVE_DIR..."
|
||||
mv "$i" "$BAD_ARCHIVE_DIR"
|
||||
log "Removing $i from remote RGW..."
|
||||
if remove_remote_archive_file "$i"; then
|
||||
log "File $i has been successfully removed from RGW."
|
||||
else
|
||||
log "FIle $i cannot be removed form RGW." "ERROR"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Atmost only three bad files are kept. Deleting the oldest if
|
||||
# number of files exceeded the threshold.
|
||||
#
|
||||
bad_files=$(find "$BAD_ARCHIVE_DIR" -name "*.tar.gz" 2>/dev/null | wc -l)
|
||||
if [ "$bad_files" -gt 3 ]; then
|
||||
((bad_files=bad_files-3))
|
||||
delete_files=$(find "$BAD_ARCHIVE_DIR" -name "*.tar.gz" 2>/dev/null | sort | head --lines=$bad_files)
|
||||
for b in $delete_files; do
|
||||
log "Deleting $b..."
|
||||
rm -f "${b}"
|
||||
done
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
cleanup_old_validation_result_file () {
|
||||
clean_files=$(find "$ARCHIVE_DIR" -maxdepth 1 -name "*.passed" 2>/dev/null)
|
||||
for d in $clean_files; do
|
||||
archive_file=${d/.passed}
|
||||
if [ ! -f "$archive_file" ]; then
|
||||
log "Deleting $d as its associated archive file $archive_file nolonger existed."
|
||||
rm -f "${d}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
validate_databases_backup () {
|
||||
archive_file=$1
|
||||
SCOPE=${2:-"all"}
|
||||
|
||||
restore_log='/tmp/restore_error.log'
|
||||
tmp_dir=$(mktemp -d)
|
||||
|
||||
rm -f $restore_log
|
||||
cd "$tmp_dir"
|
||||
log "Decompressing archive $archive_file..."
|
||||
if ! tar zxvf - < "$archive_file" 1>/dev/null; then
|
||||
log "Database restore from local backup failed. Archive decompression failed." "ERROR"
|
||||
return 1
|
||||
fi
|
||||
|
||||
db_list_file="$tmp_dir/db.list"
|
||||
if [[ -e "$db_list_file" ]]; then
|
||||
dbs=$(sort < "$db_list_file" | grep -ivE sys | tr '\n' ' ')
|
||||
else
|
||||
dbs=" "
|
||||
fi
|
||||
|
||||
sql_file="${tmp_dir}/mariadb.${MARIADB_POD_NAMESPACE}.${SCOPE}.sql"
|
||||
|
||||
if [[ "${SCOPE}" == "all" ]]; then
|
||||
grant_file="${tmp_dir}/grants.sql"
|
||||
else
|
||||
grant_file="${tmp_dir}/${SCOPE}_grant.sql"
|
||||
fi
|
||||
|
||||
if [[ -f $sql_file ]]; then
|
||||
if $MYSQL_LOCAL < "$sql_file" 2>$restore_log; then
|
||||
local_dbs=$(${MYSQL_LOCAL_SHORT_SILENT} -e 'show databases;' | \
|
||||
grep -ivE 'information_schema|performance_schema|mysql|sys' | sort | tr '\n' ' ')
|
||||
|
||||
if [ "$dbs" = "$local_dbs" ]; then
|
||||
log "Databases restored successful."
|
||||
else
|
||||
log "Database restore from local backup failed. Database mismatched between local backup and local server" "ERROR"
|
||||
log "Databases restored on local server: $local_dbs" "DEBUG"
|
||||
log "Databases in the local backup: $dbs" "DEBUG"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
log "Database restore from local backup failed. $dbs" "ERROR"
|
||||
cat $restore_log
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [[ -f $grant_file ]]; then
|
||||
if $MYSQL_LOCAL < "$grant_file" 2>$restore_log; then
|
||||
if ! $MYSQL_LOCAL -e 'flush privileges;'; then
|
||||
log "Database restore from local backup failed. Failed to flush privileges." "ERROR"
|
||||
return 1
|
||||
fi
|
||||
log "Databases permission restored successful."
|
||||
else
|
||||
log "Database restore from local backup failed. Databases permission failed to restore." "ERROR"
|
||||
cat "$restore_log"
|
||||
cat "$grant_file"
|
||||
log "Local DBs: $local_dbs" "DEBUG"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
log "Database restore from local backup failed. There is no permission file available" "ERROR"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if ! check_data_freshness "$archive_file" ${SCOPE}; then
|
||||
# Log has already generated during check data freshness
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
log "Database restore from local backup failed. There is no database file available to restore from" "ERROR"
|
||||
return 1
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
# end of functions form mariadb verifier chart
|
||||
|
||||
# Verify all the databases backup archives
|
||||
verify_databases_backup_archives() {
|
||||
SCOPE=${1:-"all"}
|
||||
|
||||
# verification code
|
||||
export DB_NAME="mariadb"
|
||||
export ARCHIVE_DIR=${MARIADB_BACKUP_BASE_DIR}/db/${MARIADB_POD_NAMESPACE}/${DB_NAME}/archive
|
||||
export BAD_ARCHIVE_DIR=${ARCHIVE_DIR}/quarantine
|
||||
export MYSQL_OPTS="--silent --skip-column-names"
|
||||
export MYSQL_LIVE="mysql --defaults-file=/etc/mysql/admin_user.cnf ${MYSQL_OPTS}"
|
||||
export MYSQL_LOCAL_OPTS="--user=root --host=127.0.0.1"
|
||||
export MYSQL_LOCAL_SHORT="mysql ${MYSQL_LOCAL_OPTS} --connect-timeout 2"
|
||||
export MYSQL_LOCAL_SHORT_SILENT="${MYSQL_LOCAL_SHORT} ${MYSQL_OPTS}"
|
||||
export MYSQL_LOCAL="mysql ${MYSQL_LOCAL_OPTS} --connect-timeout 10"
|
||||
|
||||
max_wait={{ .Values.conf.mariadb_server.setup_wait.iteration }}
|
||||
duration={{ .Values.conf.mariadb_server.setup_wait.duration }}
|
||||
counter=0
|
||||
dbisup=false
|
||||
|
||||
log "Waiting for Mariadb backup verification server to start..."
