From b15605029e6023de3f96a8c7572e0c0fe81a7fc0 Mon Sep 17 00:00:00 2001 From: Chris Wedgwood Date: Mon, 29 Oct 2018 16:55:31 +0000 Subject: [PATCH] [MariaDB] Fix non-default setting for admin user This allows the database administration username to be changed in addition to the password (the configuration and documentation implies this is possible, but the current implementation assumes root in a few places). Remove some unused env declarations. Tested with and without Prometheus exporter enabled. Change-Id: I8a48dac7a84fe583c7dc5ff0644ca14b1e5190d8 --- mariadb/templates/bin/_start.py.tpl | 12 +++++++----- mariadb/templates/etc/_00-base.cnf.tpl | 2 +- .../prometheus/exporter-job-create-user.yaml | 9 --------- ...ot-password.yaml => secret-dbadmin-password.yaml} | 4 ++-- mariadb/templates/statefulset.yaml | 8 +++++--- 5 files changed, 15 insertions(+), 20 deletions(-) rename mariadb/templates/{secret-db-root-password.yaml => secret-dbadmin-password.yaml} (85%) diff --git a/mariadb/templates/bin/_start.py.tpl b/mariadb/templates/bin/_start.py.tpl index 4d4428c6f..e8b4028e1 100644 --- a/mariadb/templates/bin/_start.py.tpl +++ b/mariadb/templates/bin/_start.py.tpl @@ -89,8 +89,10 @@ if check_env_var("DISCOVERY_DOMAIN"): discovery_domain = os.environ['DISCOVERY_DOMAIN'] if check_env_var("WSREP_PORT"): wsrep_port = os.environ['WSREP_PORT'] -if check_env_var("MYSQL_ROOT_PASSWORD"): - mysql_root_password = os.environ['MYSQL_ROOT_PASSWORD'] +if check_env_var("MYSQL_DBADMIN_USERNAME"): + mysql_dbadmin_username = os.environ['MYSQL_DBADMIN_USERNAME'] +if check_env_var("MYSQL_DBADMIN_PASSWORD"): + mysql_dbadmin_password = os.environ['MYSQL_DBADMIN_PASSWORD'] # Set some variables for tuneables cluster_leader_ttl = 120 
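Review bot: `mysql_dbadmin_username` and `mysql_dbadmin_password` are bound only inside the `if check_env_var(...)` branches, so if that helper returns false instead of exiting (its body is outside this hunk), the names stay undefined. The first use in `mysqld_bootstrap()` would then fail with a NameError far from the cause. Consider failing fast here with an explicit message that names the missing variable. A short comment such as `# Admin credentials come from the statefulset env; both are required` would record that neither has a default, since the old code implied `root`.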
@@ -240,11 +242,11 @@ def mysqld_bootstrap(): ], logger) template = ( "DELETE FROM mysql.user ;\n" - "CREATE OR REPLACE USER 'root'@'%' IDENTIFIED BY \'{0}\' ;\n" - "GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ;\n" + "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" + "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" "DROP DATABASE IF EXISTS test ;\n" "FLUSH PRIVILEGES ;\n" - "SHUTDOWN ;".format(mysql_root_password)) + "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password)) bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name with open(bootstrap_sql_file, 'w') as f: f.write(template) diff --git a/mariadb/templates/etc/_00-base.cnf.tpl b/mariadb/templates/etc/_00-base.cnf.tpl index 949d86753..76cd155b3 100644 --- a/mariadb/templates/etc/_00-base.cnf.tpl +++ b/mariadb/templates/etc/_00-base.cnf.tpl @@ -95,7 +95,7 @@ wsrep_on=1 wsrep_provider=/usr/lib/galera/libgalera_smm.so wsrep_provider_options="gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}" wsrep_slave_threads=12 -wsrep_sst_auth=root:{{ .Values.endpoints.oslo_db.auth.admin.password }} +wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.admin.username }}:{{ .Values.endpoints.oslo_db.auth.admin.password }} # FIXME(portdirect): use rsync for compatibility between image variations wsrep_sst_method=rsync diff --git a/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml b/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml index b9f7b5674..9f67ac1bd 100644 --- a/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml +++ b/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml 
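Review bot: The new `'{0}'@'%'` placeholders put `mysql_dbadmin_username` inside single-quoted SQL with plain `str.format`, as the existing password placeholder already does, so a `'` or `\` in either value changes the statements the bootstrap server executes with full privileges. Reject a username outside a conservative character set before formatting, and escape the password, for example `mysql_dbadmin_password.replace("\\", "\\\\").replace("'", "\\'")`. The context line `tempfile.NamedTemporaryFile(suffix='.sql').name` discards the file object immediately, so the later `open(bootstrap_sql_file, 'w')` appears to recreate the path with umask-default permissions. That file now holds the admin username and password, so keeping the `NamedTemporaryFile` handle open and writing through it would keep the file owner-only. `mysqld_bootstrap()` starts and ends outside this hunk.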
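Review bot: `wsrep_sst_auth` is a single `user:password` value, so with the username now templated, a `:` in `admin.username` makes the rendered line ambiguous. Neither value is escaped for the cnf format. The line also renders the admin password in clear text, so if `_00-base.cnf.tpl` is delivered through a ConfigMap rather than a Secret (not visible in this hunk), anyone who can read ConfigMaps in the namespace can read the admin credentials. The context line sets `wsrep_sst_method=rsync`, so it is worth confirming whether this credential is needed in the file at all.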
@@ -54,15 +54,6 @@ spec: secretKeyRef: name: mysql-exporter-secrets key: EXPORTER_PASSWORD - - name: MYSQL_SERVICE - value: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} - - name: MYSQL_ROOT_USER - value: {{ .Values.endpoints.oslo_db.auth.admin.username }} - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: mariadb-db-root-password - key: MYSQL_ROOT_PASSWORD volumeMounts: - name: mysql-exporter-bin mountPath: /tmp/create-mysql-user.sh diff --git a/mariadb/templates/secret-db-root-password.yaml b/mariadb/templates/secret-dbadmin-password.yaml similarity index 85% rename from mariadb/templates/secret-db-root-password.yaml rename to mariadb/templates/secret-dbadmin-password.yaml index e99f30b4e..033fa5b90 100644 --- a/mariadb/templates/secret-db-root-password.yaml +++ b/mariadb/templates/secret-dbadmin-password.yaml @@ -20,8 +20,8 @@ limitations under the License. apiVersion: v1 kind: Secret metadata: - name: mariadb-db-root-password + name: mariadb-dbadmin-password type: Opaque data: - MYSQL_ROOT_PASSWORD: {{ .Values.endpoints.oslo_db.auth.admin.password | b64enc }} + MYSQL_DBADMIN_PASSWORD: {{ .Values.endpoints.oslo_db.auth.admin.password | b64enc }} {{- end }} diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml index c6aa45185..677b19e66 100644 --- a/mariadb/templates/statefulset.yaml +++ b/mariadb/templates/statefulset.yaml 
@@ -135,11 +135,13 @@ spec: value: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - name: STATE_CONFIGMAP value: {{ printf "%s-%s" .Release.Name "mariadb-state" | quote }} - - name: MYSQL_ROOT_PASSWORD + - name: MYSQL_DBADMIN_USERNAME + value: {{ .Values.endpoints.oslo_db.auth.admin.username }} + - name: MYSQL_DBADMIN_PASSWORD valueFrom: secretKeyRef: - name: mariadb-db-root-password - key: MYSQL_ROOT_PASSWORD + name: mariadb-dbadmin-password + key: MYSQL_DBADMIN_PASSWORD ports: - name: mysql protocol: TCP
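Review bot: The new `MYSQL_DBADMIN_USERNAME` value is rendered unquoted, while the neighbouring entries in this hunk pipe their values through `| quote`. A username that YAML reads as a non-string (all digits, `true`, `null`) or that contains `:` or `#` would produce an invalid or altered env value. Use `value: {{ .Values.endpoints.oslo_db.auth.admin.username | quote }}`. The `secretKeyRef` now points at `mariadb-dbadmin-password`, so any other template still referencing `mariadb-db-root-password` (none visible here) would need the same rename.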