|
||||
|
||||
# During Mariadb init/startup process, a temporary server is startup
|
||||
# and shutdown prior to starting up the normal server.
|
||||
# To avoid prematurely determine server availability, lets snooze
|
||||
# a bit to give time for the process to complete prior to issue
|
||||
# mysql commands.
|
||||
#
|
||||
|
||||
|
||||
while [ $counter -lt $max_wait ]; do
|
||||
if ! $MYSQL_LOCAL_SHORT -e 'select 1' > /dev/null 2>&1 ; then
|
||||
sleep $duration
|
||||
((counter=counter+1))
|
||||
else
|
||||
# Lets sleep for an additional duration just in case async
|
||||
# init takes a bit more time to complete.
|
||||
#
|
||||
sleep $duration
|
||||
dbisup=true
|
||||
counter=$max_wait
|
||||
fi
|
||||
done
|
||||
|
||||
if ! $dbisup; then
|
||||
log "Mariadb backup verification server is not running" "ERROR"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# During Mariadb init process, a test database will be briefly
|
||||
# created and deleted. Adding to the exclusion list for some
|
||||
# edge cases
|
||||
#
|
||||
clean_db=$(${MYSQL_LOCAL_SHORT_SILENT} -e 'show databases;' | \
|
||||
grep -ivE 'information_schema|performance_schema|mysql|test|sys' || true)
|
||||
|
||||
if [[ -z "${clean_db// }" ]]; then
|
||||
log "Clean Server is up and running"
|
||||
else
|
||||
cleanup_local_databases
|
||||
log "Old databases found on the Mariadb backup verification server were cleaned."
|
||||
clean_db=$(${MYSQL_LOCAL_SHORT_SILENT} -e 'show databases;' | \
|
||||
grep -ivE 'information_schema|performance_schema|mysql|test|sys' || true)
|
||||
|
||||
if [[ -z "${clean_db// }" ]]; then
|
||||
log "Clean Server is up and running"
|
||||
else
|
||||
log "Cannot clean old databases on verification server." "ERROR"
|
||||
return 1
|
||||
fi
|
||||
log "The server is ready for verification."
|
||||
fi
|
||||
|
||||
# Starting with 10.4.13, new definer mariadb.sys was added. However, mariadb.sys was deleted
|
||||
# during init mariadb as it was not on the exclusion list. This corrupted the view of mysql.user.
|
||||
# Insert the tuple back to avoid other similar issues with error i.e
|
||||
# The user specified as a definer ('mariadb.sys'@'localhost') does not exist
|
||||
#
|
||||
# Before insert the tuple mentioned above, we should make sure that the MariaDB version is 10.4.+
|
||||
mariadb_version=$($MYSQL_LOCAL_SHORT -e "status" | grep -E '^Server\s+version:')
|
||||
log "Current database ${mariadb_version}"
|
||||
if [[ ! -z ${mariadb_version} && -z $(grep '10.2' <<< ${mariadb_version}}) ]]; then
|
||||
if [[ -z $(grep 'mariadb.sys' <<< $($MYSQL_LOCAL_SHORT mysql -e "select * from global_priv where user='mariadb.sys'")) ]]; then
|
||||
$MYSQL_LOCAL_SHORT -e "insert into mysql.global_priv values ('localhost','mariadb.sys',\
|
||||
'{\"access\":0,\"plugin\":\"mysql_native_password\",\"authentication_string\":\"\",\"account_locked\":true,\"password_last_changed\":0}');"
|
||||
$MYSQL_LOCAL_SHORT -e 'flush privileges;'
|
||||
fi
|
||||
fi
|
||||
|
||||
# Ensure archive dir existed
|
||||
if [ -d "$ARCHIVE_DIR" ]; then
|
||||
# List archive dir before
|
||||
list_archive_dir
|
||||
|
||||
# Ensure the local databases are clean for each restore validation
|
||||
#
|
||||
cleanup_local_databases
|
||||
|
||||
if [[ "${SCOPE}" == "all" ]]; then
|
||||
archive_files=$(find "$ARCHIVE_DIR" -maxdepth 1 -name "*.tar.gz" 2>/dev/null | sort)
|
||||
for i in $archive_files; do
|
||||
archive_file_passed=$i.passed
|
||||
if [ ! -f "$archive_file_passed" ]; then
|
||||
log "Validating archive file $i..."
|
||||
if validate_databases_backup "$i"; then
|
||||
touch "$archive_file_passed"
|
||||
else
|
||||
if handle_bad_archive_file "$i"; then
|
||||
log "File $i has been removed from RGW."
|
||||
else
|
||||
log "File $i cannot be removed from RGW." "ERROR"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
else
|
||||
archive_files=$(find "$ARCHIVE_DIR" -maxdepth 1 -name "*.tar.gz" 2>/dev/null | grep "${SCOPE}" | sort)
|
||||
for i in $archive_files; do
|
||||
archive_file_passed=$i.passed
|
||||
if [ ! -f "$archive_file_passed" ]; then
|
||||
log "Validating archive file $i..."
|
||||
if validate_databases_backup "${i}" "${SCOPE}"; then
|
||||
touch "$archive_file_passed"
|
||||
else
|
||||
if handle_bad_archive_file "$i"; then
|
||||
log "File $i has been removed from RGW."
|
||||
else
|
||||
log "File $i cannot be removed from RGW." "ERROR"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
# Cleanup passed files if its archive file nolonger existed
|
||||
cleanup_old_validation_result_file
|
||||
|
||||
# List archive dir after
|
||||
list_archive_dir
|
||||
fi
|
||||
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
# Call main program to start the database backup
|
||||
backup_databases ${SCOPE}
|
328
mariadb-backup/templates/bin/_restore_mariadb.sh.tpl
Executable file
328
mariadb-backup/templates/bin/_restore_mariadb.sh.tpl
Executable file
@ -0,0 +1,328 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
{{- $envAll := . }}
|
||||
|
||||
# Capture the user's command line arguments
|
||||
ARGS=("$@")
|
||||
|
||||
if [[ -s /tmp/restore_main.sh ]]; then
|
||||
source /tmp/restore_main.sh
|
||||
else
|
||||
echo "File /tmp/restore_main.sh does not exist."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Export the variables needed by the framework
|
||||
export DB_NAME="mariadb"
|
||||
export DB_NAMESPACE=${MARIADB_POD_NAMESPACE}
|
||||
export ARCHIVE_DIR=${MARIADB_BACKUP_BASE_DIR}/db/${DB_NAMESPACE}/${DB_NAME}/archive
|
||||
|
||||
RESTORE_USER='restoreuser'
|
||||
RESTORE_PW=$(pwgen 16 1)
|
||||
RESTORE_LOG='/tmp/restore_error.log'
|
||||
rm -f $RESTORE_LOG
|
||||
|
||||
# This is for commands which require admin access
|
||||
MYSQL="mysql \
|
||||
--defaults-file=/etc/mysql/admin_user.cnf \
|
||||
--host=$MARIADB_SERVER_SERVICE_HOST \
|
||||
--connect-timeout 10"
|
||||
|
||||
# This is for commands which we want the temporary "restore" user
|
||||
# to execute
|
||||
RESTORE_CMD="mysql \
|
||||
--user=${RESTORE_USER} \
|
||||
--password=${RESTORE_PW} \
|
||||
--host=$MARIADB_SERVER_SERVICE_HOST \
|
||||
{{- if .Values.manifests.certificates }}
|
||||
--ssl-ca=/etc/mysql/certs/ca.crt \
|
||||
--ssl-key=/etc/mysql/certs/tls.key \
|
||||
--ssl-cert=/etc/mysql/certs/tls.crt \
|
||||
{{- end }}
|
||||
--connect-timeout 10"
|
||||
|
||||
# Get a single database data from the SQL file.
|
||||
# $1 - database name
|
||||
# $2 - sql file path
|
||||
current_db_desc() {
|
||||
PATTERN="-- Current Database:"
|
||||
sed -n "/${PATTERN} \`$1\`/,/${PATTERN}/p" $2
|
||||
}
|
||||
|
||||
#Return all database from an archive
|
||||
get_databases() {
|
||||
TMP_DIR=$1
|
||||
DB_FILE=$2
|
||||
|
||||
if [[ -e ${TMP_DIR}/db.list ]]
|
||||
then
|
||||
DBS=$(cat ${TMP_DIR}/db.list | \
|
||||
grep -ivE 'information_schema|performance_schema|mysql|sys' )
|
||||
else
|
||||
DBS=" "
|
||||
fi
|
||||
|
||||
echo $DBS > $DB_FILE
|
||||
}
|
||||
|
||||
# Determine sql file from 2 options - current and legacy one
|
||||
# if current is not found check that there is no other namespaced dump file
|
||||
# before falling back to legacy one
|
||||
_get_sql_file() {
|
||||
TMP_DIR=$1
|
||||
SQL_FILE="${TMP_DIR}/mariadb.${MARIADB_POD_NAMESPACE}.*.sql"
|
||||
LEGACY_SQL_FILE="${TMP_DIR}/mariadb.*.sql"
|
||||
INVALID_SQL_FILE="${TMP_DIR}/mariadb.*.*.sql"
|
||||
if [ -f ${SQL_FILE} ]
|
||||
then
|
||||
echo "Found $(ls ${SQL_FILE})" > /dev/stderr
|
||||
printf ${SQL_FILE}
|
||||
elif [ -f ${INVALID_SQL_FILE} ]
|
||||
then
|
||||
echo "Expected to find ${SQL_FILE} or ${LEGACY_SQL_FILE}, but found $(ls ${INVALID_SQL_FILE})" > /dev/stderr
|
||||
elif [ -f ${LEGACY_SQL_FILE} ]
|
||||
then
|
||||
echo "Falling back to legacy naming ${LEGACY_SQL_FILE}. Found $(ls ${LEGACY_SQL_FILE})" > /dev/stderr
|
||||
printf ${LEGACY_SQL_FILE}
|
||||
fi
|
||||
}
|
||||
|
||||
# Extract all tables of a database from an archive and put them in the requested
|
||||
# file.
|
||||
get_tables() {
|
||||
DATABASE=$1
|
||||
TMP_DIR=$2
|
||||
TABLE_FILE=$3
|
||||
|
||||
SQL_FILE=$(_get_sql_file $TMP_DIR)
|
||||
if [ ! -z $SQL_FILE ]; then
|
||||
current_db_desc ${DATABASE} ${SQL_FILE} \
|
||||
| grep "^CREATE TABLE" | awk -F '`' '{print $2}' \
|
||||
> $TABLE_FILE
|
||||
else
|
||||
# Error, cannot report the tables
|
||||
echo "No SQL file found - cannot extract the tables"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Extract all rows in the given table of a database from an archive and put
|
||||
# them in the requested file.
|
||||
get_rows() {
|
||||
DATABASE=$1
|
||||
TABLE=$2
|
||||
TMP_DIR=$3
|
||||
ROW_FILE=$4
|
||||
|
||||
SQL_FILE=$(_get_sql_file $TMP_DIR)
|
||||
if [ ! -z $SQL_FILE ]; then
|
||||
current_db_desc ${DATABASE} ${SQL_FILE} \
|
||||
| grep "INSERT INTO \`${TABLE}\` VALUES" > $ROW_FILE
|
||||
return 0
|
||||
else
|
||||
# Error, cannot report the rows
|
||||
echo "No SQL file found - cannot extract the rows"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Extract the schema for the given table in the given database belonging to
|
||||
# the archive file found in the TMP_DIR.
|
||||
get_schema() {
|
||||
DATABASE=$1
|
||||
TABLE=$2
|
||||
TMP_DIR=$3
|
||||
SCHEMA_FILE=$4
|
||||
|
||||
SQL_FILE=$(_get_sql_file $TMP_DIR)
|
||||
if [ ! -z $SQL_FILE ]; then
|
||||
DB_FILE=$(mktemp -p /tmp)
|
||||
current_db_desc ${DATABASE} ${SQL_FILE} > ${DB_FILE}
|
||||
sed -n /'CREATE TABLE `'$TABLE'`'/,/'--'/p ${DB_FILE} > ${SCHEMA_FILE}
|
||||
if [[ ! (-s ${SCHEMA_FILE}) ]]; then
|
||||
sed -n /'CREATE TABLE IF NOT EXISTS `'$TABLE'`'/,/'--'/p ${DB_FILE} \
|
||||
> ${SCHEMA_FILE}
|
||||
fi
|
||||
rm -f ${DB_FILE}
|
||||
else
|
||||
# Error, cannot report the rows
|
||||
echo "No SQL file found - cannot extract the schema"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Create temporary user for restoring specific databases.
|
||||
create_restore_user() {
|
||||
restore_db=$1
|
||||
|
||||
# Ensure any old restore user is removed first, if it exists.
|
||||
# If it doesn't exist it may return error, so do not exit the
|
||||
# script if that's the case.
|
||||
delete_restore_user "dont_exit_on_error"
|
||||
|
||||
$MYSQL --execute="GRANT SELECT ON *.* TO ${RESTORE_USER}@'%' IDENTIFIED BY '${RESTORE_PW}';" 2>>$RESTORE_LOG
|
||||
if [[ "$?" -eq 0 ]]
|
||||
then
|
||||
$MYSQL --execute="GRANT ALL ON ${restore_db}.* TO ${RESTORE_USER}@'%' IDENTIFIED BY '${RESTORE_PW}';" 2>>$RESTORE_LOG
|
||||
if [[ "$?" -ne 0 ]]
|
||||
then
|
||||
cat $RESTORE_LOG
|
||||
echo "Failed to grant restore user ALL permissions on database ${restore_db}"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
cat $RESTORE_LOG
|
||||
echo "Failed to grant restore user select permissions on all databases"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Delete temporary restore user
|
||||
delete_restore_user() {
|
||||
error_handling=$1
|
||||
|
||||
$MYSQL --execute="DROP USER ${RESTORE_USER}@'%';" 2>>$RESTORE_LOG
|
||||
if [[ "$?" -ne 0 ]]
|
||||
then
|
||||
if [ "$error_handling" == "exit_on_error" ]
|
||||
then
|
||||
cat $RESTORE_LOG
|
||||
echo "Failed to delete temporary restore user - needs attention to avoid a security hole"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
#Restore a single database
|
||||
restore_single_db() {
|
||||
SINGLE_DB_NAME=$1
|
||||
TMP_DIR=$2
|
||||
|
||||
if [[ -z "$SINGLE_DB_NAME" ]]
|
||||
then
|
||||
echo "Restore single DB called but with wrong parameter."
|
||||
return 1
|
||||
fi
|
||||
|
||||
SQL_FILE=$(_get_sql_file $TMP_DIR)
|
||||
if [ ! -z $SQL_FILE ]; then
|
||||
# Restoring a single database requires us to create a temporary user
|
||||
# which has capability to only restore that ONE database. One gotcha
|
||||
# is that the mysql command to restore the database is going to throw
|
||||
# errors because of all the other databases that it cannot access. So
|
||||
# because of this reason, the --force option is used to prevent the
|
||||
# command from stopping on an error.
|
||||
create_restore_user $SINGLE_DB_NAME
|
||||
if [[ $? -ne 0 ]]
|
||||
then
|
||||
echo "Restore $SINGLE_DB_NAME failed create restore user."
|
||||
return 1
|
||||
fi
|
||||
$RESTORE_CMD --force < $SQL_FILE 2>>$RESTORE_LOG
|
||||
if [[ "$?" -eq 0 ]]
|
||||
then
|
||||
echo "Database $SINGLE_DB_NAME Restore successful."
|
||||
else
|
||||
cat $RESTORE_LOG
|
||||
delete_restore_user "exit_on_error"
|
||||
echo "Database $SINGLE_DB_NAME Restore failed."
|
||||
return 1
|
||||
fi
|
||||
delete_restore_user "exit_on_error"
|
||||
if [[ $? -ne 0 ]]
|
||||
then
|
||||
echo "Restore $SINGLE_DB_NAME failed delete restore user."
|
||||
return 1
|
||||
fi
|
||||
if [ -f ${TMP_DIR}/${SINGLE_DB_NAME}_grant.sql ]
|
||||
then
|
||||
$MYSQL < ${TMP_DIR}/${SINGLE_DB_NAME}_grant.sql 2>>$RESTORE_LOG
|
||||
if [[ "$?" -eq 0 ]]
|
||||
then
|
||||
if ! $MYSQL --execute="FLUSH PRIVILEGES;"; then
|
||||
echo "Failed to flush privileges for $SINGLE_DB_NAME."
|
||||
return 1
|
||||
fi
|
||||
echo "Database $SINGLE_DB_NAME Permission Restore successful."
|
||||
else
|
||||
cat $RESTORE_LOG
|
||||
echo "Database $SINGLE_DB_NAME Permission Restore failed."
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
echo "There is no permission file available for $SINGLE_DB_NAME"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
echo "There is no database file available to restore from"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
#Restore all the databases
|
||||
restore_all_dbs() {
|
||||
TMP_DIR=$1
|
||||
|
||||
SQL_FILE=$(_get_sql_file $TMP_DIR)
|
||||
if [ ! -z $SQL_FILE ]; then
|
||||
# Check the scope of the archive.
|
||||
SCOPE=$(echo ${SQL_FILE} | awk -F'.' '{print $(NF-1)}')
|
||||
if [[ "${SCOPE}" != "all" ]]; then
|
||||
# This is just a single database backup. The user should
|
||||
# instead use the single database restore option.
|
||||
echo "Cannot use the restore all option for an archive containing only a single database."
|
||||
echo "Please use the single database restore option."
|
||||
return 1
|
||||
fi
|
||||
|
||||
$MYSQL < $SQL_FILE 2>$RESTORE_LOG
|
||||
if [[ "$?" -eq 0 ]]
|
||||
then
|
||||
echo "Databases $( echo $DBS | tr -d '\n') Restore successful."
|
||||
else
|
||||
cat $RESTORE_LOG
|
||||
echo "Databases $( echo $DBS | tr -d '\n') Restore failed."
|
||||
return 1
|
||||
fi
|
||||
if [[ -f ${TMP_DIR}/grants.sql ]]
|
||||
then
|
||||
$MYSQL < ${TMP_DIR}/grants.sql 2>$RESTORE_LOG
|
||||
if [[ "$?" -eq 0 ]]
|
||||
then
|
||||
if ! $MYSQL --execute="FLUSH PRIVILEGES;"; then
|
||||
echo "Failed to flush privileges."
|
||||
return 1
|
||||
fi
|
||||
echo "Databases Permission Restore successful."
|
||||
else
|
||||
cat $RESTORE_LOG
|
||||
echo "Databases Permission Restore failed."
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
echo "There is no permission file available"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
echo "There is no database file available to restore from"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# Call the CLI interpreter, providing the archive directory path and the
|
||||
# user arguments passed in
|
||||
cli_main ${ARGS[@]}
|
@ -0,0 +1,28 @@
|
||||
#!/bin/bash -ex
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
log () {
|
||||
msg_default="Need some text to log"
|
||||
level_default="INFO"
|
||||
component_default="Mariadb Backup Verifier"
|
||||
|
||||
msg=${1:-$msg_default}
|
||||
level=${2:-$level_default}
|
||||
component=${3:-"$component_default"}
|
||||
|
||||
echo "$(date +'%Y-%m-%d %H:%M:%S,%3N') - ${component} - ${level} - ${msg}"
|
||||
}
|
||||
|
||||
log "Starting Mariadb server for backup verification..."
|
||||
MYSQL_ALLOW_EMPTY_PASSWORD=1 nohup bash -x docker-entrypoint.sh mysqld --user=nobody 2>&1
|
45
mariadb-backup/templates/configmap-bin.yaml
Normal file
45
mariadb-backup/templates/configmap-bin.yaml
Normal file
@ -0,0 +1,45 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.configmap_bin }}
|
||||
{{- $envAll := . }}
|
||||
{{ if eq .Values.endpoints.oslo_db.auth.admin.username .Values.endpoints.oslo_db.auth.sst.username }}
|
||||
{{ fail "the DB admin username should not match the sst user username" }}
|
||||
{{ end }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: mariadb-backup-bin
|
||||
data:
|
||||
backup_mariadb.sh: |
|
||||
{{ tuple "bin/_backup_mariadb.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
start_verification_server.sh: |
|
||||
{{ tuple "bin/_start_mariadb_verify_server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
restore_mariadb.sh: |
|
||||
{{ tuple "bin/_restore_mariadb.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
backup_main.sh: |
|
||||
{{ include "helm-toolkit.scripts.db-backup-restore.backup_main" . | indent 4 }}
|
||||
restore_main.sh: |
|
||||
{{ include "helm-toolkit.scripts.db-backup-restore.restore_main" . | indent 4 }}
|
||||
{{- if .Values.images.local_registry.active }}
|
||||
image-repo-sync.sh: |
|
||||
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
ks-user.sh: |
|
||||
{{ include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
...
|
24
mariadb-backup/templates/configmap-etc.yaml
Normal file
24
mariadb-backup/templates/configmap-etc.yaml
Normal file
@ -0,0 +1,24 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License" );
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.configmap_etc }}
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: mariadb-backup-etc
|
||||
data:
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" ( index $envAll.Values.conf.database "my" ) "key" "my.cnf" ) | indent 2 }}
|
||||
{{- end }}
|
226
mariadb-backup/templates/cron-job-backup-mariadb.yaml
Normal file
226
mariadb-backup/templates/cron-job-backup-mariadb.yaml
Normal file
@ -0,0 +1,226 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.cron_job_mariadb_backup }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- $serviceAccountName := "mariadb-backup" }}
|
||||
{{ tuple $envAll "mariadb_backup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: mariadb-backup
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
labels:
|
||||
{{ tuple $envAll "mariadb-backup" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
spec:
|
||||
schedule: {{ .Values.jobs.mariadb_backup.cron | quote }}
|
||||
successfulJobsHistoryLimit: {{ .Values.jobs.mariadb_backup.history.success }}
|
||||
failedJobsHistoryLimit: {{ .Values.jobs.mariadb_backup.history.failed }}
|
||||
concurrencyPolicy: Forbid
|
||||
jobTemplate:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll "mariadb-backup" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
{{ dict "envAll" $envAll "podName" "mariadb-backup" "containerNames" (list "init" "backup-perms" "mariadb-backup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{- if .Values.jobs.mariadb_backup.backoffLimit }}
|
||||
backoffLimit: {{ .Values.jobs.mariadb_backup.backoffLimit }}
|
||||
{{- end }}
|
||||
{{- if .Values.jobs.mariadb_backup.activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ .Values.jobs.mariadb_backup.activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll "mariadb-backup" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "mariadb_backup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
shareProcessNamespace: true
|
||||
{{ if $envAll.Values.pod.tolerations.mariadb.enabled }}
|
||||
{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
|
||||
{{ end }}
|
||||
nodeSelector:
|
||||
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
|
||||
initContainers:
|
||||
{{ tuple $envAll "mariadb_backup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
|
||||
- name: backup-perms
|
||||
{{ tuple $envAll "mariadb_backup" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||
{{ dict "envAll" $envAll "application" "mariadb_backup" "container" "backup_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||
command:
|
||||
- chown
|
||||
- -R
|
||||
- "65534:65534"
|
||||
- $(MARIADB_BACKUP_BASE_DIR)
|
||||
env:
|
||||
- name: MARIADB_BACKUP_BASE_DIR
|
||||
value: {{ .Values.conf.backup.base_path | quote }}
|
||||
volumeMounts:
|
||||
- mountPath: /tmp
|
||||
name: pod-tmp
|
||||
- mountPath: {{ .Values.conf.backup.base_path }}
|
||||
name: mariadb-backup-dir
|
||||
- name: verify-perms
|
||||
{{ tuple $envAll "mariadb_backup" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||
{{ dict "envAll" $envAll "application" "mariadb_backup" "container" "verify_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||
command:
|
||||
- chown
|
||||
- -R
|
||||
- "65534:65534"
|
||||
- /var/lib/mysql
|
||||
volumeMounts:
|
||||
- mountPath: /tmp
|
||||
name: pod-tmp
|
||||
- mountPath: /var/lib/mysql
|
||||
name: mysql-data
|
||||
containers:
|
||||
- name: mariadb-backup
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -c
|
||||
- >-
|
||||
/tmp/backup_mariadb.sh;
|
||||
/usr/bin/pkill mysqld
|
||||
env:
|
||||
- name: MARIADB_BACKUP_BASE_DIR
|
||||
value: {{ .Values.conf.backup.base_path | quote }}
|
||||
- name: MYSQL_BACKUP_MYSQLDUMP_OPTIONS
|
||||
value: {{ .Values.conf.backup.mysqldump_options | quote }}
|
||||
- name: MARIADB_LOCAL_BACKUP_DAYS_TO_KEEP
|
||||
value: {{ .Values.conf.backup.days_to_keep | quote }}
|
||||
- name: MARIADB_POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: REMOTE_BACKUP_ENABLED
|
||||
value: "{{ .Values.conf.backup.remote_backup.enabled }}"
|
||||
{{- if .Values.conf.backup.remote_backup.enabled }}
|
||||
- name: MARIADB_REMOTE_BACKUP_DAYS_TO_KEEP
|
||||
value: {{ .Values.conf.backup.remote_backup.days_to_keep | quote }}
|
||||
- name: CONTAINER_NAME
|
||||
value: {{ .Values.conf.backup.remote_backup.container_name | quote }}
|
||||
- name: STORAGE_POLICY
|
||||
value: "{{ .Values.conf.backup.remote_backup.storage_policy }}"
|
||||
- name: NUMBER_OF_RETRIES_SEND_BACKUP_TO_REMOTE
|
||||
value: {{ .Values.conf.backup.remote_backup.number_of_retries | quote }}
|
||||
- name: MIN_DELAY_SEND_BACKUP_TO_REMOTE
|
||||
value: {{ .Values.conf.backup.remote_backup.delay_range.min | quote }}
|
||||
- name: MAX_DELAY_SEND_BACKUP_TO_REMOTE
|
||||
value: {{ .Values.conf.backup.remote_backup.delay_range.max | quote }}
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.mariadb }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 16 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ tuple $envAll "mariadb_backup" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||
{{ dict "envAll" $envAll "application" "mariadb_backup" "container" "mariadb_backup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- mountPath: /tmp/backup_mariadb.sh
|
||||
name: mariadb-backup-bin
|
||||
readOnly: true
|
||||
subPath: backup_mariadb.sh
|
||||
- mountPath: /tmp/backup_main.sh
|
||||
name: mariadb-backup-bin
|
||||
readOnly: true
|
||||
subPath: backup_main.sh
|
||||
- mountPath: {{ .Values.conf.backup.base_path }}
|
||||
name: mariadb-backup-dir
|
||||
- name: mariadb-backup-secrets
|
||||
mountPath: /etc/mysql/admin_user.cnf
|
||||
subPath: admin_user.cnf
|
||||
readOnly: true
|
||||
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
- name: mariadb-verify-server
|
||||
{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||
{{ dict "envAll" $envAll "application" "mariadb_backup" "container" "mariadb_verify_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||
env:
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: MARIADB_X509
|
||||
value: "REQUIRE X509"
|
||||
{{- end }}
|
||||
- name: MYSQL_HISTFILE
|
||||
value: /dev/null
|
||||
- name: MARIADB_BACKUP_BASE_DIR
|
||||
value: {{ .Values.conf.backup.base_path | quote }}
|
||||
ports:
|
||||
- name: mysql
|
||||
protocol: TCP
|
||||
containerPort: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
command:
|
||||
- /tmp/start_verification_server.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: var-run
|
||||
mountPath: /var/run/mysqld
|
||||
- name: mycnfd
|
||||
mountPath: /etc/mysql/conf.d
|
||||
- name: mariadb-backup-etc
|
||||
mountPath: /etc/mysql/my.cnf
|
||||
subPath: my.cnf
|
||||
readOnly: true
|
||||
- name: mariadb-backup-secrets
|
||||
mountPath: /etc/mysql/admin_user.cnf
|
||||
subPath: admin_user.cnf
|
||||
readOnly: true
|
||||
- name: mysql-data
|
||||
mountPath: /var/lib/mysql
|
||||
- name: mariadb-backup-bin
|
||||
mountPath: /tmp/start_verification_server.sh
|
||||
readOnly: true
|
||||
subPath: start_verification_server.sh
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: mycnfd
|
||||
emptyDir: {}
|
||||
- name: var-run
|
||||
emptyDir: {}
|
||||
- name: mariadb-backup-etc
|
||||
configMap:
|
||||
name: mariadb-backup-etc
|
||||
defaultMode: 0444
|
||||
- name: mysql-data
|
||||
emptyDir: {}
|
||||
- name: mariadb-backup-secrets
|
||||
secret:
|
||||
secretName: mariadb-backup-secrets
|
||||
defaultMode: 420
|
||||
- configMap:
|
||||
defaultMode: 365
|
||||
name: mariadb-backup-bin
|
||||
name: mariadb-backup-bin
|
||||
{{- if and .Values.volume.backup.enabled .Values.manifests.pvc_backup }}
|
||||
- name: mariadb-backup-dir
|
||||
persistentVolumeClaim:
|
||||
claimName: mariadb-backup-data
|
||||
{{- else }}
|
||||
- hostPath:
|
||||
path: {{ .Values.conf.backup.base_path }}
|
||||
type: DirectoryOrCreate
|
||||
name: mariadb-backup-dir
|
||||
{{- end }}
|
||||
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- end }}
|
22
mariadb-backup/templates/job-image-repo-sync.yaml
Normal file
22
mariadb-backup/templates/job-image-repo-sync.yaml
Normal file
@ -0,0 +1,22 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
|
||||
{{- $serviceName := tuple "oslo_db" "server" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
{{- $imageRepoSyncJob := dict "envAll" . "serviceName" $serviceName -}}
|
||||
{{- if .Values.pod.tolerations.mariadb.enabled -}}
|
||||
{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
|
||||
{{- end -}}
|
||||
{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
|
||||
{{- end }}
|
24
mariadb-backup/templates/job-ks-user.yaml
Normal file
24
mariadb-backup/templates/job-ks-user.yaml
Normal file
@ -0,0 +1,24 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
{{- $backoffLimit := .Values.jobs.ks_user.backoffLimit }}
|
||||
{{- $activeDeadlineSeconds := .Values.jobs.ks_user.activeDeadlineSeconds }}
|
||||
{{- $serviceName := tuple "oslo_db" "server" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" $serviceName "configMapBin" "mariadb-backup-bin" "backoffLimit" $backoffLimit "activeDeadlineSeconds" $activeDeadlineSeconds -}}
|
||||
{{- if .Values.pod.tolerations.mariadb.enabled -}}
|
||||
{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
|
||||
{{- end -}}
|
||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||
{{- end }}
|
29
mariadb-backup/templates/mariadb-backup-pvc.yaml
Normal file
29
mariadb-backup/templates/mariadb-backup-pvc.yaml
Normal file
@ -0,0 +1,29 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.volume.backup.enabled .Values.manifests.pvc_backup }}
|
||||
---
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: mariadb-backup-data
|
||||
spec:
|
||||
accessModes: ["ReadWriteOnce"]
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.volume.backup.size }}
|
||||
storageClassName: {{ .Values.volume.backup.class_name }}
|
||||
...
|
||||
{{- end }}
|
||||
|
30
mariadb-backup/templates/secret-backup-restore.yaml
Normal file
30
mariadb-backup/templates/secret-backup-restore.yaml
Normal file
@ -0,0 +1,30 @@
|
||||
{{/*
|
||||
This manifest results a secret being created which has the key information
|
||||
needed for backing up and restoring the Mariadb databases.
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.conf.backup.enabled .Values.manifests.secret_backup_restore }}
|
||||
|
||||
{{- $envAll := . }}
|
||||
{{- $userClass := "backup_restore" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.mariadb $userClass }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
type: Opaque
|
||||
data:
|
||||
BACKUP_ENABLED: {{ $envAll.Values.conf.backup.enabled | quote | b64enc }}
|
||||
BACKUP_BASE_PATH: {{ $envAll.Values.conf.backup.base_path | b64enc }}
|
||||
LOCAL_DAYS_TO_KEEP: {{ $envAll.Values.conf.backup.days_to_keep | quote | b64enc }}
|
||||
MYSQLDUMP_OPTIONS: {{ $envAll.Values.conf.backup.mysqldump_options | b64enc }}
|
||||
REMOTE_BACKUP_ENABLED: {{ $envAll.Values.conf.backup.remote_backup.enabled | quote | b64enc }}
|
||||
REMOTE_BACKUP_CONTAINER: {{ $envAll.Values.conf.backup.remote_backup.container_name | b64enc }}
|
||||
REMOTE_BACKUP_DAYS_TO_KEEP: {{ $envAll.Values.conf.backup.remote_backup.days_to_keep | quote | b64enc }}
|
||||
REMOTE_BACKUP_STORAGE_POLICY: {{ $envAll.Values.conf.backup.remote_backup.storage_policy | b64enc }}
|
||||
REMOTE_BACKUP_RETRIES: {{ $envAll.Values.conf.backup.remote_backup.number_of_retries | quote | b64enc }}
|
||||
REMOTE_BACKUP_SEND_DELAY_MIN: {{ $envAll.Values.conf.backup.remote_backup.delay_range.min | quote | b64enc }}
|
||||
REMOTE_BACKUP_SEND_DELAY_MAX: {{ $envAll.Values.conf.backup.remote_backup.delay_range.max | quote | b64enc }}
|
||||
...
|
||||
{{- end }}
|
17
mariadb-backup/templates/secret-registry.yaml
Normal file
17
mariadb-backup/templates/secret-registry.yaml
Normal file
@ -0,0 +1,17 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
|
||||
{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
|
||||
{{- end }}
|
78
mariadb-backup/templates/secret-rgw.yaml
Normal file
78
mariadb-backup/templates/secret-rgw.yaml
Normal file
@ -0,0 +1,78 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
|
||||
|
||||
This manifest results in two secrets being created:
|
||||
1) Keystone "mariadb" secret, which is needed to access the cluster
|
||||
(remote or same cluster) for storing mariadb backups. If the
|
||||
cluster is remote, the auth_url would be non-null.
|
||||
2) Keystone "admin" secret, which is needed to create the
|
||||
"mariadb" keystone account mentioned above. This may not
|
||||
be needed if the account is in a remote cluster (auth_url is non-null
|
||||
in that case).
|
||||
*/}}
|
||||
|
||||
{{- if .Values.conf.backup.remote_backup.enabled }}
|
||||
|
||||
{{- $envAll := . }}
|
||||
{{- $userClass := "mariadb-server" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- $identityClass := index .Values.endpoints.identity.auth $userClass }}
|
||||
{{- if $identityClass.auth_url }}
|
||||
OS_AUTH_URL: {{ $identityClass.auth_url | b64enc }}
|
||||
{{- else }}
|
||||
OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
|
||||
{{- end }}
|
||||
OS_REGION_NAME: {{ $identityClass.region_name | b64enc }}
|
||||
OS_INTERFACE: {{ $identityClass.interface | default "internal" | b64enc }}
|
||||
OS_PROJECT_DOMAIN_NAME: {{ $identityClass.project_domain_name | b64enc }}
|
||||
OS_PROJECT_NAME: {{ $identityClass.project_name | b64enc }}
|
||||
OS_USER_DOMAIN_NAME: {{ $identityClass.user_domain_name | b64enc }}
|
||||
OS_USERNAME: {{ $identityClass.username | b64enc }}
|
||||
OS_PASSWORD: {{ $identityClass.password | b64enc }}
|
||||
OS_DEFAULT_DOMAIN: {{ $identityClass.default_domain_id | default "default" | b64enc }}
|
||||
...
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
{{- $userClass := "admin" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- $identityClass := index .Values.endpoints.identity.auth $userClass }}
|
||||
{{- if $identityClass.auth_url }}
|
||||
OS_AUTH_URL: {{ $identityClass.auth_url | b64enc }}
|
||||
{{- else }}
|
||||
OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
|
||||
{{- end }}
|
||||
OS_REGION_NAME: {{ $identityClass.region_name | b64enc }}
|
||||
OS_INTERFACE: {{ $identityClass.interface | default "internal" | b64enc }}
|
||||
OS_PROJECT_DOMAIN_NAME: {{ $identityClass.project_domain_name | b64enc }}
|
||||
OS_PROJECT_NAME: {{ $identityClass.project_name | b64enc }}
|
||||
OS_USER_DOMAIN_NAME: {{ $identityClass.user_domain_name | b64enc }}
|
||||
OS_USERNAME: {{ $identityClass.username | b64enc }}
|
||||
OS_PASSWORD: {{ $identityClass.password | b64enc }}
|
||||
OS_DEFAULT_DOMAIN: {{ $identityClass.default_domain_id | default "default" | b64enc }}
|
||||
...
|
||||
{{- end }}
|
||||
{{- end }}
|
26
mariadb-backup/templates/secrets-etc.yaml
Normal file
26
mariadb-backup/templates/secrets-etc.yaml
Normal file
@ -0,0 +1,26 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.secret_etc }}
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: mariadb-backup-secrets
|
||||
type: Opaque
|
||||
data:
|
||||
admin_user.cnf: {{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
|
||||
admin_user_internal.cnf: {{ tuple "secrets/_admin_user_internal.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
|
||||
{{- end }}
|
24
mariadb-backup/templates/secrets/_admin_user.cnf.tpl
Normal file
24
mariadb-backup/templates/secrets/_admin_user.cnf.tpl
Normal file
@ -0,0 +1,24 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
[client]
|
||||
user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
|
||||
password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
|
||||
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- if .Values.manifests.certificates }}
|
||||
ssl-ca = /etc/mysql/certs/ca.crt
|
||||
ssl-key = /etc/mysql/certs/tls.key
|
||||
ssl-cert = /etc/mysql/certs/tls.crt
|
||||
{{- end }}
|